[Openswan Users]

panos panos at kamaradata.com
Mon Feb 28 17:48:39 CET 2005


>> What is NETKEY?...

>CONFIG_NETKEY is the option for the included IPsec stack in 2.6.
>CONFIG_KLIPS is the option for the openswan IPsec stack for 2.4 and 2.6

Thanks for your help, I see it in the .config of the kernel.

I have loaded the rpms for 2.3.0 and klips for FC3 from the openswan
web site.

I also got hold of a 2.6.9-1.724_FC3 kernel.

When I start openswan I get ... Linux Openswan U2.3.0/K2.6.9-1.724_FC3 (netkey)
How do I prevent the "netkey" module from being loaded at boot time?

This may also be why I get ipsec_setup: insmod: can't read 'ipsec': No
such file or directory

I did get the correct kernel, 2.6.9-1.724_FC3, for which the
openswan-klips-2.3.0-2.6.9_1.724_FC3_1.i386.rpm was built.


Below are the messages I get when I do a service ipsec start.

I am trying to get klips to load instead of netkey with the hope I will
not get "no IPsec-enabled interfaces found"

I know I should be using automatic keying, but our VPN server on the other
side is not a Linux box but a SonicWall, and it only interops with
manual keying.

==========================================================================

ipsec_setup: insmod: can't read 'ipsec': No such file or directory
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ah4.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/esp4.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/ipcomp.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/crypto/des.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/arch/i386/crypto/aes-i586.ko
ipsec_setup: ipsec manual: fatal error in "kirk-manual": no IPsec-enabled interfaces found
Linux Openswan U2.3.0/K2.6.9-1.724_FC3 (netkey)


> What is NETKEY?...

CONFIG_NETKEY is the option for the included IPsec stack in 2.6.
CONFIG_KLIPS is the option for the openswan IPsec stack for 2.4 and 2.6

Paul

> -----Original Message-----
> From: Marcus Leech [mailto:mleech at nortel.com] 
> Sent: Monday, February 28, 2005 10:14 AM
> To: Paul Wouters
> Cc: panos; users at openswan.org
> Subject: Re: [Openswan Users]
> 
> I'm using FC3 with 2.6.10-1.766 kernel.  I couldn't get KLIPS to work
>   beyond the most superficial definition of "work".  I had to revert to
>   NETKEY, which has its own problems--like you can only do one
>   cycle of connection up/down, between restarts of OpenSwan. [The EAGAIN
>   problem we were discussing].
> 
> Paul Wouters wrote:
> 
> > On Mon, 28 Feb 2005, panos wrote:
> >
> >> Basically I am trying to set up a simple tunnel in manual mode. This
> >> worked on 2.4 kernel (RH9) and openswan-2.2.0.  I am now trying the same
> >> config under FC3 openswan-2.3.0 and it's not working.
> >
> >
> > Manual keying is very likely broken with Openswan when using NETKEY. The
> > most sensible thing is not to use manual keying, but automatic keying. If
> > you really insist on manual keying despite the strong recommendation to
> > switch, try using KLIPS instead of NETKEY.
> >
> > Paul
> 
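
Added example, not part of the original message or of Openswan: a POSIX shell script that reads ipsec_setup output like that shown above and reports which stack the banner names, whether the 'ipsec' module failed to load, and whether a file named ipsec.ko exists for the banner's kernel release. It assumes the 'ipsec' module in the insmod error is the KLIPS module; the function names and the optional root-directory argument are hypothetical, and the embedded log is a constructed sample taken from the message's own output, unwrapped and shortened.

```shell
#!/bin/sh
# Constructed sample: selected lines of the start-up output quoted in the message.
sample_log() {
cat <<'EOF'
ipsec_setup: insmod: can't read 'ipsec': No such file or directory
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/esp4.ko
ipsec_setup: insmod /lib/modules/2.6.9-1.724_FC3/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: ipsec manual: fatal error in "kirk-manual": no IPsec-enabled interfaces found
Linux Openswan U2.3.0/K2.6.9-1.724_FC3 (netkey)
EOF
}

# Read ipsec_setup output on stdin and print one summary line.
diagnose_ipsec_log() {
    awk '
    # Assumption: the module called ipsec is the KLIPS kernel module.
    /insmod: can.t read .ipsec./ { klips_missing = 1 }
    # Modules of the in-kernel (NETKEY) stack that were loaded instead.
    /insmod .*\/(af_key|ah4|esp4|xfrm4_tunnel)\.ko/ { netkey_mods++ }
    /no IPsec-enabled interfaces found/ { no_if = 1 }
    # Banner format as on the page: U<userland>/K<kernel> (<stack>)
    /^Linux Openswan / {
        if (match($0, /\([a-z]+\)/)) stack = substr($0, RSTART + 1, RLENGTH - 2)
        if (match($0, /\/K[^ ]+/))   kver  = substr($0, RSTART + 2, RLENGTH - 2)
    }
    END {
        printf "stack=%s kernel=%s klips_module_missing=%d netkey_modules=%d no_interfaces=%d\n",
            (stack ? stack : "unknown"), (kver ? kver : "unknown"),
            klips_missing, netkey_mods, no_if
    }'
}

# Succeeds if a file named ipsec.ko exists under /lib/modules/<release>.
# $1 = kernel release from the banner, $2 = optional alternate root (hypothetical).
klips_module_present() {
    [ -n "$(find "${2:-}/lib/modules/$1" -name 'ipsec.ko' 2>/dev/null)" ]
}

# Stand-alone run on the constructed sample.
sample_log | diagnose_ipsec_log
```

On a live host, pipe the real output of the start command into diagnose_ipsec_log and pass the reported kernel value to klips_module_present.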


