[Openswan dev] ip_hdr discrepancies

Sybille Ebert sybille.ebert at gmx.net
Fri Dec 19 18:23:07 EST 2008

>> I have compiled OpenSwan 2.6.19 on CentOS 5.2 kernel 2.6.18-92.1.22.el5.
>> In order to make it work, I had to comment out the following in
>> ipsec_kversion.h:
>> #if !(defined(CONFIG_SLE_VERSION) && defined(CONFIG_SLE_SP) &&
>> # define ip_hdr(skb) ((skb)->nh.iph)
>> #endif
>> (Note COINFIG instead of CONFIG. Redhat backport-avoiding #if above this
>> works fine, though.)
> Yeah, that was fixed and you can see it in openswan 2.6.20rc1

Yes, it compiles now.

>> The packet's destination is within rightsubnet. Eliminating any other
>> causes (routing, firewalling, NAT, setups), I am suspecting that this
>> could be due to conflict in ip_hdr definition. RedHat clearly uses a
>> different ip_hdr:
>> In include/linux/ip.h:
>> static inline struct iphdr *ip_hdr(const struct sk_buff *skb) {
>> 	return (struct iphdr *)skb_network_header(skb);
>> }
>> In include/linux/skbuff.h:
>> static inline unsigned char *skb_network_header(const struct sk_buff *skb) {
>> 	return skb->nh.raw;
>> }
>> Any advice?
> Please try 2.6.20rc1 (it's in openswan/testing on the ftp site)

Now the "shunt SA of DROP or no eroute" is gone, but I get:

klips_debug:ipsec_xmit_send: ip_route_output failed with error code -22,

As with 2.6.19, I can establish a SA, ping appears on ipsec0, but there
is still no ESP traffic. I've checked my routing at least a dozen times.

If I change to protostack=netkey, it works.

Could this be related to

I am attaching my ipsec barf. Please feel free to move this discussion
to the users list.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: barf.bz2
Type: application/octet-stream
Size: 139330 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/dev/attachments/20081220/23eafddc/attachment-0001.obj 
