[Openswan dev] [PATCH] Tearing down IPsec SAs doesn't work

Paul Wouters paul at xelerance.com
Wed Apr 21 16:44:58 EDT 2010 

On Wed, 21 Apr 2010, Thomas Geulig wrote:

> I'm using openswan 2.6.25 with KLIPS, NETKEY is disabled.
>
> Tearing down IPsec SAs doesn't work because in delete_ipsec_sa()
> kern_interface is still set to AUTO_PICK.
>
> If KLIPS and NETKEY_SUPPORT are not defined both in init_kernel(),
> kern_interface never gets properly set in the following switch.
> It remains set to AUTO_PICK regardless of the actual interface.

Thanks for this bug report! You are right this is a problem.

> The attached patch fixes this.

I have fixed it slightly differently in git commit fdfb59b413e (attached)
splitting up the double define. Let me know if this works for you.

Paul
-------------- next part --------------
commit fdfb59b413eec432969014762ceb847ef7e5e9a4
Author: Paul Wouters <paul at xelerance.com>
Date:   Wed Apr 21 16:39:14 2010 -0400

    Fix for protostack=auto when KLIPS or NETKEY is not compiled in.
    Reported by Thomas Geulig.

diff --git a/Makefile.inc b/Makefile.inc
index 61c31cb..ee76e94 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -293,6 +293,11 @@ USE_KLIPS?=true
 # Build support for 2.6 KLIPS/MAST variation in pluto
 USE_MAST?=true
 
+# MAST requires KLIPS
+ifeq ($(USE_MAST),true)
+USE_KLIPS=true
+endif
+
 # MAST is generally a prerequisite for SAREF support in applications
 USE_SAREF_KERNEL=false
 
diff --git a/programs/pluto/kernel.c b/programs/pluto/kernel.c
index 5bf73b5..0011f2a 100644
--- a/programs/pluto/kernel.c
+++ b/programs/pluto/kernel.c
@@ -2100,7 +2100,6 @@ init_kernel(void)
         return;
     }
 
-#if defined(KLIPS) && defined(NETKEY_SUPPORT)
     if(kern_interface == AUTO_PICK)
     {
         struct stat buf;
@@ -2111,7 +2110,7 @@ init_kernel(void)
 	    /* we don't die, we just log and go to sleep */
 	    openswan_log("Can not run with both NETKEY and KLIPS in the kernel");
 	    openswan_log("Please check your kernel configuration, or specify a stack");
-	    openswan_log("using protostack={klips,netkey}");
+	    openswan_log("using protostack={klips,netkey,mast}");
 	    exit_pluto(0);
 	}
 	
@@ -2123,20 +2122,22 @@ init_kernel(void)
 	}
         else
 #endif
+#if defined(NETKEY_SUPPORT)
 	    if (stat("/proc/net/pfkey", &buf) == 0)
 	{
 	    kern_interface = USE_NETKEY;
 	}
-	else
+# elif defined(KLIPS)
+	    if (stat("/proc/net/pf_key", &buf) == 0)
 	{
 	    kern_interface = USE_KLIPS;
 	}
-    }
 #endif
+    }
 
     switch(kern_interface) {
     case AUTO_PICK:
-	openswan_log("Kernel interface auto-pick fall-through");
+	openswan_log("Kernel interface auto-pick failed - neither KLIPS or NETKEY support detected");
 	/* FALL THROUGH */
 
 #if defined(KLIPS)

More information about the Dev mailing list