Question

I am currently setting up an L2TP/IPsec VPN on my Debian KVM, following this tutorial: http://bailey.st/blog/2011/07/06/secure-ipsecl2tp-vpn-for-on-the-road-android-devices/

Issuing this command:

root@localhost:~# ipsec verify

I get the following output:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.28/K2.6.32-5-686 (netkey)
Checking for IPsec support in kernel                        [OK]
NETKEY detected, testing for disabled ICMP send_redirects   [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running                              [OK]
Pluto listening for IKE on udp 500                          [FAILED]
  Cannot execute command "lsof -i UDP:500": No such file or directory
Pluto listening for NAT-T on udp 4500                       [FAILED]
  Cannot execute command "lsof -i UDP:4500": No such file or directory
Checking for 'ip' command                                   [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]

So I edited this setting in /etc/sysctl.conf to:

# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0

I then restarted networking via /etc/init.d.

Now my problem: I cannot connect to my KVM through SSH anymore, nor ping its IP. (The only thing I can use is VNC.)

How could I connect via SSH again without enabling the ICMP Redirect Acceptance?


Solution

I found the solution in this GitHub gist: https://gist.github.com/kryptek/7683862

OTHER TIPS

If you just did /etc/init.d/networking restart, make sure that your interfaces are up (e.g. with ifconfig). When I restarted networking like that on Debian wheezy it said:

Running /etc/init.d/networking restart is deprecated because it may not re-enable some interfaces ... (warning)

And in fact I did discover that I needed to ifup eth0 (rebooting should also work).

I don't think your problem has anything to do with ICMP redirects. I disabled them on my KVM instance running wheezy and it accepts ping and ssh. If it isn't the above issue, then I would suspect something in your IPsec configuration is wrong and breaking netfilter.
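As an added example for this thread (not code from the question, the tutorial, or the linked gist), here is a POSIX shell script that covers both parts of the discussion: the sysctl fragment that clears both NETKEY checks in the ipsec verify output above (the question only set accept_redirects for "all", while the verify output also asks for send_redirects, and it inspects every entry under /proc/sys/net/ipv4/conf/*), a check of the live per-interface values, and the post-restart interface check from the tip above. The file name /etc/sysctl.d/60-ipsec-redirects.conf and the interface name eth0 are assumptions; the check functions take a directory argument so they can be run against a copy of the proc tree for testing.

```shell
#!/bin/sh
# Added example for this thread; not code from the question, the tutorial or the gist.
# Assumes the /proc/sys/net/ipv4/conf/<iface>/ layout that `ipsec verify` reads
# and a Debian host with /etc/sysctl.d. File and interface names are assumptions.

# Sysctl fragment that satisfies both NETKEY checks in `ipsec verify`.
# "all" is what the question set; "default" is inherited by interfaces created
# later (such as the ppp interfaces L2TP brings up), and send_redirects must be
# covered too, or the first check keeps failing.
ipsec_redirect_sysctl() {
    cat <<'EOF'
# Disable ICMP redirects for NETKEY IPsec (both checks in `ipsec verify`)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
EOF
}

# Walk every interface directory under $1 (default: the real proc tree) and
# print "<iface> <key>" for each send_redirects/accept_redirects still at 1.
# Returns 1 if any offender was found, 0 if everything is disabled.
check_redirects() {
    conf_root=${1:-/proc/sys/net/ipv4/conf}
    rc=0
    for dir in "$conf_root"/*; do
        [ -d "$dir" ] || continue
        for key in send_redirects accept_redirects; do
            [ -r "$dir/$key" ] || continue
            if [ "$(cat "$dir/$key")" != 0 ]; then
                printf '%s %s\n' "$(basename "$dir")" "$key"
                rc=1
            fi
        done
    done
    return $rc
}

# The failure mode from the tip above: after `/etc/init.d/networking restart`
# an interface can stay down, which looks like the sysctl change broke SSH.
# Reads operstate for interface $1 under $2 (default: /sys/class/net).
# Returns 0 only if the kernel reports the link as "up".
iface_is_up() {
    state_file="${2:-/sys/class/net}/$1/operstate"
    [ -r "$state_file" ] && [ "$(cat "$state_file")" = up ]
}

# Usage on the real host (as root):
#   ipsec_redirect_sysctl > /etc/sysctl.d/60-ipsec-redirects.conf
#   sysctl -p /etc/sysctl.d/60-ipsec-redirects.conf
#   check_redirects || echo "some interface still has ICMP redirects enabled"
#   iface_is_up eth0 || ifup eth0
```

Any interface that check_redirects still reports (existing interfaces do not pick up "default" retroactively) can be fixed with sysctl -w net.ipv4.conf.IFACE.KEY=0, after which ipsec verify should pass both NETKEY checks. Separately, the two "Pluto listening" FAILED lines in the question's output are caused by lsof not being installed ("Cannot execute command"), not by pluto failing to bind; install lsof or look at netstat -lun before concluding IKE is not listening.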

Licensed under: CC-BY-SA with attribution