[Openswan dev] Problem with KLIPS for kernel 2.4

Rene Mayrhofer rene.mayrhofer at gibraltar.at
Thu Jun 8 00:56:12 CEST 2006


Dear all,

There seems to be a problem with KLIPS for kernel 2.4, tested with openswan 
2.4.0.  Corey Satten from the University of Washington discovered that the 
KLIPS ipsec.o module can only be loaded a finite number of times and then 
fails to create the /proc/net/ipsec_version entry, causing _startklips to 
fail. His analysis is as follows:

> And here's the final evidence:
>
> On "dv2" a (non-bridging) regular logical firewall running 2.4beta1
> (under vmware) I just ran an experiment.  I ran:
>
> modprobe ipsec; a=1; while [ -f /proc/net/ipsec_version ]; do let a=a+1;
> echo $a; modprobe -r ipsec; modprobe ipsec; done
>
> and it counted to 3466 and stopped.  That's very close to the number of
> ipsec restarts logged on nfstun before ipsec stopped working! :)
>
> On "dv2", trying to start ipsec now results in:
>
> dv2:/var/log# ipsec setup start
> ipsec_setup: Starting Openswan IPsec 2.4.0...
> ipsec_setup: modprobe: Can't locate module af_key
> ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or
> CONFIG_NET_KEY are set)

The problem was discovered because of the pluto crash I reported a while ago 
(the "DoS after authentication" problem that pluto >= 2.3.0 causes to pluto < 
2.3.0). 

Can you make anything of it?

with best regards,
Rene

-- 
-------------------------------------------------
Gibraltar firewall       http://www.gibraltar.at/