[vpn-help] racoon & ike: Missing the last tiny bit ... [solved!]

Clemens Perz cperz at gmx.net
Sun Mar 21 17:07:22 CDT 2010

Hi Matthew,

this was it! Exactly the missing link :))

I went into it a bit more and found out that having it working depends 
on two settings:

sysctl net.ipv4.conf.all.rp_filter=0
sysctl net.ipv4.conf.eth0.rp_filter=0

You can set that at runtime. If you want to configure it on system boot, 
  add a file /etc/sysctl.d/60-network-security.conf or edit 
/etc/sysctl.conf, enabling these three lines


Obviously, its a bit static - so putting it into a wrapper script and 
handle the device having the default route would be the most flexible 

Thanks again,

Matthew Grooms wrote:
> On 3/19/2010 9:01 AM, Clemens Perz wrote:
>> Hmm, but it is not the best solution. Because now all connections inside
>> the vpn are originating from my internal eth0 ip address, which might
>> change when I move between DHCP driven networks.
>> Will need to get back to tap then. It seems, that packages make it to
>> the kernel, but somehow do not arrive at the tap device. Does that make
>> sense to someone? Which screw I have to turn to make it work?
> Please have a look at this post.
> http://lists.shrew.net/mailman/htdig/vpn-help/2008-November/001827.html
> -Matthew

More information about the vpn-help mailing list