...
Description of problem:
`ipsec verify` and the upstream FAQ recommend disabling rp_filter, but /etc/sysctl.d/50-libreswan.conf does not disable it.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

[root@localhost ~]# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.32 (netkey) on 5.4.17-2036.104.5.el8uek.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
Pluto ipsec.secret syntax                               [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help

https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

[root@localhost ~]# cat /etc/sysctl.d/50-libreswan.conf
# when using 1 interface for two networks when using NETKEY, the kernel
# thinks it can be clever by sending a redirect (cause it cannot tell an
# encrypted packet came in, but a decrypted packet came out), so it sends
# a bogus ICMP redirect
# We disable redirects for XFRM/IPsec
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0

[root@localhost ~]# rpm -qi libreswan
Name        : libreswan
Version     : 3.32
Release     : 7.0.1.el8_3
Architecture: x86_64
Install Date: Fri 02 Apr 2021 01:15:58 PM EEST
Group       : Unspecified
Size        : 4897354
License     : GPLv2
Signature   : RSA/SHA256, Tue 10 Nov 2020 03:51:23 AM EET, Key ID 82562ea9ad986da3
Source RPM  : libreswan-3.32-7.0.1.el8_3.src.rpm
Build Date  : Tue 10 Nov 2020 03:40:03 AM EET
Build Host  : jenkins-172-17-0-2-c5b0924f-57ee-47f9-9480-e1f94219cf65.blddevtest1iad.osdevelopmeniad.oraclevcn.com
Relocations : (not relocatable)
Vendor      : Oracle America
URL         : https://libreswan.org/
Summary     : IPsec implementation with IKEv1 and IKEv2 keying protocols

Yes, I know this is observed on OL, but they keep RH defaults when rebuilding: rhel8.3 sources -> libreswan-3.32/packaging/fedora/libreswan-sysctl.conf
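As an added example (not part of the bug report or of the libreswan package), a POSIX sh audit in the spirit of the rp_filter check shown above. It walks every scope under net/ipv4/conf rather than only conf/all, because the kernel applies the maximum of conf/all and conf/<interface>/rp_filter when validating a source address, and it prints the sysctl.d lines that are still missing. SYSCTL_ROOT is an assumed override so the check can run against a constructed tree instead of the live /proc.

```shell
#!/bin/sh
# Added example: audit rp_filter across all, default and per-interface
# scopes and emit the sysctl.d lines needed to disable it everywhere.
# SYSCTL_ROOT is a hypothetical override (defaults to the real /proc/sys).
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# rp_filter_status VALUE -> DISABLED for 0, ENABLED (strict/loose) otherwise
rp_filter_status() {
    case "$1" in
        0) echo "DISABLED" ;;
        1) echo "ENABLED (strict)" ;;
        2) echo "ENABLED (loose)" ;;
        *) echo "ENABLED (unknown value $1)" ;;
    esac
}

# audit_rp_filter -> one line per conf/<scope>/rp_filter; returns 0 only if
# every scope is 0 (a per-interface 1 or 2 still filters even if all=0)
audit_rp_filter() {
    rc=0
    for f in "$SYSCTL_ROOT"/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        scope=$(basename "$(dirname "$f")")
        val=$(cat "$f")
        printf '%-40s [%s]\n' "net.ipv4.conf.$scope.rp_filter" \
            "$(rp_filter_status "$val")"
        [ "$val" = "0" ] || rc=1
    done
    return $rc
}

# missing_sysctl_lines -> the lines the reporter expected the shipped
# 50-libreswan.conf to carry, for every scope that is still enabled
missing_sysctl_lines() {
    for f in "$SYSCTL_ROOT"/net/ipv4/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        scope=$(basename "$(dirname "$f")")
        [ "$(cat "$f")" = "0" ] || echo "net.ipv4.conf.$scope.rp_filter = 0"
    done
}

if audit_rp_filter; then
    echo "rp_filter is disabled in every scope"
else
    echo "# add to /etc/sysctl.d/50-libreswan.conf, then run: sysctl --system"
    missing_sysctl_lines
fi
```

Values written by sysctl.d only take effect for interfaces that exist at boot or are created later (via conf/default); interfaces that already exist keep their own value until it is set explicitly.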
Won't Do