[Openswan dev] 2.4.7 klips on 2.6 currently requires >= 2.6.18

Paul Wouters paul at xelerance.com
Sat Nov 25 22:13:16 EST 2006

On Sun, 26 Nov 2006, Axel Thimm wrote:

> >     Axel> While building on 2.6.18 kernels is OK, for 2.6.17 (and
> >     Axel> probably earlier kernels therefore) it bails out with
> >
> >   Is this a virgin kernel, or a redhat one?
> It's a Red Hat one.

Yes. And it is RedHat that is causing the problems here.

RedHat adds functionality in their kernel before it merges into Linus'
kernel. As a result, API changes (e.g. to skb_linearize in this case)
appear in "2.6.17" in redhat's tree, while they only appear in the
official linus tree on 2.6.18. We have #ifdef's for these API changes
in linux/include/ipsec_kversion.h, but we do not know how to detect
that the kernel we are compiling for is a "-1" redhat kernel. We have a
choice of either breaking it for redhat, or for everyone else. And
since redhat creates this problem, and they're smaller than everyone
else combined, we decided to break it for them.

I don't know what the proper way to permanently fix these issues is.
For now, you'll have to tweak ipsec_kversion.h and lower certain
checks for the latest kernel release by 1 version number. (for older
checks, the "off by one" no longer bites you)

If you are rebuilding openswan packages for KLIPS, you will also need
to apply the nat-t patch to the kernel, generated by 'make natt-patch'
of openswan, or as a separate source file from the ftp server. We had
one report of the ftp conntrack helping module failing when this patch
was applied.

Openswan-2.4.7 adds support for fedora style "new host key".

Note that I have various bugzilla items open against openswan in fedora,
the most important part being the incorrect call to generate a new host
key which causes rpm/yum/anaconda to hang indefinitely when installing
the package on machines with not enough random. Currently, Xen's random is
broken and installing fedora through virt-install and including redhat's
openswan package will cause indefinite hangs.
