1

I've just configured a vpn connection (l2tp), but when I run ipsec verify I get:

$ ipsec verify
...
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

     ICMP default/accept_redirects              [NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on or cause sending of bogus ICMP redirects!

     XFRM larval drop                           [OK]

Can you explain in simple words what that means, and what will happen if I won't disable them?

x-yuri
  • 3,373

1 Answers1

1

For send_redirects you can find an answer in the Libreswan FAQ:

Let's say you have a VPN server in a cloud that you use with your phone. Your phone will setup an IPsec VPN and all its traffic is encrypted and send to the cloud instance, which decrypts it and sends it on the internet, using SNAT. Replies it receives are encrypted and send to your phone.

Your phone will send the VPN server an encrypted packet. The server receives it on eth0 (its only interface!) and decrypts it. The decrypted packet is then ready to get routed. The server looks which interface it should send the packet to. It is destined to go out eth0. Since the packet came in via eth0 and would go out via eth0, the server concludes there clearly must be a better path not involving itself, since it is going out the same interface. It has no idea the packet arrived encrypted and got decrypted.

This is why we recommend disabling "send_redirects" in /etc/sysctl.conf using

Maybe the Introduction to strongSwan is a little bit clearer here:

If the VPN gateway is not the default gateway of the LAN, ICMP redirects might get returned to hosts if they send traffic destined for the remote hosts/subnets to the VPN gateway, directing them to the default gateway of the LAN (which probably doesn't work and otherwise might get that traffic out unencrypted). To avoid this, disable sending such ICMP messages by setting net.ipv4.conf.all.send_redirects and net.ipv4.conf.default.send_redirects to 0 (if the latter is not set before the interface comes up, also set the option for the individual interface, i.e. net.ipv4.conf..send_redirects).

For accept_redirects I would assume just good networking practice. Since your VPN gateway should know all local routes, any ICMP redirect would be bogus and should be ignored.