[Openswan Users]

Rodrigo Weymar Fonseca r.weymar at tu-bs.de
Thu Jul 13 20:03:27 CEST 2006

Hi all,

I am still getting the same errors trying to load the KLIPS module into the Suse
10 kernel.

I tried in different ways, installing the userland first and then applying the
KLIPS patch, and also first applying the KLIPS patch and then installing the
userland. (I gave up installing the NAT-T patch for now). Anyway, I always got
the same errors. Don't know what can be wrong.

I followed the suggestion of Stefan and reinstalled the kernel source tree. I
also tried Openswan version openswan-2.4.5 with
openswan-2.4.5.kernel-2.6-klips.patch and got the same errors.

Below are the steps I did:

export KERNELSRC=/usr/src/linux-2.6.13-15

suse10:/usr/src/linux-2.6.13-15 # patch -p1 <

I got no error message applying the KLIPS patch. Also the KLIPS26 options were
shown when I did "make menuconfig":

suse10:/usr/src/linux-2.6.13-15 # make menuconfig

--- Networking support
       Networking options  --->
    [*]   Amateur Radio support  --->
    <M>   IrDA (infrared) subsystem support  --->
    <M>   Bluetooth subsystem support  --->
    <M>   Openswan IPsec (KLIPS26)
           KLIPS options  --->

suse10:/usr/src/linux-2.6.13-15 # make clean

suse10:/usr/src/linux-2.6.13-15 # make bzImage modules modules_install

In file included from include/net/xfrm.h:11,
                 from include/linux/netfilter_ipv4.h:90,
                 from include/net/ip.h:34,
                 from net/ipsec/ipsec_init.c:57:
include/linux/pfkeyv2.h:335:1: warning: this is the location of the previous
make[2]: *** [net/ipsec/ipsec_init.o] Error 1
make[1]: *** [net/ipsec] Error 2
make: *** [net] Error 2

suse10:/usr/src/openswan-2.4.6rc2 # export

suse10:/usr/src/openswan-2.4.6rc2 # make module module_install
echo 'Building in place is no longer supported. Please set MODBUILDDIR='
Building in place is no longer supported. Please set MODBUILDDIR=
exit 1
make: *** [module] Error 1


Building the userland is ok.

suse10:/usr/src/openswan-2.4.6rc2 # make programs

suse10:/usr/src/openswan-2.4.6rc2 # make install


suse10:~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.6rc2/K2.6.13-15-smp (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Thank you for your time and help!


Quoting Stefan Denker <Stefan at dn-kr.de>:

> On Tue, Jul 11, 2006 at 05:15:24PM +0200, Rodrigo Weymar Fonseca wrote:
> > Quoting Paul Wouters <paul at xelerance.com>:
> >> On Tue, 11 Jul 2006, Rodrigo Weymar Fonseca wrote:
> >>> suse10:/usr/src/linux # patch -p1 -s < nat-t-patch-2.6.diff
> >>> The next patch would create the file include/net/xfrmudp.h,
> >>> which already exists!  Assume -R? [n] y
>                            ^^^^^^^^^^^^^^^^
> Well, -R reverses this patch, thereby deleting xfrmudp.h
> > despite the error with the NAT-T patch, I applied the KLIPS patch successfully:
> > and afterwards I did:
> > make oldconfig
> > make clean
> > make bzImage modules modules_install
> > and got the following errors: 
> > net/ipsec/ipsec_init.c:95:25: error: net/xfrmudp.h: No such file or directory
> So this does hardly surprise me.
> > Clearly the error comes from the broken NAT-T patch. If the suse
> > kernel already contains the nat-t patch, would it not compile ok even
> > if the patch was not successfully applied ?
> You may have ruined your kernel source when trying to patch. I'd suggest
> you start over with fresh kernel sources.
> Stefan
> -- 
> Man is bearable as an individual.
> In the herd he stands too close to the animal kingdom.
>                                                              [Franz Grillparzer]
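
Added example, not part of the original message or of Openswan: a small shell check that lists which interfaces still have the `send_redirects` / `accept_redirects` settings that `ipsec verify` reports as [FAILED] above. The function names and the sample tree are constructed for illustration; the sample stands in for /proc/sys/net/ipv4/conf so the script runs without root.

```shell
#!/bin/sh
# Added example: find the ICMP redirect settings that make the two
# NETKEY checks in `ipsec verify` report [FAILED].

# redirect_findings CONF_DIR
# CONF_DIR is normally /proc/sys/net/ipv4/conf. Prints one line
# "<interface> <setting>=<value>" for every setting that is not 0.
redirect_findings() {
    conf_dir=$1
    for iface_dir in "$conf_dir"/*/; do
        [ -d "$iface_dir" ] || continue
        iface=$(basename "$iface_dir")
        for setting in send_redirects accept_redirects; do
            file=$iface_dir$setting
            [ -r "$file" ] || continue
            value=$(cat "$file")
            if [ "$value" != "0" ]; then
                echo "$iface $setting=$value"
            fi
        done
    done
}

# make_sample_tree: constructed sample data (not from the original post)
# laid out like /proc/sys/net/ipv4/conf. Prints the directory it created.
make_sample_tree() {
    dir=$(mktemp -d)
    for iface in all default eth0; do
        mkdir -p "$dir/$iface"
        echo 1 > "$dir/$iface/send_redirects"
        echo 1 > "$dir/$iface/accept_redirects"
    done
    # eth0 is already hardened in this sample
    echo 0 > "$dir/eth0/send_redirects"
    echo 0 > "$dir/eth0/accept_redirects"
    echo "$dir"
}

sample=$(make_sample_tree)
echo "Findings in constructed sample tree:"
redirect_findings "$sample"
rm -rf "$sample"

# On a real host: redirect_findings /proc/sys/net/ipv4/conf
# Each finding is cleared as root with, for example:
#   sysctl -w net.ipv4.conf.all.send_redirects=0
```

Settings changed with `sysctl -w` do not survive a reboot; they have to be persisted in the distribution's sysctl configuration as well.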
