[Openswan Users] Openswan compression

Rolsma, Dan B dbrolsm at sandia.gov
Fri Sep 10 09:28:43 CEST 2004


Well, based on your answer I gave the latest RHEL kernel releases a try
before changing distributions.  Compression now works.  It appears RH has
been paying attention.  I have OpenSwan 2.1.4 working just fine with RHEL
kernel 2.4.21-15.0.4.EL and 2.4.21-20.EL.  Compress would not work using
2.4.15.EL. It would also not work with any of the stock vanilla kernels.
Well, it would work but I wouldn't get an ipsec0 network device.  I had to
compile a "custom" kernel and run off that.  I also had to do a make clean
before anything else.

In summary, after installing the kernel-source (using the RedHat up2date
service):

	cd /usr/src/linux-2.4
	make clean mrproper oldconfig dep bzImage modules modules_install install
	vi /etc/grub.conf # edit to make new kernel (/vmlinuz-2.4.21-20.Elcustom) the default (default=0)
	reboot
	...
	tar zxf openswan-2.1.4.tar.gz
	cd openswan-2.1.4
	make KERNELSRC=/usr/src/linux-2.4 programs module
	make KERNELSRC=/usr/src/linux-2.4 install minstall
	vi /etc/ipsec.conf # configure the tunnel
	service ipsec start
	...

FYI - I'm tunnelling over a fraction of a T3 which typically lets me have
560 KB/sec.  Using a Dell 2650 single CPU 2.8 GHz Xeon with 512 MB RAM,
7-10% of the CPU is needed to compress and encrypt the link.  I should soon
get a larger slice of that T3, especially off hours, with some new network
equipment.  I think this system could handle the entire T3 bandwidth.  I've
seen 2 to 1 compression typically, 4 to 1 with text files.  Nothing with
compressed files, of course, but also no slowdown.  It stayed at 560 KB/sec.
This has saved $70K for a compression box from a commercial vendor.  It may
actually be $140K, since I would need another box for the other end.  I
didn't stop to ask if that was for one box or two.  The $70K quote knocked
my socks off as it was.  Anyway, OpenSwan is working very nicely.  Nice
product.

Dan.

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, September 01, 2004 3:06 PM
To: Rolsma, Dan B
Cc: 'users at openswan.org'
Subject: Re: [Openswan Users] Openswan compression


On Sat, 28 Aug 2004, Rolsma, Dan B wrote:

> 
> When I use compression I get this error:
>
> # ipsec auto --up alice-albuquerque
> 003 "alice-albuquerque" #3: ERROR: netlink_get_spi for comp.0 at xxx.xxx.xxx.xxx failed with errno 22: Invalid argument
>
> I'm running Openswan 2.1.4 and RedHat WS3 Update2.  It comes with 
> kernel 2.4.21-15.Elsmp.  I also compiled a kernel booting off of it, 
> but with the same results.

> If I delete the line with "compress=yes", or make it "compress=no", 
> the link works.

This is a problem of the RHEL kernels. They contain some backported IPsec
code of the 2.6 kernel, but they have not been kept up to date with the
latest 2.6.8.1 fixes for IPsec. RHEL is meant as a stable reliable platform.
Unfortunately they didn't add KLIPS, and now the IPsec development on 2.6 is
going too fast for them to keep updating their stable RHEL kernels.

RHEL kernels are just a bad choice if you want to do IPsec.

Paul


