[Openswan Users] Problem KLIPS INSTALLATION :-)

conn intel connintel at gmail.com
Thu Nov 2 08:22:57 EST 2006


Hello friends,

I am using the method in which the ipsec.ko module is generated from openswan
rather than patching the kernel using the klips patch.

I am following the steps below, as Paul has nicely mentioned ::

1) Patch kernel using Natt

    export KERNELSRC=/usr/src/linux-2.6.17
    cd /home/software/openswan/openswan-2.4.6
    make natt-patch > /usr/src/linux-2.6.17/natt.patch
    cd /usr/src/kernel-source-2.6.8
    patch -p1 -s < natt.patch

RESULT :: Works successfully

2) Compiled the kernel successfully. Then, after booting into the new NAT-T-patched
kernel, compiled openswan with the USE_EXTRACRYPTO & USE_WEAKSTUFF flags enabled,
   followed by ::

    make KERNELSRC=/usr/src/linux-2.6.17 programs module
    make KERNELSRC=/usr/src/linux-2.6.17 install minstall

RESULT :: Compiled successfully.

  Now when I use combinations like ike=aes or 3des with esp=aes or 3des, both
work perfectly, but when I try to use blowfish or twofish or serpent they
give the following error.

 For example, using ike=blowfish and esp=blowfish I get the following
error message in /var/log/syslog :


    Nov  2 23:58:53 localhost kernel: klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack version: 2.4.6
    Nov  2 23:58:53 localhost kernel: NET: Registered protocol family 15
    Nov  2 23:58:53 localhost kernel: klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
    Nov  2 23:58:53 localhost kernel: klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
    Nov  2 23:58:53 localhost kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
    Nov  2 23:58:53 localhost kernel: klips_debug: experimental ipsec_alg_AES_MAC not registered [Ok] (auth_id=0)
    Nov  2 23:58:53 localhost kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
    Nov  2 23:58:53 localhost ipsec_setup: KLIPS debug `none'
    Nov  2 23:58:53 localhost kernel:
    Nov  2 23:58:53 localhost ipsec_setup: KLIPS ipsec0 on eth0 192.168.1.4/255.0.0.0 broadcast 192.255.255.255
    Nov  2 23:58:53 localhost ipsec_setup: ...Openswan IPsec started
    Nov  2 23:58:53 localhost ipsec_setup: Starting Openswan IPsec 2.4.6...
    Nov  2 23:58:53 localhost ipsec_setup: WARNING: changing route filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)
    Nov  2 23:58:53 localhost ipsec__plutorun: 003 "netone": requested kernel enc ealg_id=7 not present
    Nov  2 23:58:53 localhost ipsec__plutorun: 003 "netone": requested kernel enc ealg_id=7 not present
    Nov  2 23:58:53 localhost ipsec__plutorun: 034 "netone": can not initiate: no acceptable kernel algorithms loaded
    Nov  2 23:58:53 localhost ipsec__plutorun: ...could not start conn "netone"

  And using ike=1des and esp=aes I get the following error ::

    Nov  3 00:05:06 localhost ipsec__plutorun: 034 esp string error: enc_alg not found, enc_alg="1des", auth_alg="", modp=""



  Now, did I forget a step, or is there an issue with the kernel? Is the
kernel not able to find the functions defined in the module, or is there
some problem with the openswan compilation? Waiting for your suggestions. I
am using fresh sources for compilation. :-)

    Thank You.

    Ankur.

    More Information ::

    debian:/home/software/openswan/openswan-2.4.6# ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                                 [OK]
    Linux Openswan 2.4.6 (klips)
    Checking for IPsec support in kernel                            [OK]
    Checking for RSA private key (/etc/ipsec.secrets)               [OK]
    Checking that pluto is running                                  [OK]
    Checking for 'ip' command                                       [OK]
    Checking for 'iptables' command                                 [OK]
    Opportunistic Encryption Support                                [DISABLED]


    debian:/home/software/openswan/openswan-2.4.6# ipsec setup restart
    ipsec_setup: ERROR: Module ipsec is in use
    ipsec_setup: Stopping Openswan IPsec...
    ipsec_setup: Starting Openswan IPsec 2.4.6...

On 10/31/06, Paul Wouters <paul at xelerance.com> wrote:
>
> On Mon, 30 Oct 2006, conn intel wrote:
>
> > Thanx... for quick reply..
> >
> > a) Do I also need to set CONFIG_KLIPS as (module or built in)?
> >
> > b) Am I wrong ? I think there are two ipsec modules generated
> > 1) By compiling the kernel with CONFIG_KLIPS as modules 2) By "make
> > kernelsrc=/usr/src/linux-2.6.17 minstall install" which will copy the
> > ipsec.ko to /lib/modules/...ipsec/ipsec.ko. And thus overwriting the
> > ipsec.ko generated by compiled patched kernel.
>
> Either patch the kernel with the klips patch and use 'make config' to configure it,
> or don't patch the kernel with the klips patch and use openswan's make module module_install,
> but don't use both. Also, regardless of the method, you will need to patch your kernel
> with the nat-t patch (and configure and rebuild kernel + modules).
>
> Paul
>
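
An added example, not part of the original post or of Openswan's own code: it reads syslog lines like the ones in the message above and compares the ciphers the KLIPS module registered at load time with the `ealg_id` that pluto requested. The `ESP_TRANSFORMS` table uses the IANA ESP transform identifiers, and the sample log is reconstructed from the lines in the post; the function names are hypothetical.

```python
import re

# IANA IPsec ESP transform identifiers (the alg_id / ealg_id values in the log).
ESP_TRANSFORMS = {2: "des", 3: "3des", 6: "cast", 7: "blowfish", 11: "null", 12: "aes"}

# Constructed sample: log lines from the post above, with mail line-wraps removed.
SAMPLE_LOG = """\
Nov  2 23:58:53 localhost kernel: ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
Nov  2 23:58:53 localhost kernel: ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
Nov  2 23:58:53 localhost ipsec__plutorun: 003 "netone": requested kernel enc ealg_id=7 not present
Nov  2 23:58:53 localhost ipsec__plutorun: 003 "netone": requested kernel enc ealg_id=7 not present
Nov  2 23:58:53 localhost ipsec__plutorun: 034 "netone": can not initiate: no acceptable kernel algorithms loaded
"""

# A cipher that KLIPS registered: ipsec_<name>_init(... alg_id=N name=<name>): ret=R
REGISTERED = re.compile(r"ipsec_\w+_init\(alg_type=(\d+) alg_id=(\d+) name=(\w+)\): ret=(-?\d+)")
# A cipher pluto asked the kernel for and did not find.
REQUESTED = re.compile(r'"([^"]+)": requested kernel enc ealg_id=(\d+) not present')


def analyze(log_text):
    """Return (registered, missing): alg_id -> name, and conn -> set of absent ealg_ids."""
    registered, missing = {}, {}
    for line in log_text.splitlines():
        m = REGISTERED.search(line)
        if m:
            if m.group(4) == "0":          # only count init calls that succeeded
                registered[int(m.group(2))] = m.group(3)
            continue
        m = REQUESTED.search(line)
        if m:
            missing.setdefault(m.group(1), set()).add(int(m.group(2)))
    return registered, missing


def report(log_text):
    """Summarise which requested ESP ciphers the loaded ipsec module does not provide."""
    registered, missing = analyze(log_text)
    have = ", ".join(f"{name}(id={alg_id})" for alg_id, name in sorted(registered.items()))
    lines = [f"registered in KLIPS: {have}"]
    for conn, ids in sorted(missing.items()):
        for alg_id in sorted(ids):
            name = ESP_TRANSFORMS.get(alg_id, "unknown")
            lines.append(f'conn "{conn}": ealg_id={alg_id} ({name}) requested but not registered')
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```
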