<html>
<head>
<style>
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
FONT-SIZE: 10pt;
FONT-FAMILY:Tahoma
}
</style>
</head>
<body class='hmmessage'>
Paul wrote:<br>> <br>> > In my case, I found that after applying the patch, but before recompiling my kernel, I had to patch the patch as follows.<br>> > Based on comments I read in the source prologues, I think that the various blocks of<br>> > #ifdef CONFIG_KLIPS_ALG<br>> > ,,,<br>> > #endif<br>> > in several c files in /net/ipsec<br>> > should all be unconditionalised, i.e. remove those macro lines, but I found it easier simply to turn the macro on always.<br>> <br>> That setting was changed in Makefile.inc:<br>> <br>> ~> grep CONFIG_KLIPS_ALG Makefile.inc<br>> KLIPSCOMPILE=-O3 -DCONFIG_KLIPS_ALG<br>> <br>> Are you overriding the KLIPSCOMPILE setting? Or did you copy in an older Makefile.inc?<br><br>No I did not, but I did notice something strange, which explains how CONFIG_KLIPS_ALG=y was lost.<br>After patching the kernel, I then ran make xconfig. I had saved the .config from after patch and before make xconfig<br>and just now compared that with the post-make-xconfig .config - and there are numerous diffs: e.g. a sample:<br>(and note - CONFIG_KLIPS_ALG=y is present as shown below)<br><br>pre-make-xconfig has (for KLIPS section)<br> <br> #<br> # RCSID $Id: defconfig,v 1.28.2.1 2006-10-11 18:14:33 paul Exp $<br> #<br> <br> #<br> # FreeS/WAN IPSec implementation, KLIPS kernel config defaults<br> #<br> <br> #<br> # First, lets override stuff already set or not in the kernel config.<br> #<br> # We can't even think about leaving this off...<br> CONFIG_INET=y<br> <br> #<br> # This must be on for subnet protection.<br> CONFIG_IP_FORWARD=y<br> <br> # Shut off IPSEC masquerading if it has been enabled, since it will <br> # break the compile. IPPROTO_ESP and IPPROTO_AH were included in <br> # net/ipv4/ip_masq.c when they should have gone into include/linux/in.h.<br> CONFIG_IP_MASQUERADE_IPSEC=n<br> <br> #<br> # Next, lets set the recommended FreeS/WAN configuration.<br> #<br> <br> # To config as static (preferred), 'y'. 
To config as module, 'm'.<br> CONFIG_KLIPS=m<br> <br> # To do tunnel mode IPSec, this must be enabled.<br> CONFIG_KLIPS_IPIP=y<br> <br> # To enable authentication, say 'y'. (Highly recommended)<br> CONFIG_KLIPS_AH=y<br> <br> # Authentication algorithm(s):<br> CONFIG_KLIPS_AUTH_HMAC_MD5=y<br> CONFIG_KLIPS_AUTH_HMAC_SHA1=y<br> <br> # To enable encryption, say 'y'. (Highly recommended)<br> CONFIG_KLIPS_ESP=y<br> <br> # modular algo extensions (and new ALGOs)<br> CONFIG_KLIPS_ALG=y<br><br> [ ... more stuff ...]<br> [... then some comment lines concerning openswan revisions ...]<br><br>but, in the post-make-config, all that was replaced with just this :<br> CONFIG_KLIPS=y<br> <br> #<br> # KLIPS options<br> #<br> CONFIG_KLIPS_ESP=y<br> CONFIG_KLIPS_AH=y<br> CONFIG_KLIPS_AUTH_HMAC_MD5=y<br> CONFIG_KLIPS_AUTH_HMAC_SHA1=y<br> # CONFIG_KLIPS_ENC_CRYPTOAPI is not set<br> CONFIG_KLIPS_ENC_3DES=y<br> CONFIG_KLIPS_ENC_AES=y<br> # CONFIG_KLIPS_ENC_NULL is not set<br> CONFIG_KLIPS_IPCOMP=y<br> CONFIG_KLIPS_DEBUG=y<br><br>(and note - CONFIG_KLIPS_ALG=y is now gone! along with others)<br>
<br>In my make xconfig session, all I did was change the CONFIG_KLIPS from m to y - nothing else.<br><br>It seems to me that whatever additions openswan patch makes to the kernel .config should (well, MUST) somehow survive a make ???config of the .config,<br>provided the user does not actually turn the KLIPS option off. This seems like a bug to me, but whether in openswan patch method or in<br>kernel make ???config I don't know. Or did I do something wrong?<br><br>Anyway, with the post-make-xconfig .config, this KLIPS failed, on both kernel 2.6.22.6 and 2.6.23.1 0<br> . It hung during connect on 2.6.22.6.<br> . It actually created a connection on 2.6.23.1, but soon after I tried to log in through the tunnel in an xterm, that hung<br><br>At some point in the future, I will try rebuilding the kernel with the post-patch .config (I will manually edit the .config to change KLIPS from m to y<br>as I've found in past kernels that it is essential for it to work with my vpn application) and see if it then works<br><br><br>Meanwhile, I have two other questions:<br><br>. CONFIG_KLIPS_AH<br> in post-patch, it says "Highly recommended"<br> in post-make-xconfig, says don't turn this on.<br>Any comment on that?<br><br>CONFIG_KLIPS_DEBUG<br>where would I see the debug output? I don't see any but where should I look.<br>Note I do set in /etc/syslog.conf<br>*.debug /var/log/debugmsgs<br><br><br>Cheers, John<br></body>
</html>