[Openswan dev] Problem with KLIPS for kernel 2.4
Rene Mayrhofer
rene.mayrhofer at gibraltar.at
Thu Jun 8 00:56:12 CEST 2006
Dear all,
There seems to be a problem with KLIPS for kernel 2.4, tested with openswan
2.4.0. Corey Satten from the University of Washington discovered that the
KLIPS ipsec.o module can only be loaded a finite number of times and then
failes to create the /proc/net/ipsec_version entry, causing _startklips to
fail. His analysis is as follows:
> And here's the final evidence:
>
> On "dv2" a (non-bridging) regular logical firewall running 2.4beta1
> (under vmware) I just ran an experiment. I ran:
>
> modprobe ipsec; a=1; while [ -f /proc/net/ipsec_version ]; do let a=a+1;
> echo $a; modprobe -r ipsec; modprobe ipsec; done
>
> and it counted to 3466 and stopped. That's very close to the number of
> ipsec restarts logged on nfstun before ipsec stopped working! :)
>
> On "dv2", trying to start ipsec now results in:
>
> dv2:/var/log# ipsec setup start
> ipsec_setup: Starting Openswan IPsec 2.4.0...
> ipsec_setup: modprobe: Can't locate module af_key
> ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or
> CONFIG_NET_KEY are set)
The problem was discovered because of the pluto crash I reported a while ago
(the "DoS after authentication" problem that pluto >= 2.3.0 causes to pluto <
2.3.0).
Can you make anything of it?
with best regards,
Rene
--
-------------------------------------------------
Gibraltar firewall http://www.gibraltar.at/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20060607/8dc694c3/attachment.bin
More information about the Dev
mailing list