[Openswan Users] Openswan 2.4.0 + Linux 2.6.12 + Klips?

Martin Bene martin.bene at icomedias.com
Wed Nov 2 15:11:10 CET 2005


Ok, I've now spent quite some hours compiling kernels and trying to get
openswan 2.4.0 working with klips and a linux 2.6 kernel.

(BTW, fixup for awk/"default" function was required on my gentoo box for
openswan 2.4.0)

In all cases, nat-t patch is applied to the kernel and activated;
2.6.12.6 matches 2.6.12 results.

Kernel       2.6.11  2.6.11.12  2.6.12
Module SMP   LOCK    LOCK       ERR
Module UP    OK      OK         ERR
Builtin SMP  LOCK    LOCK       LOCK
Builtin UP   OK      OK         OK

All tests started with unpack of a fresh kernel tree, so results
shouldn't show strange effects from partial builds. Fiddling with
preempt/smt scheduler/irq balancing didn't influence results.

LOCK: 
=====
System locks up completely - no console message, not pingable, no arp
response. Magic SysRq still reacts but can't list processor status or
tasks etc. Reboot still works.

strace -f /usr/local/libexec/ipsec/klipsdebug --none

open("/dev/urandom", O_RDONLY)          = 3
read(3, ":\17t\340", 4)                 = 4
close(3)                                = 0
socket(PF_KEY, SOCK_RAW, 2)             = 3
getpid()                                = 9960
brk(0)                                  = 0x80013000
brk(0x80034000)                         = 0x80034000
write(3, "\2\20\0\0\t\0\0\0\1\0\0\0\350&\0\0\7\0\31\0\0\0\0\0\0\0"..., 72) = 72
close(3
	 ^
	 system hangs.

ERR: 
====
Kernel exception on sk_alloc, see previous mails

System has a P4 w/ hyperthreading, so I'd normally go for an SMP kernel;
this doesn't seem to be an option at the moment? Given my prior
experience with the stability of freeswan / openswan I find it very hard
to believe that I'm NOT doing something incredibly stupid - I just can't
figure out what it is I'm doing wrong. Or has everyone else on 2.6
switched to the native ipsec implementation? 

If so: how do you deal with firewalling, esp. how do you tell apart
decapsulated packages that came in via VPN from packages that came in
unencrypted?

What I'd really like to know now: 

If you're using Kernel 2.6.x with klips
* which linux kernel and 
* what version of openswan are you using 
* SMP or single processor kernel
* klips module or patched into the kernel

Thanks, Martin
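
The following is an added example, not part of the original post: it decodes the PF_KEY v2 base header (RFC 2367 `sadb_msg`) from the bytes strace printed for the last write() before the hang, so the declared length and PID can be checked against the trace. The function names are illustrative, and little-endian byte order is assumed because the post mentions a P4.

```python
import struct

# Argument of the final write() exactly as strace printed it in the post
# (strace truncated the 72-byte buffer, hence the "..." in the trace).
STRACE_ARG = r"\2\20\0\0\t\0\0\0\1\0\0\0\350&\0\0\7\0\31\0\0\0\0\0\0\0"

# Single-character escapes strace emits besides octal ones.
SIMPLE = {"t": 9, "n": 10, "v": 11, "f": 12, "r": 13, "\\": 92, '"': 34}

def strace_unescape(text):
    """Turn strace's C-style escaped string back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] != "\\":
            out.append(ord(text[i]))
            i += 1
        elif text[i + 1] in "01234567":
            j = i + 1  # octal escape: one to three digits
            while j < len(text) and j < i + 4 and text[j] in "01234567":
                j += 1
            out.append(int(text[i + 1:j], 8))
            i = j
        else:
            out.append(SIMPLE[text[i + 1]])
            i += 2
    return bytes(out)

def parse_sadb_msg(buf):
    """Decode the 16-byte sadb_msg header and the first extension header.

    Fields are in host byte order; "<" assumes an x86 (little-endian) host.
    Lengths are carried in 64-bit words, so they are multiplied by 8.
    """
    ver, mtype, err, satype, length, _reserved, seq, pid = struct.unpack_from(
        "<BBBBHHII", buf, 0)
    ext_len, ext_type = struct.unpack_from("<HH", buf, 16)
    return {
        "version": ver, "type": mtype, "errno": err, "satype": satype,
        "total_bytes": length * 8, "seq": seq, "pid": pid,
        "first_ext_type": ext_type, "first_ext_bytes": ext_len * 8,
    }

if __name__ == "__main__":
    for key, value in parse_sadb_msg(strace_unescape(STRACE_ARG)).items():
        print(f"{key:16} {value}")
```

The decoded header is self-consistent with the trace: the declared length equals the 72 bytes written, the PID field equals the getpid() result, and the header plus the single extension account for the whole message.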

