[Openswan Users]

Rodrigo Weymar Fonseca r.weymar at tu-bs.de
Tue Jul 11 18:15:24 CEST 2006

Quoting Paul Wouters <paul at xelerance.com>:

> On Tue, 11 Jul 2006, Rodrigo Weymar Fonseca wrote:
> > I tried to apply the 2.4.6rc2.kernel-2.6-natt.patch on Suse 10 kernel
> > 2.6.13-15, but I got the following error:
> >
> > suse10:/usr/src/linux # patch -p1 -s < nat-t-patch-2.6.diff
> > The next patch would create the file include/net/xfrmudp.h,
> > which already exists!  Assume -R? [n] y
> > 8 out of 9 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej
> Looks like the suse kernel already contains the nat-t patch?


Despite the error with the NAT-T patch, I applied the KLIPS patch successfully:

patch -p1 -s < ../openswan-2.4.6rc2/openswan-2.4.6rc2.kernel-2.6-klips.patch

and afterwards I did:

make oldconfig
make clean
make bzImage modules modules_install

and got the following errors: 

net/ipsec/ipsec_init.c:95:25: error: net/xfrmudp.h: No such file or directory
net/ipsec/ipsec_init.c:99:2: warning: #warning "You are trying to build KLIPS2.6 with NAT-T support, but you did not"
net/ipsec/ipsec_init.c:100:2: error: #error "properly apply the NAT-T patch to your 2.6 kernel source tree."
net/ipsec/ipsec_init.c:125: error: syntax error before ‘klips_old_encap’
net/ipsec/ipsec_init.c:125: warning: type defaults to ‘int’ in declaration of ‘klips_old_encap’
net/ipsec/ipsec_init.c:125: warning: initialization makes integer from pointer without a cast
net/ipsec/ipsec_init.c:125: warning: data definition has no type or storage class
net/ipsec/ipsec_init.c: In function ‘ipsec_klips_init’:
net/ipsec/ipsec_init.c:231: error: implicit declaration of function ‘udp4_register_esp_rcvencap’
net/ipsec/ipsec_init.c: In function ‘ipsec_cleanup’:
net/ipsec/ipsec_init.c:261: error: implicit declaration of function ‘udp4_unregister_esp_rcvencap’
make[2]: *** [net/ipsec/ipsec_init.o] Error 1
make[1]: *** [net/ipsec] Error 2
make: *** [net] Error 2

Clearly the error comes from the broken NAT-T patch. If the suse kernel already
contains the nat-t patch, would it not compile ok even if the patch was not
successfully applied?

So, I am trying to enable KLIPS and NAT-T in this 2.6.13-15 kernel because we
are connecting (Road Warrior) from a Suse 10 client to Astaro Security Linux V5
(ASL), which uses KLIPS/ipsec0.

So far, I have successfully established ISAKMP and IPSec SAs (and it is
stable), but pinging from the client gives no response. The packets arrive in
the ASL, but it is not able to reply to the client. I suspect that it is caused
by the missing ipsecX interface on the client, since it uses NETKEY and the ASL
server uses KLIPS. 

Any suggestion on how to get it working, other than recompiling the kernel on
the client to enable KLIPS/ipsecX?

At first I was running Openswan 2.4.0-6, delivered with the Suse 10 CDs. Now I
installed 2.4.6rc2, which still works ok (ISAKMP and IPSec SA are established).
I just need to enable KLIPS on it :-)

suse10:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.6rc2/K2.6.13-15-smp (netkey)
Checking for IPsec support in kernel                            [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Checking for 'setkey' command for NETKEY IPsec stack support    [OK]
Opportunistic Encryption Support                                [DISABLED]

Any help is very appreciated!

Thank you.
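
A pre-flight check for the situation in this thread, added here as an example (not part of the original message and not Openswan code): it classifies a kernel tree by the header, reject file and symbol named in the output above, and can dry-run a patch without prompting or modifying the tree. The function names are hypothetical, and that the NAT-T patch defines udp4_register_esp_rcvencap in net/ipv4/udp.c is an assumption.

```shell
#!/bin/sh
# Added example: inspect a kernel tree before applying the NAT-T patch.
# Paths and the symbol name come from the messages in this thread; that the
# symbol is defined in net/ipv4/udp.c is an assumption.

# Print one of: absent | applied | partial | rejects
natt_tree_state() {
    tree=$1
    hdr="$tree/include/net/xfrmudp.h"
    udp="$tree/net/ipv4/udp.c"
    has_hdr=0
    has_sym=0
    [ -f "$hdr" ] && has_hdr=1
    if [ -f "$udp" ] && grep -q 'udp4_register_esp_rcvencap' "$udp"; then
        has_sym=1
    fi
    if [ -f "$udp.rej" ]; then
        echo rejects      # an earlier patch run left failed hunks behind
    elif [ "$has_hdr" -eq 1 ] && [ "$has_sym" -eq 1 ]; then
        echo applied      # header and registration hook are both present
    elif [ "$has_hdr" -eq 0 ] && [ "$has_sym" -eq 0 ]; then
        echo absent       # unpatched tree
    else
        echo partial      # only one half present: tree is inconsistent
    fi
}

# Trial run: --dry-run changes nothing, and -N (--forward) makes patch skip
# a patch that looks reversed or already applied instead of asking
# "Assume -R?". $2 must be an absolute path because of the cd.
natt_patch_check() {
    (cd "$1" && patch -p1 -N --dry-run < "$2")
}

# Usage: natt-check.sh /usr/src/linux [/absolute/path/to/nat-t-patch.diff]
if [ "$#" -ge 1 ] && [ -d "$1" ]; then
    state=$(natt_tree_state "$1")
    echo "NAT-T state of $1: $state"
    if [ "$state" = absent ] && [ "$#" -ge 2 ]; then
        natt_patch_check "$1" "$2"
    elif [ "$state" = partial ] || [ "$state" = rejects ]; then
        echo "Tree is inconsistent; restore pristine sources before building."
    fi
fi
```

Answering y to "Assume -R?" tells patch to try to reverse the patch, so running the state check before and after shows whether the tree was left in the partial or rejects state.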
