config setup # Normally, pluto logs via syslog. #logfile=/var/log/pluto.log # # Do not enable debug options to debug configuration issues! # # plutodebug="control parsing" # plutodebug="all crypt" plutodebug=none # # NAT-TRAVERSAL support # exclude networks used on server side by adding %v4:!a.b.c.0/24 # It seems that T-Mobile in the US and Rogers/Fido in Canada are # using 25/8 as "private" address space on their wireless networks. # This range has never been announced via BGP (at least up to 2015) nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:184.108.40.206/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# ipsec verify Verifying installed system and configuration files
Version check and ipsec on-path [OK] Libreswan 3.25 (netkey) on 3.10.0-862.el7.x86_64 Checking for IPsec support in kernel [OK] NETKEY: Testing XFRM related proc values ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK] Pluto ipsec.conf syntax [OK] Two or more interfaces found, checking IP forwarding [OK] Checking rp_filter [ENABLED] /proc/sys/net/ipv4/conf/all/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ens33/rp_filter [ENABLED] /proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED] rp_filter is not fully aware of IPsec and should be disabled Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for IKE/NAT-T on udp 4500 [OK] Pluto ipsec.secret syntax [OBSOLETE] 003 WARNING: using a weak secret (PSK) Checking 'ip' command [OK] Checking 'iptables' command [OK] Checking 'prelink' command does not interfere with FIPS [OK] Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD] Warning: ignored obsolete keyword 'nat_traversal'
ipsec verify: encountered 11 errors - see 'man ipsec_verify' for help