8
root@t-Aspire-5742:/# sudo ipsec verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]

Linux Openswan U2.6.37/K3.5.0-42-generic (netkey)
Checking for IPsec support in kernel                            [OK]

 SAref kernel support                                           [N/A]

 NETKEY:  Testing XFRM related proc values                      [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects! [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects                    [OK]

Checking that pluto is running                                  [OK]

 Pluto listening for IKE on udp 500                             [OK]

 Pluto listening for NAT-T on udp 4500                          [OK]

Two or more interfaces found, checking IP forwarding            [FAILED]

Checking for 'ip' command                                       [OK]

Checking /bin/sh is not /bin/dash                               [WARNING]

Checking for 'iptables' command                                 [OK]

Opportunistic Encryption Support                                [DISABLED]
Florian Diesch
  • 86,013
  • 17
  • 224
  • 214
PHANI
  • 521
  • 3
  • 7
  • 8

2 Answers2

15

You need to disable send and accept:

# Disable send redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects

# Disable accept redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects

To make it permanent on reboot, in your sysctl.conf place the below lines

net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0 
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0 
net.ipv4.conf.lo.send_redirects = 0
madSkillz
  • 3
  • 2
Skeletonkey
  • 151
  • 1
  • 3
  • I believe changing `all` and `default` is [enough](https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F). – x-yuri Feb 26 '21 at 20:05
0

Please norice the /proc/sys/net/ipv4/conf/... files are read only even for root user. You should disable it using your VPN configuration. For example in OpenSwan you should do:

Prompt> sudo vi /etc/sysctl.conf
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

You can also use 

sudo sysctl stuff.you.want.to.change=newValue

As suggested by comments to avoid reboot

Moshe Kaplan
  • 3
  • 4
  • That is technically not true, you just don't write directly to those files. You use `sudo sysctl stuff.you.want.to.change=newValue`. To make your changes persistent, you need to edit the `/etc/sysctl.conf`. – jawtheshark Sep 01 '16 at 12:51
  • But it is the same thing I wrote. What is the diff? – Moshe Kaplan Sep 02 '16 at 15:03
  • Persistence. If you change the configuration file, it is not changing the kernel value in real time. You need to reboot. If you use `sysctl`you change the values real time, just as if you had write access on the (read-only) files. – jawtheshark Sep 02 '16 at 15:05
  • @jawtheshark you are correct – Moshe Kaplan Sep 03 '16 at 19:19