<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:arial, helvetica, sans-serif;font-size:10pt"><P>Hi Mike,</P>
<P> </P>
<P>I already made some digging and found out that I can not use ipsec interfaces with netkey.</P>
<P>Fortunately, I was able to get things going and the tunnel works fine even without klips. For the moment I think this is enough but I will try klips too as soon as I'll have the chance.</P>
<P>Thank you for you explanation and for the tip regarding the ipsec bug affecting 2.6.25.5 kernels.</P>
<P> </P>
<P>Best regards all of you !</P>
<P><BR>Chris<BR></P>
<DIV style="FONT-SIZE: 10pt; FONT-FAMILY: arial, helvetica, sans-serif"><BR>
<DIV style="FONT-SIZE: 13px; FONT-FAMILY: arial, helvetica, sans-serif">----- Original Message ----<BR>From: Michael H. Warfield <mhw@WittsEnd.com><BR>To: Chris The One and Only <chrisgchrisg@yahoo.com><BR>Cc: mhw@WittsEnd.com; users@lists.openswan.org<BR>Sent: Friday, October 10, 2008 7:44:51 PM<BR>Subject: Re: [Openswan Users] Openswan 2.6.18 on a Linux 2.6 kernel<BR><BR>On Wed, 2008-10-08 at 08:01 -0700, Chris The One and Only wrote:<BR>> Hi,<BR><BR>> I tried configuring a ipsec tunnel, specifying the output interface<BR>> like the examples I found on the internet:<BR><BR>> interfaces="ipsec0=eth0:1"<BR><BR>> but it seems that something is wrong.<BR>> When running "ipsec setup start" it states the the interface is not<BR>> understood:<BR><BR>> ipsec_setup: Starting Openswan IPsec U2.6.18/K2.6.25.3 ...<BR>> ipsec_setup: interface `ipsec0=eth0:1' not understood<BR><BR>> I tried with
eth0 only (without the subinterface :10), even with eth1,<BR>> but still the same result.<BR>> Of course I could start it using:<BR>> interfaces=%defaultroute<BR>> but I don't want to do it that way, as I need to use another interface<BR>> as tunnel start.<BR><BR>> Does anybody know what is wrong?<BR><BR> You don't say what distribution you are using but I can take a wild<BR>guess from the "2.6.25.3" kernel you are probably on Fedora 8 or Fedora<BR>9 or something very similar and have not recently updated. A fresh<BR>install of Fedora 9 will give you that.<BR><BR> Just a warning for everyone else on Fedora 8 and Fedora 9, there is a<BR>serious bug in the 2.6.26.5 kernel (current released update for both)<BR>which will cause the entire system to hang at random if you use IPsec!<BR>It seems to be fixed in 2.6.26.6 (there were two IPSec related fixes in<BR>2.6.26.6) and,
presumably, 2.6.27.<BR><BR> As to your problem... You are probably using the native netkey stack<BR>instead of the klips stack in the kernel (this would be the default for<BR>Fedora). You don't get the ipsec* interfaces under netkey. If you need<BR>them for some overpowering reason, you'll have to switch to using the<BR>klips stack in the kernel.<BR><BR> I can sympathize with you. Without the ipsec interfaces, I can't get<BR>proxy arp to work for my tunnels and OSPF dynamic routing is iffy at<BR>best and advertises the wrong routes (but BGP is fine, which is really<BR>strange) because the kernel doesn't recognize those routes as distinct<BR>forwarding. I've just figured out other ways around the problem (use<BR>BGP to advertise routes to my other OSPF routers in the zone and let<BR>them carry the routes into OSPF). I'm not inclined to go back to the<BR>klips stack, even with the
limitations of the netkey stack.<BR><BR>> Thank you.<BR><BR>> Chris<BR><BR> Mike<BR>-- <BR>Michael H. Warfield (AI4NB) | (770) 985-6132 | <A href="mailto:mhw@WittsEnd.com" ymailto="mailto:mhw@WittsEnd.com">mhw@WittsEnd.com</A><BR> /\/\|=mhw=|\/\/ | (678) 463-0932 | <A href="http://www.wittsend.com/mhw/" target=_blank>http://www.wittsend.com/mhw/</A><BR> NIC whois: MHW9 | An optimist believes we live in the best of all<BR>PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!<BR><BR></DIV></DIV></div><br>
</body></html>