Kai writes:
What about the kernel parameter rp_filter?! There is a dir for each network device in /proc/sys/net/ipv4/conf/!
Yes, I see those settings there...
And for IPSec it must be set to "0" (the default value, I think)!!
Yes, before the SuSEfirewall2 script runs, these are 0.
The /sbin/SuSEfirewall2 script looks at start time for IPSec devices (in v2.0 -> less +522 /sbin/SuSEfirewall2), but if there is no IPSec device present the rp_filter parameter is set to "1"! You may want to set them all to "0": for i in /proc/sys/net/ipv4/conf/*; do echo "0" > $i/rp_filter; done
Okay, but: When?
If that doesn't help you can switch off the kernel security at #17 in /etc/rc.config.d/firewall2.rc.config.
I checked, it's already off. I left it off until I got a working config, which I don't appear to have yet. I'm trying to give myself the best chance for success. :-)
A little bug in the /sbin/SuSEfirewall2 script is that the changes to the kernel parameters are a one-way ticket! Once set, the script doesn't roll them back to the original values if you stop/refresh/reload the firewall, so the only way I see is to reboot the machine (or roll back the values by hand ;-)
Thank you, I didn't know that!
BTW, does IPSec work correctly if you don't start the firewall?!
On one end, I'm already behind a CISCO PIX firewall, so I have the luxury of not running the firewall. On the other end, I'm wide open to the world, and I'm not willing to shut the firewall down. That strikes me as downright dangerous.
PS remember: you CAN'T ping from one IPSec router to the other!!! You must use IPs other than the router IPs as source / target IPs for ping tests: http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#cantping
A good reminder, thank you.
PPS Very important (the real trick): http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#masq.faq
Thanks... though with SuSEfirewall2 in play, I'm not sure how to issue manual commands with IPTables and not screw up what SuSEfirewall2 has done for me. The prospect of manually creating firewall scripts is not a pretty one. I have a bunch of port forwarding going on. :-(
Have a nice day....
I'll try, thanks.
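As an added example, not part of this thread and not SuSEfirewall2's own code, here is a small POSIX shell helper for the rp_filter problem discussed above: it snapshots the per-interface rp_filter values before the firewall script runs, forces them all to 0 (what IPSec needs), and restores the saved values afterwards, so the one-way change can be rolled back without a reboot. The function names, the CONF_DIR override and the constructed test directory are my own assumptions; writing under /proc/sys requires root.

```shell
#!/bin/sh
# Added example (not from the original thread or from SuSEfirewall2):
# snapshot, set and restore rp_filter for every interface directory under
# /proc/sys/net/ipv4/conf, so a value changed by the firewall script can
# be rolled back by hand. CONF_DIR defaults to the real kernel path; it
# can be pointed at any directory tree laid out the same way for testing.

CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Print one "<interface> <value>" line per rp_filter file under $1.
# Redirect the output to a file to keep it as the snapshot.
rp_snapshot() {
    dir="$1"
    for f in "$dir"/*/rp_filter; do
        [ -f "$f" ] || continue
        iface=$(basename "$(dirname "$f")")
        printf '%s %s\n' "$iface" "$(cat "$f")"
    done
}

# Write value $2 into every rp_filter under $1. 0 disables reverse-path
# filtering (needed for IPSec), 1 enables strict mode; 2 (loose mode)
# only exists on newer kernels, anything else is rejected.
rp_set_all() {
    dir="$1"; val="$2"
    case "$val" in
        0|1|2) ;;
        *) echo "bad rp_filter value: $val" >&2; return 1 ;;
    esac
    for f in "$dir"/*/rp_filter; do
        [ -f "$f" ] || continue
        echo "$val" > "$f"
    done
}

# Restore the values recorded by rp_snapshot (snapshot file $2) under $1.
# Interfaces that have disappeared since the snapshot are skipped.
rp_restore() {
    dir="$1"; saved="$2"
    while read -r iface val; do
        [ -n "$iface" ] || continue
        f="$dir/$iface/rp_filter"
        [ -f "$f" ] && echo "$val" > "$f"
    done < "$saved"
}

# Return 0 if every rp_filter under $1 equals $2, otherwise 1.
# Handy as a check before starting IPSec: rp_all_equal "$CONF_DIR" 0
rp_all_equal() {
    dir="$1"; want="$2"
    for f in "$dir"/*/rp_filter; do
        [ -f "$f" ] || continue
        [ "$(cat "$f")" = "$want" ] || return 1
    done
    return 0
}
```

Typical use on the router: `rp_snapshot "$CONF_DIR" > /var/run/rp_filter.saved` before starting the firewall, `rp_set_all "$CONF_DIR" 0` (and `rp_all_equal "$CONF_DIR" 0` to verify) before bringing up IPSec, and `rp_restore "$CONF_DIR" /var/run/rp_filter.saved` when you want the original settings back. Note that SuSEfirewall2 may overwrite the values again on every reload, so the check is worth repeating after each firewall restart.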