Re: [Openswan Users] Openswan 2.4.0 + Linux 2.6.12 + Klips?
Martin Bene
martin.bene at icomedias.com
Thu Nov 3 11:24:01 CET 2005
Thanks for your answer,
> That patch should be in already. Perhaps you can try the
> latest 2.4.2drX
> release?
Sure, will do.
> Thanks for the overview. We know there is a problem with SMP
Seems to be rather new - I'm running 2.6.11 + Openswan 2.3.0 +
klips(builtin) + smp on another system without problems.
> and a general problem with sk_alloc. This function changed
> between 2.6.11 and 2.6.12. There are a few new defines that
> regulate behaviour of the changed Linux kernel networking code.
> These do NOT consider subversions of kernels (eg 2.6.11.X)
At least in the cases I tried, the subversion kernels didn't add to the
problem; for 2.11 and 2.12 the fixups don't seem to touch parts relevant
to ipsec.
> NET_26_12_SKALLOC - swapped sk_alloc parameters (changed in 2.6.12)
Not only swapped parameters, but a completely different parameter as well;
what used to be kmem_cache_t * is now proto *. Looking at different
samples of sk_alloc use from the kernel I still can't see why I get an
error when trying to use klips as a module on linux >= 2.6.12.
> > If so: how do you deal with firewalling, esp. how do you tell apart
> > decapsulated packets that came in via VPN from packets
> > that came in unencrypted?
>
> Use the iptables MARK facility to mark encapsulated packets.
> The mark will survive in the decapsulated packet.
Thanks for that hint - I might have a look at native ipsec; I'd much
rather stay with tried and proven klips where Nat-t and interop with
different peers are known to work.
> > What I'd really like to know now:
> >
> > If you're using Kernel 2.6.x with klips
> > * which linux kernel and
> > * what version of openswan are you using
> > * SMP or single processor kernel
> > * klips module or patched into the kernel
>
> Linus kernels up to 2.6.12 on UP and inline will work.
> Anything else, as you found out, is risky.
Possibly 2.6.13 UP builtin also works, haven't given that a shot yet -
no need to be THAT near the bleeding edge I guess.
Thanks for your help,
Martin
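As an added example of the MARK technique suggested in the reply above (this is not code from the thread or from the Openswan project): the script below marks ESP and NAT-T (UDP/4500) packets as they arrive from the WAN, relies on the mark surviving decapsulation, and then uses it to separate tunnel traffic from cleartext packets that merely claim a VPN source address. The interface name eth0, the remote subnet 10.1.0.0/16 and the mark value 1 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original post: iptables MARK rules that
# tell packets decapsulated from an IPsec tunnel apart from packets that
# arrived in the clear. Hypothetical values: WAN interface eth0, remote
# VPN subnet 10.1.0.0/16, mark value 1 meaning "came in through IPsec".
WAN_IF=${WAN_IF:-eth0}
VPN_NET=${VPN_NET:-10.1.0.0/16}
VPN_MARK=${VPN_MARK:-1}
IPT=${IPT:-iptables}

# Execute a rule, or only print it when DRY_RUN is set (for review).
run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

ipsec_firewall_rules() {
    # 1. Mark encapsulated traffic on entry from the WAN: plain ESP, and
    #    UDP/4500 for NAT-T. The mark is carried over to the decapsulated
    #    inner packet, so it is still present when that packet is filtered.
    run $IPT -t mangle -A PREROUTING -i "$WAN_IF" -p esp \
        -j MARK --set-mark "$VPN_MARK"
    run $IPT -t mangle -A PREROUTING -i "$WAN_IF" -p udp --dport 4500 \
        -j MARK --set-mark "$VPN_MARK"

    # 2. Anti-spoofing: a packet claiming a VPN-subnet source address that
    #    does NOT carry the mark arrived unencrypted and is dropped.
    run $IPT -A INPUT   -s "$VPN_NET" -m mark ! --mark "$VPN_MARK" -j DROP
    run $IPT -A FORWARD -s "$VPN_NET" -m mark ! --mark "$VPN_MARK" -j DROP

    # 3. Accept genuine tunnel traffic, which is now guaranteed to be marked.
    run $IPT -A INPUT   -s "$VPN_NET" -m mark --mark "$VPN_MARK" -j ACCEPT
    run $IPT -A FORWARD -s "$VPN_NET" -m mark --mark "$VPN_MARK" -j ACCEPT

    # 4. Let the outer IKE/ESP/NAT-T packets themselves reach the IPsec stack.
    run $IPT -A INPUT -i "$WAN_IF" -p esp -j ACCEPT
    run $IPT -A INPUT -i "$WAN_IF" -p udp -m multiport --dports 500,4500 -j ACCEPT
}

# Number of rules the function installs; used when reviewing a dry run.
ipsec_rule_count() {
    ( DRY_RUN=1; ipsec_firewall_rules ) | wc -l | tr -d ' '
}

# Usage: run as root to install the rules, or
#   DRY_RUN=1 sh -c '. ./ipsec-fw.sh; ipsec_firewall_rules'
# to print them without touching the firewall.
```

With KLIPS the decapsulated packet additionally shows up on the ipsecN virtual interface, so `-i ipsec0` in the filter rules is a simpler alternative there; the mark-based approach is what makes the same distinction possible where no such interface exists.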