[Openswan Users] klips-ng in openswan 2.6.x

Paul Wouters paul at xelerance.com
Thu Jun 25 14:21:22 EDT 2009


On Thu, 25 Jun 2009, Vincent Bernat wrote:

> I noticed than OpenSWAN 2.6.22 has a target ngpatch-2.6 to get a patch for
> KLIPS-NG. However, the patch is really tiny and only add some things in
> some structs. No real code. Therefore, I have looked at  the patch for
> regular KLIPS and there is some code using the new bits inserted by
> KLIPS-NG patch. However, this code is enclosed between ifdefs and
> HAVE_IPSEC_SAREF symbol needs to be defined to enable the code.

Yes. All the parts of the l2tp patch, support advanced l2tp setups, has been
released. Most of the KLIPS code was released a long time ago already. The
only bits recently released were the patches needed to the kernel outside
of the KLIPS code. The userland also had all the enhanced l2tp support published
already.

> What is the correct way to enable saref feature in OpenSWAN 2.6.22? Should
> I just add #define HAVE_IPSEC_SAREF 1 at the top of some .h file?

Edit Makefile.inc and enable USE_SAREF_KERNEL=true. Set protostack=mast in ipsec.conf.
And set "ipsec saref = yes" in xl2tpd.conf.

Note that we have not had the time to keep this patch up with newer kernels.
Parts of the "ng" patch were merged into the upstream kernel (though slightly
differently). To see how it interacts, have a look at 
programs/_updown.mast/_updown.mast.in

For those not aware what this code accomplishes:

http://www.openswan.org/docs/ipsecsaref.png

You have clashing NAT'ed IP's behind different NAT's and multiple L2TP connections
from behind the same NAT, and combinations there of. This is not supported with
NETKEY.

Paul


More information about the Users mailing list