Hello friends,<br>
<br>
I am using the method in which ipsec.ko module generated from openswan rather then patching the kernel using klips patch.<br>
<br>
I am following the following steps as paul has mentioned nicely ::<br>
<br>
1) Patch kernel using Natt <br>
<br>
export KERNELSRC=/usr/src/linux-2.6.17<br>
cd /home/software/openswan/openswan-2.4.6<br>
make natt-patch > /usr/src/linux-2.6.17/natt.patch<br>
cd /usr/src/kernel-source-2.6.8<br>
patch -p1 -s < natt.patch<br>
<br>
RESULT :: Works successfully <br>
<br>
2) Compiled kernel successfully. Then booting into new nattpatched
kernel, compiled the openswan by enabling USE_EXTRACRYPTO &
USE_WEAKSTUFF flags.<br>
Following by ::<br>
<br>
make KERNELSRC=/usr/src/linux-2.6.17 programs module<br>
make KERNELSRC=/usr/src/linux-2.6.17 install minstall<br>
<br>
RESULT :: success Compiled.<br>
<br>
Now when I use combinations like<span style="background-color: rgb(255, 255, 204);"> ike=aes or 3des with esp=aes or 3des both works</span> perfect, but when i try to use b<span style="background-color: rgb(255, 255, 204);">
lowfish or twofish or serpent</span> they are giving the following <span style="background-color: rgb(255, 255, 204);">error..</span><br>
<br>
For Example :: using ike=blowfish and esp=blowfish i am getting following errormessage in /var/log/syslog :<br>
<br>
<br>
Nov 2 23:58:53 localhost kernel:
klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack
version: 2.4.6<br>
Nov 2 23:58:53 localhost kernel: NET: Registered protocol family 15<br>
Nov 2 23:58:53 localhost kernel:
klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255,
AALG_MAX=251)<br>
Nov 2 23:58:53 localhost kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()<br>
Nov 2 23:58:53 localhost kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0<br>
Nov 2 23:58:53 localhost kernel: klips_debug:
experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)<br>
Nov 2 23:58:53 localhost kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0<br>
Nov 2 23:58:53 localhost ipsec_setup: KLIPS debug `none'<br>
Nov 2 23:58:53 localhost kernel:<br>
Nov 2 23:58:53 localhost ipsec_setup: KLIPS
ipsec0 on eth0 <a href="http://192.168.1.4/255.0.0.0"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.168.1.4/255.0.0.0</a> broadcast <a href="http://192.255.255.255"><font color="red"><b>MailScanner warning: numerical links are often malicious:</b></font> 192.255.255.255</a><br>
Nov 2 23:58:53 localhost ipsec_setup: ...Openswan IPsec started<br>
Nov 2 23:58:53 localhost ipsec_setup: Starting Openswan IPsec 2.4.6...<br>
Nov 2 23:58:53 localhost ipsec_setup: WARNING:
changing route filtering on eth0 (changing
/proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)<br>
Nov 2 23:58:53 localhost ipsec__plutorun: 003 "netone": requested kernel enc ealg_id=7 not present<br>
Nov 2 23:58:53 localhost ipsec__plutorun: 003 "netone": requested kernel enc ealg_id=7 not present<br>
Nov 2 23:58:53 localhost ipsec__plutorun: 034
"netone": can not initiate: no acceptable kernel algorithms loaded<br>
Nov 2 23:58:53 localhost ipsec__plutorun: ...could not start conn "netone"<br>
<br>
<span style="background-color: rgb(255, 255, 204);"> && using ike=1des and esp=aes getting following error ::</span><br>
<br>
Nov 3 00:05:06 localhost ipsec__plutorun: 034
esp string error: enc_alg not found, enc_alg="1des", auth_alg="",
modp="" <br>
<br>
<br>
<br>
Now do i forgot any step or if there is any issue with the
kernel.. Do kernel is not able to find the functions defined in the
module or there is some problem with the openswan compiliation waiting
for your suggestions.. I am using fresh sources for compilation.. :-)<br>
<br>
Thank You.<br>
<br>
Ankur.<br>
<br>
More Information ::<br>
<br>
debian:/home/software/openswan/openswan-2.4.6# ipsec verify<br>
Checking your system to see if IPsec got installed and started correctly:<br>
Version check and ipsec
on-path
[OK]<br>
Linux Openswan 2.4.6 (klips)<br>
Checking for IPsec support in
kernel
[OK]<br>
Checking for RSA private key
(/etc/ipsec.secrets)
[OK]<br>
Checking that pluto is
running
[OK]<br>
Checking for 'ip'
command
[OK]<br>
Checking for 'iptables'
command
[OK]<br>
Opportunistic Encryption
Support
[DISABLED]<br>
<br>
<br>
debian:/home/software/openswan/openswan-2.4.6# ipsec setup restart<br>
ipsec_setup: ERROR: Module ipsec is in use <br>
ipsec_setup: Stopping Openswan IPsec...<br>
ipsec_setup: Starting Openswan IPsec 2.4.6...<br>
<br>
<div><span class="gmail_quote">On 10/31/06, <b class="gmail_sendername">Paul Wouters</b> <<a href="mailto:paul@xelerance.com">paul@xelerance.com</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Mon, 30 Oct 2006, conn intel wrote:<br><br>> Thanx... for quick reply..<br>><br>> a) Do i also need to set CONFIG_KLIPS as (module or built in). ?<br>><br>> b) Am I wrong ? I think there are two ipsec modules generated
<br>> 1) By compiling the kernel with CONFIG_KLIPS as modules 2) By "make<br>> kernelsrc=/usr/src/linux-2.6.17 minstall install" which will copy the<br>> ipsec.ko to /lib/modules/...ipsec/ipsec.ko. And thus overwriting the
<br>> ipsec.ko generated by compiled patched kernel.<br><br>Either patch the kernel with the klips patch and use 'make config' to configure it,<br>or don't patch the kernel with the klips patch and use openswan's make module module_install,
<br>but don't use both. also, regarless of the method, you will need to patch your kernel for<br>with nat-t patch (and configure and rebuild kernel + modules).<br><br>Paul<br></blockquote></div><br>