<br><font size=2 face="sans-serif">Hi Guys,</font>
<br>
<br><font size=2 face="sans-serif">I recently upgraded from a 2.4 kernel
to a 2.6 kernel in moving from FC1 to CentOS 5 (yeah, I know, it has been
a long time coming).</font>
<br>
<br><font size=2 face="sans-serif">Anyway, I worked out how to get KLIPS
compiled for CentOS 5 using the instructions in the wiki.</font>
<br>
<br><font size=2 face="sans-serif">I was having trouble setting up
KLIPS to use the VLAN interface I use for the uplink. As the firewalling
and configuration were basically unchanged from the original working system,
I was confused.</font>
<br>
<br><font size=2 face="sans-serif">Symptoms:</font>
<br>
<br><font size=2 face="sans-serif">1) the TX error counter on interface ipsec0
was incrementing when looking at ifconfig</font>
<br><font size=2 face="sans-serif">2) packets were going out the VLAN interface
(in this case eth1.101) unencrypted</font>
<br><font size=2 face="sans-serif">3) when they were forced into the ipsec0
interface correctly, as seen in tcpdump, they disappeared (manually routing
packets)</font>
<br><font size=2 face="sans-serif">4) turning on KLIPS debugging caused
a kernel oops.</font>
<br>
<br><font size=2 face="sans-serif">Solution:</font>
<br>
<br><font size=2 face="sans-serif">Looking around, I found the following
patch on the dev site:</font>
<br><font size=2 face="sans-serif">http://lists.openswan.org/pipermail/dev/2007-May/001580.html</font>
<br>
<br><font size=2 face="sans-serif">which was not applied to the current
distro openswan-2.4.11 (May 2007, so it was probably OK for 2.4.7, I suppose).
I did work out what needed to be changed from the patch files attached
to the above message; however, it seems 2.4.11 has moved on a fair bit since
then, so I had to wing it.</font>
<br>
<br><font size=2 face="sans-serif">Attached is the patch that I carried
out on ipsec_tunnel.c. If it is correct, then can it be applied to the
distro for all to enjoy? Was there a reason that it wasn't?</font>
<br>
<br><font size=2 face="sans-serif">(Please feel free to flame me if I should
be putting this to the dev group; I am happy to be corrected. However, some
people not on the dev list might be interested, as I was.)</font>
<br>
<br>
<br>
<br><font size=2 face="sans-serif">I think I have changed the correct areas;
however, I have made one more change than was on the original post. In particular,
I am not sure about the following change:</font>
<br>
<br><font size=2 face="sans-serif"><snip></font>
<br><font size=2 face="sans-serif">@@ -588,14 +589,14 @@</font>
<br><font size=2 face="sans-serif">
ixs->pass ? 0 : ip_hdr(ixs->skb)->saddr,</font>
<br><font size=2 face="sans-serif">
RT_TOS(ip_hdr(ixs->skb)->tos),</font>
<br><font size=2 face="sans-serif">
/* mcr->rgb: should this be 0 instead? */</font>
<br><font size=2 face="sans-serif">-
ixs->physdev->iflink)))
{</font>
<br><font size=2 face="sans-serif">+
/*ixs->physdev->iflink)))
{*/</font>
<br><font size=2 face="sans-serif">+
ixs->physdev->ifindex)))
{</font>
<br><font size=2 face="sans-serif"> #endif</font>
<br><font size=2 face="sans-serif"><snip></font>
<br>
<br><font size=2 face="sans-serif">because it only occurs under certain
circumstances and it was not mentioned in the original post.</font>
<br><font size=2 face="sans-serif"><br>
</font>
<br><font size=2 face="sans-serif">cheers</font>
<br>
<br><font size=2 face="sans-serif">Craig</font>
<br>
<br><font size=2 face="sans-serif">PS: e-mail text version of the patch below</font>
<br>
<br>
<br><font size=2 face="sans-serif">--- ../openswan/openswan-2.4.11/linux/net/ipsec/ipsec_tunnel.c
2007-09-19 04:26:18.000000000 +1000</font>
<br><font size=2 face="sans-serif">+++ linux/net/ipsec/ipsec_tunnel.c
2008-02-03 23:34:55.000000000 +1100</font>
<br><font size=2 face="sans-serif">@@ -575,7 +575,8 @@</font>
<br><font size=2 face="sans-serif"> ixs->skb->dev
= ixs->physdev;</font>
<br><font size=2 face="sans-serif"> #ifdef NETDEV_25</font>
<br><font size=2 face="sans-serif"> memset
(&fl, 0x0, sizeof (struct flowi));</font>
<br><font size=2 face="sans-serif">- fl.oif
= ixs->physdev->iflink;</font>
<br><font size=2 face="sans-serif">+ /*fl.oif
= ixs->physdev->iflink;*/</font>
<br><font size=2 face="sans-serif">+ fl.oif
= ixs->physdev->ifindex;</font>
<br><font size=2 face="sans-serif"> fl.nl_u.ip4_u.daddr
= ip_hdr(ixs->skb)->daddr;</font>
<br><font size=2 face="sans-serif"> fl.nl_u.ip4_u.saddr
= ixs->pass ? 0 : ip_hdr(ixs->skb)->saddr;</font>
<br><font size=2 face="sans-serif"> fl.nl_u.ip4_u.tos
= RT_TOS(ip_hdr(ixs->skb)->tos);</font>
<br><font size=2 face="sans-serif">@@ -588,14 +589,14 @@</font>
<br><font size=2 face="sans-serif">
ixs->pass ? 0 : ip_hdr(ixs->skb)->saddr,</font>
<br><font size=2 face="sans-serif">
RT_TOS(ip_hdr(ixs->skb)->tos),</font>
<br><font size=2 face="sans-serif">
/* mcr->rgb: should this be 0 instead? */</font>
<br><font size=2 face="sans-serif">-
ixs->physdev->iflink)))
{</font>
<br><font size=2 face="sans-serif">+
/*ixs->physdev->iflink)))
{*/</font>
<br><font size=2 face="sans-serif">+
ixs->physdev->ifindex)))
{</font>
<br><font size=2 face="sans-serif"> #endif</font>
<br><font size=2 face="sans-serif">
ixs->stats->tx_errors++;</font>
<br><font size=2 face="sans-serif">
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,</font>
<br><font size=2 face="sans-serif">
"klips_debug:ipsec_xmit_send: "</font>
<br><font size=2 face="sans-serif">-
"ip_route_output failed with error code %d, rt->u.dst.dev=%s,
dropped\n",</font>
<br><font size=2 face="sans-serif">-
ixs->error,</font>
<br><font size=2 face="sans-serif">-
ixs->route->u.dst.dev->name);</font>
<br><font size=2 face="sans-serif">+
"ip_route_output
failed with error code %d, dropped\n",</font>
<br><font size=2 face="sans-serif">+
ixs->error);</font>
<br><font size=2 face="sans-serif">
return IPSEC_XMIT_ROUTEERR;</font>
<br><font size=2 face="sans-serif"> }</font>
<br><font size=2 face="sans-serif"> if(ixs->dev
== ixs->route->u.dst.dev) {</font>
<br>
<br><font size=2 face="sans-serif"><br>
</font>
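<br><font size=2 face="sans-serif">An added diagnostic, not part of Craig's post or of the Openswan tree: a small POSIX shell script that lists the interfaces whose iflink differs from their own ifindex. On Linux, /sys/class/net/&lt;dev&gt;/iflink holds the index of the lower device a stacked interface sits on (for a VLAN such as eth1.101 that is the parent NIC), while /sys/class/net/&lt;dev&gt;/ifindex is the device's own index, so the two only differ for stacked devices; which of those two values KLIPS hands to the route lookup is exactly what the patch above changes, so this is the first thing to check when tunnel traffic leaves a VLAN uplink in the clear. The sysfs-like tree the script builds under a temporary directory is constructed for the example; on a live box run list_stacked /sys instead.</font>

```shell
#!/bin/sh
# Added diagnostic (not from the original post): report network devices whose
# iflink (index of the lower device) differs from their own ifindex, i.e.
# stacked devices such as VLANs, where routing by iflink picks the parent.

# list_stacked SYSROOT: for each device under SYSROOT/class/net whose iflink
# differs from its ifindex, print "name ifindex=N iflink=M lower=NAME".
list_stacked() {
    root="${1:-/sys}"
    for d in "$root"/class/net/*; do
        [ -r "$d/ifindex" ] && [ -r "$d/iflink" ] || continue
        name=$(basename "$d")
        idx=$(cat "$d/ifindex")
        link=$(cat "$d/iflink")
        [ "$idx" != "$link" ] || continue
        # Resolve the lower device's name by finding the device whose
        # ifindex equals this device's iflink.
        lower="?"
        for e in "$root"/class/net/*; do
            [ -r "$e/ifindex" ] && [ "$(cat "$e/ifindex")" = "$link" ] && lower=$(basename "$e")
        done
        printf '%s ifindex=%s iflink=%s lower=%s\n' "$name" "$idx" "$link" "$lower"
    done
    return 0
}

# make_sample DIR: build a constructed sysfs-like tree for offline use:
# lo (index 1), eth1 (index 3) and VLAN eth1.101 (index 5, iflink 3).
make_sample() {
    for spec in "lo:1:1" "eth1:3:3" "eth1.101:5:3"; do
        name=${spec%%:*}
        rest=${spec#*:}
        idx=${rest%%:*}
        link=${rest#*:}
        mkdir -p "$1/class/net/$name"
        echo "$idx" > "$1/class/net/$name/ifindex"
        echo "$link" > "$1/class/net/$name/iflink"
    done
    return 0
}

# Demonstration against the constructed tree; use 'list_stacked /sys' live.
tmp=$(mktemp -d)
make_sample "$tmp"
list_stacked "$tmp"
rm -rf "$tmp"
```

<br><font size=2 face="sans-serif">On the constructed tree only eth1.101 is reported, with lower=eth1; a device whose ifindex and iflink are equal (eth1, lo) is silent, which is the case where the old iflink code happened to work and why the problem only shows up once the uplink is a VLAN.</font>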