[Openswan Users] Openswan 2.4.0 + Linux 2.6.12 + Klips?
Martin Bene
martin.bene at icomedias.com
Wed Nov 2 15:11:10 CET 2005
Ok, I've now spent quite some hours compiling kernels and trying to get
openswan 2.4.0 working with klips and a linux 2.6 kernel.
(BTW, fixup for awk/"default" function was required on my gentoo box for
openswan 2.4.0)
In all cases, nat-t patch is applied to the kernel and activated;
2.6.12.6 matches 2.6.12 results.
Kernel        2.6.11   2.6.11.12   2.6.12
Module SMP    LOCK     LOCK        ERR
Module UP     OK       OK          ERR
Builtin SMP   LOCK     LOCK        LOCK
Builtin UP    OK       OK          OK
All tests started with unpack of a fresh kernel tree, so results
shouldn't show strange effects from partial builds. Fiddling with
preempt/smt scheduler/irq balancing didn't influence results.
LOCK:
=====
System locks up completely - no console message, not pingable, no arp
response. Magic SysRq still reacts but can't list processor status or
tasks etc. Reboot still works.
strace -f /usr/local/libexec/ipsec/klipsdebug --none
open("/dev/urandom", O_RDONLY) = 3
read(3, ":\17t\340", 4) = 4
close(3) = 0
socket(PF_KEY, SOCK_RAW, 2) = 3
getpid() = 9960
brk(0) = 0x80013000
brk(0x80034000) = 0x80034000
write(3, "\2\20\0\0\t\0\0\0\1\0\0\0\350&\0\0\7\0\31\0\0\0\0\0\0\0"..., 72) = 72
close(3
^
system hangs.
ERR:
====
Kernel exception on sk_alloc, see previous mails
System has a P4 w/ hyperthreading, so I'd normally go for an SMP kernel;
this doesn't seem to be an option at the moment? Given my prior
experience with the stability of freeswan / openswan I find it very hard
to believe that I'm NOT doing something incredibly stupid - I just can't
figure out what it is I'm doing wrong. Or has everyone else on 2.6
switched to the native ipsec implementation?
If so: how do you deal with firewalling, esp. how do you tell apart
decapsulated packages that came in via VPN from packages that came in
unencrypted?
What I'd really like to know now:
If you're using Kernel 2.6.x with klips
* which linux kernel and
* what version of openswan are you using
* SMP or single processor kernel
* klips module or patched into the kernel
Thanks, Martin