RHEL-5205

`ipsec verify` and the upstream FAQ recommend disabling rp_filter, but /etc/sysctl.d/50-libreswan.conf does not disable it


      Description of problem:
      `ipsec verify` and the upstream FAQ recommend disabling rp_filter, but /etc/sysctl.d/50-libreswan.conf does not disable it

      Additional info:
      [root@localhost ~]# ipsec verify
      Verifying installed system and configuration files

      Version check and ipsec on-path [OK]
      Libreswan 3.32 (netkey) on 5.4.17-2036.104.5.el8uek.x86_64
      Checking for IPsec support in kernel [OK]
      NETKEY: Testing XFRM related proc values
      ICMP default/send_redirects [OK]
      ICMP default/accept_redirects [OK]
      XFRM larval drop [OK]
      Pluto ipsec.conf syntax [OK]
      Checking rp_filter [ENABLED]
      /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
      rp_filter is not fully aware of IPsec and should be disabled
      Checking that pluto is running [OK]
      Pluto listening for IKE on udp 500 [OK]
      Pluto listening for IKE/NAT-T on udp 4500 [OK]
      Pluto ipsec.secret syntax [OK]
      Checking 'ip' command [OK]
      Checking 'iptables' command [OK]
      Checking 'prelink' command does not interfere with FIPS [OK]
      Checking for obsolete ipsec.conf options [OK]

      ipsec verify: encountered 3 errors - see 'man ipsec_verify' for help

      https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_rp_filter_in_.2Fproc.2Fsys.2Fnet_.3F

      [root@localhost ~]# cat /etc/sysctl.d/50-libreswan.conf

      # when using 1 interface for two networks when using NETKEY, the kernel
      # thinks it can be clever by sending a redirect (cause it cannot tell
      # an encrypted packet came in, but a decrypted packet came out),
      # so it sends a bogus ICMP redirect
      #
      # We disable redirects for XFRM/IPsec
      net.ipv6.conf.default.accept_redirects = 0
      net.ipv6.conf.all.accept_redirects = 0
      net.ipv4.conf.default.send_redirects = 0
      net.ipv4.conf.default.accept_redirects = 0
      net.ipv4.conf.all.send_redirects = 0
      net.ipv4.conf.all.accept_redirects = 0

      [root@localhost ~]# rpm -qi libreswan
      Name : libreswan
      Version : 3.32
      Release : 7.0.1.el8_3
      Architecture: x86_64
      Install Date: Fri 02 Apr 2021 01:15:58 PM EEST
      Group : Unspecified
      Size : 4897354
      License : GPLv2
      Signature : RSA/SHA256, Tue 10 Nov 2020 03:51:23 AM EET, Key ID 82562ea9ad986da3
      Source RPM : libreswan-3.32-7.0.1.el8_3.src.rpm
      Build Date : Tue 10 Nov 2020 03:40:03 AM EET
      Build Host : jenkins-172-17-0-2-c5b0924f-57ee-47f9-9480-e1f94219cf65.blddevtest1iad.osdevelopmeniad.oraclevcn.com
      Relocations : (not relocatable)
      Vendor : Oracle America
      URL : https://libreswan.org/
      Summary : IPsec implementation with IKEv1 and IKEv2 keying protocols

      Yes, I know this is observed on OL, but they keep RH defaults when rebuilding: rhel8.3 sources -> libreswan-3.32/packaging/fedora/libreswan-sysctl.conf
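An added example, not part of this report or of libreswan: a POSIX shell audit that checks rp_filter the way `ipsec verify` does above, extended to every interface and applying the kernel rule that the effective value is the larger of conf/all/rp_filter and conf/<iface>/rp_filter (so a per-interface 0 does not help while all=1). The conf root is a parameter (an assumption of this example) so it can run against a copied tree; on a live host pass /proc/sys/net/ipv4/conf.

```shell
#!/bin/sh
# Added example (not from the report or from libreswan): audit rp_filter per
# interface using the kernel rule effective = max(conf/all, conf/<iface>).
# The conf root is a parameter (assumption) so a copied tree can be checked.

# Prints "<iface> rp_filter=<effective> [<label>]" per interface; returns 0
# only when rp_filter is effectively disabled (0) on every interface.
rp_filter_audit() {
    conf_root=$1
    all_val=$(cat "$conf_root/all/rp_filter" 2>/dev/null || echo 0)
    status=0
    for dir in "$conf_root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        iface_val=$(cat "$dir/rp_filter" 2>/dev/null || echo 0)
        # The larger of all/ and <iface>/ is what source validation uses.
        if [ "$iface_val" -gt "$all_val" ]; then eff=$iface_val; else eff=$all_val; fi
        case "$eff" in
            0) label=DISABLED ;;
            1) label='ENABLED (strict)'; status=1 ;;
            2) label='ENABLED (loose)';  status=1 ;;
            *) label="UNKNOWN ($eff)";   status=1 ;;
        esac
        printf '%s rp_filter=%s [%s]\n' "$iface" "$eff" "$label"
    done
    return "$status"
}

# Constructed sample tree reproducing the reported host: all=1 while the
# per-interface files are 0, so every interface is still effectively strict.
make_sample_conf() {
    root=$(mktemp -d)
    for i in all default eth0 lo; do
        mkdir -p "$root/$i"
    done
    echo 1 >"$root/all/rp_filter"
    echo 1 >"$root/default/rp_filter"
    echo 0 >"$root/eth0/rp_filter"
    echo 0 >"$root/lo/rp_filter"
    echo "$root"
}

# Stand-alone run against the constructed tree (non-zero exit, like ipsec verify).
sample=$(make_sample_conf)
rp_filter_audit "$sample" || echo "rp_filter enabled: the sysctl fragment sets no net.ipv4.conf.all.rp_filter = 0"
rm -rf "$sample"
```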

              Daiki Ueno (dueno@redhat.com)
              Mai Ling (Inactive)
              Daiki Ueno
              Ondrej Moris