Fw: [Openswan Users]

Gbenga stjames08 at yahoo.co.uk
Thu Apr 20 03:02:22 CEST 2006


Hi all,

I recompiled the kernel again, this time with kernel 2.6.16 and enabled CONFIG_IPSEC_NAT_TRAVERSAL=y and CONFIG_KLIPS=m.

This compiled ok and I was able to compile and install user-land: modprobe ipsec (ok)

However, when I ran ipsec verify, NAT Traversal support failed?

aparo:/home/osogbetun# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan 2.4.5 (klips)
Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I need NAT-T for my setup and I would appreciate it if someone can explain why, despite enabling NAT-T in the kernel, it would not compile properly. ipsec barf output is attached.

Also, how long does it take for ipsec newhostkey to generate a key? Or what is the best way to generate keys for the ipsec.secrets file?

Rgds,
Gbenga


On Sat, 15 Apr 2006, Gbenga wrote:

> Next I compiled the openswan userland, which compiled well. To install I run, "make module minstall". However, I have trouble inserting/modprobing the new ipsec.ko.
>
> I get the error output:
>
> aparo:~# modprobe ipsec
> FATAL: Error inserting ipsec (/lib/modules/2.6.16.5/kernel/net/ipsec/ipsec.ko): Unknown symbol in module, or unknown parameter (see dmesg)

What did dmesg say? This could be for instance a different c compiler that was
used for the kernel and the kernel module compile.

> ipsec verify :
>
>     aparo:/home/osogbetun# ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux Openswan 2.4.5 (klips)

Odd, it seems you have the module loaded anyway?

> Checking for IPsec support in kernel                            [OK]
> KLIPS detected, checking for NAT Traversal support              [FAILED]

Did you boot into the new kernel? For the nat-t patch, which patches the
kernel's udp.c, you must rebuild both the kernel and all modules.

> However, I need some clarification regarding compiling klip, because there are many procedures from different sources.

> a.) the openswan book, it says to "For NAT-T patch: KERNELSRC=/source_to_kernel_source; cd openswan; make nattpatch > /usr/src/openswan-ipsec-natt.patch; cd $kernelsource_dir; cat /usr/src/openswan-ipsec-natt.patch | patch -p1 -s; make clean; make oldconfig"
>
> b.) openswan wiki (http://wiki.openswan.org/index.php/Building%20from%20tarballs%20for%202.6) gives a different angle to how to compile for kernel26. (note the line: export KERNELSRC=/lib/modules/`uname -r`/build)
>
> c.) from the README file in openswan source dir:
>     make nattpatch | (cd /usr/src/linux-2.6 && patch -p1 && make bzImage)

These are three different ways that accomplish the same, though c) needs to
have KERNELSRC set as well. KERNELSRC points to the kernel header files. These
can come from the full kernel source, but are also often installed in the
directory /lib/modules/kernel-version/build

>     From the openswan source directory, build the userland tools, and ipsec.o kernel module:
>     "make KERNELSRC=/usr/src/linux-2.6 programs module"
>     to install "make KERNELSRC=/usr/src/linux-2.6 install minstall"
>
> I would appreciate it if someone can give me a working step-by-step guide to getting kernel 2.6.16.X working with native, i.e. compiled-in, KLIPS and openswan 2.4.5

Either works, it depends on where/how your kernel source is. The /lib/modules/kernel-version method
only works for kernel modules. If you want the NAT-T patch, you will need the full kernel source.
Though on fedora for example, when installing the kernel-devel package, your kernel source will be
available through /lib/modules/kernel-version/build, or in /usr/src/kernels/kernel-version

Paul
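Two small checks that go with Paul's answer, as an added example that is not code from this thread or from the Openswan project: a test of whether a KERNELSRC directory is a full kernel tree (which the NAT-T patch needs, since it patches the kernel's udp.c) or only a headers/build directory (enough for building the ipsec module, not for the patch), and a parser for `ipsec verify` output that reports every check marked [FAILED]. The file names it probes (net/ipv4/udp.c, Makefile, include/), the Openswan source path /usr/src/openswan and the sample verify lines are assumptions and constructed input, not taken from the mail.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Openswan project.
# kernelsrc_kind: decide what KERNELSRC points at; the NAT-T patch changes
#   the kernel's udp.c, so a headers-only /lib/modules/<ver>/build cannot take it.
# failed_checks: parse 'ipsec verify' output and list every [FAILED] check.
# The files probed (net/ipv4/udp.c, Makefile, include/) are an assumption
# about the layout of a 2.6 kernel tree.

# kernelsrc_kind DIR -> prints full | headers | missing; exit status 0 only for full
kernelsrc_kind() {
    dir=$1
    if [ -f "$dir/net/ipv4/udp.c" ]; then
        echo full
        return 0
    elif [ -f "$dir/Makefile" ] && [ -d "$dir/include" ]; then
        echo headers
        return 1
    else
        echo missing
        return 2
    fi
}

# failed_checks: reads 'ipsec verify' output on stdin and prints the name of
# each check whose status column is [FAILED]; exit 1 if any failed, else 0.
failed_checks() {
    found=0
    while IFS= read -r line; do
        case $line in
            *'[FAILED]'*)
                found=1
                # drop the padding and the status column, keep the check name
                printf '%s\n' "$line" | sed 's/[[:space:]]*\[FAILED\][[:space:]]*$//'
                ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Constructed sample input in the format 'ipsec verify' prints.
SAMPLE_VERIFY='Checking for IPsec support in kernel                            [OK]
KLIPS detected, checking for NAT Traversal support              [FAILED]
Checking that pluto is running                                  [OK]'

# natt_build_plan KERNELSRC: prints (does not run) the build sequence the
# thread describes, and refuses when KERNELSRC is not a full source tree.
# /usr/src/openswan is a placeholder for the unpacked Openswan source.
natt_build_plan() {
    src=$1
    kind=$(kernelsrc_kind "$src") || {
        echo "KERNELSRC=$src is '$kind': the NAT-T patch changes net/ipv4/udp.c, point KERNELSRC at the full kernel source" >&2
        return 1
    }
    cat <<EOF
cd /usr/src/openswan && make nattpatch > /usr/src/openswan-ipsec-natt.patch
cd $src && patch -p1 -s < /usr/src/openswan-ipsec-natt.patch
cd $src && make oldconfig && make bzImage modules && make modules_install install
cd /usr/src/openswan && make KERNELSRC=$src programs module
cd /usr/src/openswan && make KERNELSRC=$src install minstall
EOF
}

# Stand-alone demo on the constructed sample: the [FAILED] line is printed and
# the exit status says whether anything needs fixing before going further.
printf '%s\n' "$SAMPLE_VERIFY" | failed_checks \
    && echo "no FAILED checks" \
    || echo "fix the FAILED check(s) above, then re-run ipsec verify"
```

Run it against the real system with `ipsec verify | failed_checks` and `natt_build_plan /lib/modules/$(uname -r)/build`; on a box with only the kernel-devel headers the second call refuses, which is exactly the situation Paul describes where the module builds but the NAT-T patch cannot be applied.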
