[Openswan Users] Openswan 2.1.1 on Debian

Aaron Wirtz awirtz at novapointe.com
Wed May 12 20:12:09 CEST 2004


Just wanted to drop a note to the mailing list so others don't run into the
same problem I did.

The Debian 2.4.26 kernel source (and possibly others) contains backported IPSEC
code from the 2.6 series.  Debian does provide a kernel-patch-openswan package
that can be applied to the Debian 2.4 source, but it is overridden by the 2.6
IPSEC code that is already in the Debian kernel source, so it is useless for
recent Debian kernels.

I had a little trouble compiling Linus's 2.4.26 kernel (kernel.org) with the
Openswan 2.1.1 patch, so I had to fix a few things.  Use my patch after
applying the Openswan patch, and it might build ok.

Also, I learned that Openswan does not like certificates with commas in any of
the fields, and that for Openswan, it is best to use certs with only C,ST,L,O,
and CN defined.

-Aaron

Patch to fix Linux 2.4.26 + OS 2.1.1:

diff -u3 -r linux-2.4.26/include/freeswan/ipsec_rcv.h linux-2.4.26-fixed/include/freeswan/ipsec_rcv.h
--- linux-2.4.26/include/freeswan/ipsec_rcv.h   2004-05-12 18:46:37.000000000 -0700
+++ linux-2.4.26-fixed/include/freeswan/ipsec_rcv.h     2004-05-12 17:56:39.000000000 -0700
@@ -134,8 +134,10 @@

 #ifdef CONFIG_IPSEC_DEBUG
 extern int debug_rcv;
-#endif /* CONFIG_IPSEC_DEBUG */
 #define ipsec_rcv_dmp(_x,_y, _z) if (debug_rcv && sysctl_ipsec_debug_verbose) ipsec_dmp(_x,_y,_z)
+#else /* CONFIG_IPSEC_DEBUG */
+#define ipsec_rcv_dmp(_x,_y, _z)
+#endif /* CONFIG_IPSEC_DEBUG */

 extern int sysctl_ipsec_inbound_policy_check;
 #endif /* __KERNEL__ */
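Review bot: The no-op `ipsec_rcv_dmp` added in the `#else` branch expands to nothing while the debug variant above it is a bare `if`, so a call site parses differently in the two builds; with CONFIG_IPSEC_DEBUG set, a call followed by an `else` would capture that `else`. I would give both the same statement shape: `#define ipsec_rcv_dmp(_x,_y,_z) do { if (debug_rcv && sysctl_ipsec_debug_verbose) ipsec_dmp(_x,_y,_z); } while (0)` for the debug build and `#define ipsec_rcv_dmp(_x,_y,_z) do { } while (0)` for the other. The same applies to `ipsec_xmit_dmp` in include/freeswan/ipsec_xmit.h and to both copies under include/openswan/. The empty variant never evaluates its arguments, so a comment such as `/* arguments are not evaluated when CONFIG_IPSEC_DEBUG is off */` would help. `sysctl_ipsec_debug_verbose` is not declared in this hunk, so the debug variant presumably relies on another header being included first, which is worth confirming.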
diff -u3 -r linux-2.4.26/include/freeswan/ipsec_xmit.h linux-2.4.26-fixed/include/freeswan/ipsec_xmit.h
--- linux-2.4.26/include/freeswan/ipsec_xmit.h  2004-05-12 18:46:37.000000000 -0700
+++ linux-2.4.26-fixed/include/freeswan/ipsec_xmit.h    2004-05-12 18:59:59.000000000 -0700
@@ -124,14 +124,15 @@
 extern int ipsec_xmit_trap_count;
 extern int ipsec_xmit_trap_sendcount;

+#define debug_xmit debug_tunnel
+
 #ifdef CONFIG_IPSEC_DEBUG
 extern int debug_tunnel;
 extern int sysctl_ipsec_debug_verbose;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define debug_xmit debug_tunnel
-
 #define ipsec_xmit_dmp(_x,_y, _z) if (debug_xmit && sysctl_ipsec_debug_verbose) ipsec_dmp(_x,_y,_z)
+#else /* CONFIG_IPSEC_DEBUG */
+#define ipsec_xmit_dmp(_x,_y, _z)
+#endif /* CONFIG_IPSEC_DEBUG */

 extern int sysctl_ipsec_icmp;
 extern int sysctl_ipsec_tos;
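Review bot: `#define debug_xmit debug_tunnel` now sits above `#ifdef CONFIG_IPSEC_DEBUG` and so stays defined in non-debug builds, where `extern int debug_tunnel;` is not declared. Any use of `debug_xmit` outside a CONFIG_IPSEC_DEBUG guard would then expand to an undeclared identifier, which is the same class of build failure this patch is fixing. Moving the alias into the `#ifdef` branch, directly after `extern int debug_tunnel;`, keeps the alias and its target under one condition. The copy in include/openswan/ipsec_xmit.h has the same layout.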
diff -u3 -r linux-2.4.26/include/openswan/ipsec_rcv.h linux-2.4.26-fixed/include/openswan/ipsec_rcv.h
--- linux-2.4.26/include/openswan/ipsec_rcv.h   2004-05-12 18:46:37.000000000 -0700
+++ linux-2.4.26-fixed/include/openswan/ipsec_rcv.h     2004-05-12 18:51:56.000000000 -0700
@@ -134,8 +134,10 @@

 #ifdef CONFIG_IPSEC_DEBUG
 extern int debug_rcv;
-#endif /* CONFIG_IPSEC_DEBUG */
 #define ipsec_rcv_dmp(_x,_y, _z) if (debug_rcv && sysctl_ipsec_debug_verbose) ipsec_dmp(_x,_y,_z)
+#else /* CONFIG_IPSEC_DEBUG */
+#define ipsec_rcv_dmp(_x,_y, _z)
+#endif /* CONFIG_IPSEC_DEBUG */

 extern int sysctl_ipsec_inbound_policy_check;
 #endif /* __KERNEL__ */
diff -u3 -r linux-2.4.26/include/openswan/ipsec_xmit.h linux-2.4.26-fixed/include/openswan/ipsec_xmit.h
--- linux-2.4.26/include/openswan/ipsec_xmit.h  2004-05-12 18:46:37.000000000 -0700
+++ linux-2.4.26-fixed/include/openswan/ipsec_xmit.h    2004-05-12 18:59:58.000000000 -0700
@@ -124,14 +124,15 @@
 extern int ipsec_xmit_trap_count;
 extern int ipsec_xmit_trap_sendcount;

+#define debug_xmit debug_tunnel
+
 #ifdef CONFIG_IPSEC_DEBUG
 extern int debug_tunnel;
 extern int sysctl_ipsec_debug_verbose;
-#endif /* CONFIG_IPSEC_DEBUG */
-
-#define debug_xmit debug_tunnel
-
 #define ipsec_xmit_dmp(_x,_y, _z) if (debug_xmit && sysctl_ipsec_debug_verbose) ipsec_dmp(_x,_y,_z)
+#else /* CONFIG_IPSEC_DEBUG */
+#define ipsec_xmit_dmp(_x,_y, _z)
+#endif /* CONFIG_IPSEC_DEBUG */

 extern int sysctl_ipsec_icmp;
 extern int sysctl_ipsec_tos;

