[Openswan dev] 2.4.7 klips on 2.6 currently requires >= 2.6.18

Paul Wouters paul at xelerance.com
Sun Nov 26 13:36:54 EST 2006


On Sun, 26 Nov 2006, Axel Thimm wrote:

> I fully agree that the default behaviour should be matching the
> vanilla kernel. What Red Hat/Fedora users and perhaps other distros
> with extra API-breaking^Wchanging patches would need is some
> documentation (in the wiki perhaps?) of how to manually tune the build
> to match such a mixed kernel.

I think we need to build in some extra logic in ipsec_kversion.h, but
the most elegant way of doing that is to have some C method of
recognising a redhat kernel build automatically.

> > If you are rebuilding openswan packages for KLIPS, you will also need
> > to apply the nat-t patch to the kernel,
>
> I thought that the natt patch was there from kernel 2.6.6 onwards or
> did I misunderstand what I read (it was in the openswan wiki)?

No. For now you will need to apply the nat-t patch. Work is being done
to merge KLIPS and NETKEY into one stack, at which point this will no
longer be needed. You can look at this work in the unstable openswan
tree (aka 3.0.x).

> > generated by 'make natt-patch' or openswan, or as separate source
> > file from the ftp server. We had one report of the ftp conntrack
> > helping module failing when this patch was applied.
>
> I could add the patch to ATrpms' supplied Fedora kernel & add-ons (as
> I was doing at kernel 2.4 times). It mainly harbors swsusp2 patches
> currently.

please do. Most people need nat-t because they connect from behind NAT
wifi routers. Without it, openswan is next to useless. And in your own
described laptop case, you will need it yourself as well.

> > Openswan-2.4.7 adds support for fedora style "new host key".
> >
> > Note that I have various bugzilla items open against openswan in fedora,
> > the most important part being the incorrect call to generate a new host
> > key which causes rpm/yum/anaconda to hang indefinitely when installing
> > the package on machines with not enough random. Currently, Xen's random is
> > broken and installing fedora through virt-install and including redhat's
> > openswan package will cause indefinite hangs.
>
> What's the proper call? I'd like to get proper packages out
> there. That would help anaconda installs in xen, although FC6 has the
> ability to add repos during the install, e.g. never to try to install
> the buggy version.

The proper call is to do nothing in the init scripts. E.g. rip out the newhostkey
generation from the spec file. openswan will detect there is no default
RSA key when it starts, and then create one *in the background*.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
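The deferral Paul describes above (never block a package scriptlet or init script on host-key generation; check for a key and, if none exists, generate it in the background) as an added shell example that is not Openswan's own init script. The secrets-file path and the generator command are parameters here; on a real system the generator would be Openswan's `ipsec newhostkey`, which is the call that can stall waiting for entropy.

```sh
#!/bin/sh
# Added example, not Openswan's code: defer host-key generation instead of
# blocking the caller (rpm %post, anaconda, an init script) on /dev/random.
#
# ensure_hostkey SECRETS_FILE GENERATOR_CMD
#   - returns at once if SECRETS_FILE already holds an RSA key entry
#   - otherwise starts GENERATOR_CMD in the background, appending its
#     output to SECRETS_FILE, and returns without waiting for it
# GENERATOR_CMD is an assumption for this example; in Openswan it would be
# "ipsec newhostkey", whose output is in ipsec.secrets ": RSA { ... }" form.
ensure_hostkey() {
    secrets="$1"
    generator="$2"
    if [ -f "$secrets" ] && grep -q ': RSA' "$secrets"; then
        echo "host key already present in $secrets"
        return 0
    fi
    # Background the possibly slow generation so the caller never hangs,
    # even on a guest (e.g. Xen) whose random pool fills very slowly.
    ( $generator >> "$secrets" 2>/dev/null ) &
    echo "host key generation started in background (pid $!)"
    return 0
}
```

When run as the package scriptlet, the caller exits immediately and the key appears in the secrets file once the generator finishes.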

