12

Ubuntu 14.04, Openswan U2.6.38/K3.13.0-30-generic

When I run ipsec verify I get this error.

Two or more interfaces found, checking IP forwarding            [FAILED]

I see quite a few of this same question floating around. Has anybody finally found the solution?

Of course I've enabled IP forwarding in sysctl.conf :-)

I've done a ton of research and just cannot get by this.

Christopher Perrin
user236822

3 Answers

8

The gist of this is that the Ubuntu AMIs must use the NETKEY stack and that you must make configuration tweaks to support that. You also need to enable IP forwarding.

You will make these changes using the /etc/sysctl.conf file and the sysctl command. This will cause changes in the proc file system at paths like /proc/sys/net/ipv4/conf/*/send_redirects, but by editing this file, you ensure those changes are reflected on reboot.

Edit /etc/sysctl.conf and add or uncomment the following lines:

net.ipv4.ip_forward=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

Now use the sysctl command to load your new configuration:

$ sudo sysctl -p /etc/sysctl.conf

If you succeeded, running $ sudo ipsec verify again should show everything [OK].

Hope it could help.

Rose Ab
  • I am running it inside a docker container, I have added all the kernel modules required for Strongswan ipsec, but it still gives me the error `/usr/sbin/ipsec: unknown IPsec command verify (ipsec --help for list)` – Saad Jan 08 '18 at 13:27
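
A check for the procedure in the answer above, as an added example that is not part of the original answer: it compares each key in a sysctl.conf-style file with the value the running kernel reports under /proc/sys, so you can see whether `sysctl -p` took effect and whether a per-interface key such as the eth0 entries points at an interface that does not exist. The function name `check_sysctl_drift` and its optional second argument (an alternate root directory, used for offline testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer): compare settings persisted
# in a sysctl.conf-style file with the running values under /proc/sys.
# check_sysctl_drift and its arguments are hypothetical names.
#
# usage: check_sysctl_drift CONF_FILE [PROC_ROOT]
#   PROC_ROOT defaults to /proc/sys; overriding it allows offline testing.
# Prints one line per key; returns 0 if every key matches, 1 otherwise.
check_sysctl_drift() {
    conf=$1
    root=${2:-/proc/sys}
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop '#' comments
        case $line in
            \;*) continue ;;             # ';' also starts a comment line
            *=*) ;;                      # key = value, with or without spaces
            *) continue ;;               # blank or unrecognised line
        esac
        # Split on the first '=' and strip whitespace from both sides.
        key=$(printf '%s' "${line%%=*}" | tr -d ' \t')
        want=$(printf '%s' "${line#*=}" | tr -d ' \t')
        # net.ipv4.ip_forward -> $root/net/ipv4/ip_forward
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            # Typical cause: the file names eth0 but the NIC is called
            # something else, so the setting is never applied.
            echo "MISSING  $key (no $path; interface name may differ)"
            status=1
            continue
        fi
        have=$(tr -d ' \t\n' < "$path")
        if [ "$have" = "$want" ]; then
            echo "OK       $key = $have"
        else
            echo "DRIFT    $key: file says $want, kernel has $have"
            status=1
        fi
    done < "$conf"
    return $status
}

# Typical call on a live host:
#   check_sysctl_drift /etc/sysctl.conf
```

A DRIFT line after `sysctl -p` usually means another file or service overrides the value later; a MISSING line means the key in the file never reaches the kernel.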
5

According to this post on the Openswan mailing list, the error is caused by an old Perl version and can be ignored.

mattti
2

This post solved it for me:

  • echo 0 > /proc/sys/net/ipv4/ip_forward
  • ipsec verify
gogasca