[Openswan dev] problems with 2.4.10

Paul Wouters paul at xelerance.com
Wed Dec 5 14:08:17 EST 2007

On Wed, 5 Dec 2007, Laszlo Attila Toth wrote:

> 1)
> There are scripts in packaging/utils started by '#!/bin/sh'
> however they are using the "source" command which doesn't exist in sh, only in
> bash, also the scripts should be started with "#!/bin/bash" or
> use dot (.) instead of source.
> for instance in:
> packaging/utils/kernelpatch

I will fix these.

> 2) KLIPS should be depend on NF_CONNTRACK but it isn't. Without it (kernel
> 2.6.22, ubuntu gutsy):

That is fixed in 2.4.11, released yesterday.

> 3) natt or klips patch doesn't contains include/net/xfrmudp.h
> (the klips patch is made by make kpatch)

The include file comes from the nat-t patch. If you want KLIPS with
NAT-T you have to apply the NAT-T patch. Are you saying you compiled
without NAT-T support and still got this error?

> 4) The natt patch can't be applied properly (some parts of net/ipv4/udp.c is
> rejected). It is attached (as an stgit patch).

Against which kernel? AFAIK, it works against vanilla 2.6.22.

> 5) undeclared variables
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c: In function
> 'ipsec_xmit_encap_bundle':
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1343: error: 'ixt_e'
> undeclared (first use in this function)
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1343: error: (Each
> undeclared identifier is reported only once
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1343: error: for each
> function it appears in.)
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1345: error: 'blocksize'
> undeclared (first use in this function)
> /home/panther/src/kernel-2.6.x/net/ipsec/ipsec_xmit.c:1354: error: 'ixt_a'
> undeclared (first use in this function)
> This is because CONFIG_KLIPS_ALG is unset, but CONFIG_KLIPS_ESP is set.

Are you building using openswan's "make module", or a kernel build after
running make kpatch? We define CONFIG_KLIPS_ALG in KLIPSCOMPILE in Makefile.inc

> I found:
> ./net/ipsec/Kconfig:130:# remove all of CONFIG_KLIPS_ALG
> Why this define is used if it is unused? It quite confusing.

Michael removed some of these at some point because KLIPS depended
on CONFIG_KLIPS_ALG anyway. But to better support the OCF patch, some
of that code again needed to be coditional for the OCF code. Since for
2.4.x, the OCF code is a seperate patch, that might not be obvious when
you look at it from just the openswan source code point of view. In
openswan 2.5/3.x the OCF code has been integrated.

> Please remove from ipsec_xmit_encap_bundle(), and so on, here is the list.
> Which one is required and which is pontless?
> net/ipsec/pfkey_v2_ext_process.c:146:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_init.c:245:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_sa.c:1020:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_sa.c:1046:#if defined CONFIG_KLIPS_ALG
> net/ipsec/ipsec_sa.c:1271:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_proc.c:119:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_proc.c:863:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_esp.c:156:#ifdef CONFIG_KLIPS_ALG
> net/ipsec/ipsec_esp.c:216:#ifdef CONFIG_KLIPS_A

I think what is needed is a way to define CONFIG_KLIPS_ALG per default,
even when not building within he openswan source tree. I'll look at
fixing this.

> I tried 2.4.11 but it is also buggy, I couldn't compile it.

You mean the same issues? Or other issues? If other issues, please
give us more information so we can address them.

Building and integrating Virtual Private Networks with Openswan:

More information about the Dev mailing list