If you're setting up an IPSec VPN using OpenSwan on Ubuntu 14.04 and encountering the "Two or more interfaces found, checking IP forwarding [FAILED]" message during ipsec verify, you're not alone. This issue persists even after enabling IP forwarding in sysctl.conf, which makes it particularly frustrating.
The ipsec verify script performs several checks, including verifying that IP forwarding is properly configured when multiple network interfaces are detected. The check fails when:
- The system has multiple active network interfaces
- The IP forwarding setting isn't properly applied or detected
- Network interface configurations might be interfering
Here's what actually works to resolve this issue:
1. Permanent IP Forwarding Configuration
Edit /etc/sysctl.conf:
# Uncomment the following line
net.ipv4.ip_forward=1
Then apply the changes:
sudo sysctl -p
2. Interface-Specific NAT and Forwarding Rules
For systems with multiple interfaces, you might also need explicit NAT and forwarding rules. Create a new file /etc/ipsec.d/iptables.conf (in this example eth0 is the outside interface and eth1 the inside one; adjust the names to your system):
#!/bin/sh
# Caution: the next four commands drop every existing filter and NAT rule,
# so merge these with any rules you already rely on rather than running as-is.
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
# Masquerade traffic leaving through the outside interface (eth0 here)
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
# Allow forwarding of packets arriving on the inside interface (eth1 here)
iptables --append FORWARD --in-interface eth1 -j ACCEPT
Make it executable:
chmod +x /etc/ipsec.d/iptables.conf
Nothing runs this script automatically, so call it yourself (for example from your network start-up). If your ipsec.conf contains an include /etc/ipsec.d/*.conf line, the Openswan parser will try to read the script as configuration, so use a different name or directory in that case.
3. OpenSwan Configuration Adjustment
Edit /etc/ipsec.conf and ensure these settings exist (parameter lines must be indented under the section header):
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey
    nat_traversal=yes
    oe=off
After implementing these changes:
# Reload sysctl settings
sudo sysctl -p
# Restart networking
sudo service networking restart
# Restart IPSec
sudo service ipsec restart
# Run verification
sudo ipsec verify
If you're certain IP forwarding is properly configured but still get the error, you can modify the verification script:
sudo nano /usr/lib/ipsec/verify
Find the IP forwarding check section and either comment it out or modify the interface check logic.
Remember that while the verification failure might be annoying, it doesn't necessarily mean your VPN won't work. The key is ensuring that:
- IP forwarding is actually enabled (cat /proc/sys/net/ipv4/ip_forward should return 1)
- Your firewall rules permit VPN traffic
- All necessary modules are loaded (lsmod | grep ah4 and similar checks)
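The forwarding check described at the top of this page, and the first item of the checklist just above, can be reproduced offline. The script below is an added diagnostic written for this page, not Openswan's own verify code; it assumes you save the output of ip -o link show and the contents of /proc/sys/net/ipv4/ip_forward to files (constructed samples are embedded), and its demo shows the usual failing state: ip_forward enabled in sysctl.conf but still 0 at runtime.

```shell
#!/bin/sh
# Added diagnostic, not part of Openswan: reproduces the logic behind the
# "Two or more interfaces found, checking IP forwarding" check, with every
# input taken from a file so each piece can be inspected (or replayed from a
# saved copy of /proc/sys/net/ipv4/ip_forward and 'ip -o link show' output).

# Last uncommented assignment of KEY in a sysctl-style file ("a.b = 1" or
# "a.b=1"). Later lines win, as they do when sysctl -p applies the file.
effective_sysctl_value() {
    key=$1; file=$2
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    sed -n 's/^[[:space:]]*'"$esc"'[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
        "$file" | tail -n 1
}

# Number of interfaces other than lo in saved 'ip -o link show' output.
count_non_loopback() {
    awk '!/^[0-9]+: lo:/ { n++ } END { print n + 0 }' "$1"
}

# Mirror of the verify step: the check only applies with two or more
# interfaces, and it reads the live /proc value, not sysctl.conf.
forwarding_check() {
    proc_file=$1; link_file=$2
    if [ "$(count_non_loopback "$link_file")" -lt 2 ]; then
        echo "N/A"; return 0
    fi
    if [ "$(cat "$proc_file")" = "1" ]; then echo "OK"; else echo "FAILED"; fi
}

# Constructed sample host: two interfaces, ip_forward enabled in sysctl.conf
# but never applied at runtime, which is exactly the state that fails.
demo() {
    d=$(mktemp -d)
    printf '1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536\n' > "$d/links"
    printf '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500\n' >> "$d/links"
    printf '3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500\n' >> "$d/links"
    printf '0\n' > "$d/ip_forward"
    printf '#net.ipv4.ip_forward=0\nnet.ipv4.ip_forward = 1\n' > "$d/sysctl.conf"
    echo "interfaces (non-lo): $(count_non_loopback "$d/links")"
    echo "sysctl.conf value:   $(effective_sysctl_value net.ipv4.ip_forward "$d/sysctl.conf")"
    echo "runtime value:       $(cat "$d/ip_forward")"
    echo "verify result:       $(forwarding_check "$d/ip_forward" "$d/links")"
    rm -rf "$d"
}
demo
```

On a real host, feed it ip -o link show > links and /proc/sys/net/ipv4/ip_forward directly; a config value of 1 beside a runtime value of 0 means sysctl -p was never applied or something reset the flag after boot.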
Many Ubuntu 14.04 users running Openswan U2.6.38/K3.13.0-30-generic encounter this frustrating message when running ipsec verify:
Two or more interfaces found, checking IP forwarding [FAILED]
Despite enabling IP forwarding in sysctl.conf, the error persists. Let's dive deeper into why this happens and how to properly fix it.
The error occurs because Openswan's verification script expects specific conditions for IP forwarding that aren't always met by standard Ubuntu configurations. The check fails when:
- Multiple network interfaces exist
- The forwarding flag isn't properly activated
- Network interface configurations conflict
Here's what actually works (tested on Ubuntu 14.04 LTS):
# First, ensure IP forwarding is truly enabled at runtime
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
# Make it persistent across reboots (this appends a line; remove any older
# net.ipv4.ip_forward line from the file to avoid duplicates)
echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
For Openswan specifically, add this to /etc/ipsec.conf (parameter lines must be indented under the section header):
config setup
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    protostack=netkey
    nat_traversal=yes
Then restart services:
sudo sysctl -p
sudo service ipsec restart
If the issue persists, try these advanced fixes:
# Check current forwarding status
cat /proc/sys/net/ipv4/ip_forward
# Verify interface configurations
ip link show
# Check routing tables
ip route show
# Examine iptables rules that might block forwarding
sudo iptables -L -n -v
The common suggestion of just enabling net.ipv4.ip_forward often doesn't work because:
- Openswan performs additional checks beyond kernel parameters
- Network manager might override settings
- Firewall rules could interfere with forwarding
For a complete solution, you need to address all these aspects simultaneously.
After applying all fixes, verify with:
sudo ipsec verify
You should now see IP forwarding properly reported as [OK]. If not, check system logs for more details:
tail -f /var/log/syslog
# journalctl exists only on systemd-based releases; Ubuntu 14.04 uses Upstart,
# so there read /var/log/syslog and /var/log/auth.log (where pluto logs) instead
journalctl -u ipsec