root@t-Aspire-5742:/# sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.5.0-42-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects! [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Florian Diesch
PHANI
2 Answers
You need to disable send and accept:
# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
To make it permanent across reboots, place the lines below in your sysctl.conf:
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
Skeletonkey
Please notice that the /proc/sys/net/ipv4/conf/... files are read-only even for the root user. You should disable it using your VPN configuration. For example, in OpenSwan you should do:
Prompt> sudo vi /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
You can also use
sudo sysctl stuff.you.want.to.change=newValue
as suggested in the comments, to avoid a reboot.
- That is technically not true, you just don't write directly to those files. You use sudo sysctl stuff.you.want.to.change=newValue. To make your changes persistent, you need to edit the /etc/sysctl.conf. – jawtheshark Sep 01 '16 at 12:51
- Persistence. If you change the configuration file, it is not changing the kernel value in real time. You need to reboot. If you use sysctl you change the values in real time, just as if you had write access on the (read-only) files. – jawtheshark Sep 02 '16 at 15:05
- all and default are enough. – x-yuri Feb 26 '21 at 20:05
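A small audit script, added here as an example and not taken from either answer above, that performs the same check `ipsec verify` does: it reads send_redirects and accept_redirects for every interface directory under net/ipv4/conf, reports any entry that is still enabled, and prints the sysctl.conf lines that would persist the fix for the interfaces actually present. The ROOT argument (default /proc/sys) is an assumption of this example so the check can be pointed at a test tree instead of the live kernel.

```shell
#!/bin/sh
# Added example: audit the ICMP-redirect sysctls that NETKEY/ipsec verify
# complains about. ROOT (assumed parameter) defaults to /proc/sys.

# Print every send_redirects/accept_redirects entry that is not 0.
# Returns 0 when all are disabled, 1 when at least one is still enabled.
check_redirects() {
    root="${1:-/proc/sys}"
    bad=0
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")            # all, default, lo, eth0, ...
        for key in send_redirects accept_redirects; do
            f="$dir$key"
            [ -r "$f" ] || continue           # skip unreadable/missing entries
            val=$(cat "$f")
            if [ "$val" != "0" ]; then
                echo "net.ipv4.conf.$iface.$key = $val (should be 0)"
                bad=1
            fi
        done
    done
    return $bad
}

# Emit sysctl.conf lines for every interface currently present (including
# all and default), suitable for review or appending to /etc/sysctl.conf.
sysctl_lines() {
    root="${1:-/proc/sys}"
    for dir in "$root"/net/ipv4/conf/*/; do
        iface=$(basename "$dir")
        echo "net.ipv4.conf.$iface.send_redirects = 0"
        echo "net.ipv4.conf.$iface.accept_redirects = 0"
    done
}

# Usage on a live host (functions only; nothing runs when sourced):
#   check_redirects                                   # exit 1 if anything is enabled
#   sudo sysctl -w net.ipv4.conf.all.send_redirects=0 # apply at runtime
#   sysctl_lines | sudo tee -a /etc/sysctl.conf       # persist across reboots
```

Because the kernel combines the all and per-interface values, the check walks every interface directory rather than only all and default.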