I found the solution in this GitHub gist: https://gist.github.com/kryptek/7683862
KVM Debian - Disabling ICMP Redirect Acceptance makes SSH and ping impossible
Question
I am currently setting up an L2TP/IPsec VPN on my Debian KVM following this tutorial: http://bailey.st/blog/2011/07/06/secure-ipsecl2tp-vpn-for-on-the-road-android-devices/
Issuing this command:
root@localhost:~# ipsec verify
I got the following output:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [FAILED]
Cannot execute command "lsof -i UDP:500": No such file or directory
Pluto listening for NAT-T on udp 4500 [FAILED]
Cannot execute command "lsof -i UDP:4500": No such file or directory
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
So I edited this setting in /etc/sysctl.conf:
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
I then restarted networking via /etc/init.d.
Now here is my problem: I can no longer connect to my KVM through SSH, nor ping its IP (the only thing I can still use is VNC).
How can I connect via SSH again without re-enabling ICMP redirect acceptance?
Solution
If you just did /etc/init.d/networking restart, make sure that your interfaces are up (e.g. with ifconfig). When I restarted networking like that on Debian wheezy it said:
Running /etc/init.d/networking restart is deprecated because it may not re-enable some interfaces ... (warning)
And in fact I did discover that I needed to ifup eth0 (rebooting should also work).
I don't think your problem has anything to do with ICMP redirects. I disabled them on my KVM instance running wheezy and it accepts ping and SSH. If it isn't the above issue, then I would suspect something in your IPsec configuration is wrong and is breaking netfilter.
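The following is an added example, not code from the question, the answers or the linked gist. It does what `ipsec verify` actually asks for: it turns off both send_redirects and accept_redirects (the question only changed accept_redirects for "all"), applies the change at once by writing the /proc entries instead of restarting networking, and then reads back every /proc/sys/net/ipv4/conf/*/ entry. The per-interface check matters because the kernel keeps a separate value for each interface and combines it with conf/all, and `ipsec verify` reads each of those files, so setting only net.ipv4.conf.all is not enough for interfaces that already exist. The SYSCTL_ROOT variable, the function names and the /etc/sysctl.d file name are assumptions of this example, chosen so the checker can be exercised against a fake /proc tree without root.

```shell
#!/bin/sh
# Added example, not from the question, the answers or the linked gist.
# Persist and apply the ICMP redirect settings that `ipsec verify` checks,
# and verify every per-interface entry (all, default, lo, eth0, ppp0, ...),
# because the kernel keeps one value per interface alongside conf/all.
# SYSCTL_ROOT is an assumption of this example: a prefix put in front of
# /proc and /etc so the functions can be run against a fake tree as a
# normal user. Leave it empty on a real host.

SYSCTL_ROOT="${SYSCTL_ROOT:-}"

# Lines to persist: "all" and "default" cover the interfaces that exist now
# and the ones created later, such as the ppp0 devices L2TP clients get.
redirect_sysctl_fragment() {
    for scope in all default; do
        echo "net.ipv4.conf.$scope.send_redirects = 0"
        echo "net.ipv4.conf.$scope.accept_redirects = 0"
    done
}

# Return 0 when every send_redirects/accept_redirects entry reads 0,
# 1 otherwise, naming each entry that is still enabled.
check_redirects() {
    dir="$SYSCTL_ROOT/proc/sys/net/ipv4/conf"
    rc=0
    for f in "$dir"/*/send_redirects "$dir"/*/accept_redirects; do
        [ -r "$f" ] || continue            # unmatched glob or unreadable entry
        if [ "$(cat "$f")" != "0" ]; then
            echo "still enabled: $f"
            rc=1
        fi
    done
    return $rc
}

# Apply immediately (root needed on a real host): writing the /proc entries
# takes effect at once, so no networking restart is involved and an existing
# SSH session is not touched. Then persist the fragment so it survives a
# reboot (assumes /etc/sysctl.d exists; otherwise append to /etc/sysctl.conf).
apply_redirects() {
    dir="$SYSCTL_ROOT/proc/sys/net/ipv4/conf"
    for f in "$dir"/*/send_redirects "$dir"/*/accept_redirects; do
        if [ -w "$f" ]; then
            echo 0 > "$f"
        fi
    done
    redirect_sysctl_fragment > "$SYSCTL_ROOT/etc/sysctl.d/10-ipsec-redirects.conf"
    check_redirects
}

case "${1:-}" in
    fragment) redirect_sysctl_fragment ;;
    check)    check_redirects ;;
    apply)    apply_redirects ;;
    *)        ;;   # sourced or run without an argument: define functions only
esac
```

On the host from the question, `sh disable_redirects.sh apply` as root silences both FAILED lines from `ipsec verify` without restarting networking; `sh disable_redirects.sh check` afterwards lists any interface that still has a redirect setting enabled, which is exactly the condition `ipsec verify` tests.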