[Openswan Users] KIPS broken, NETKEY works

Turbo Fredriksson turbo at bayour.com
Sun Nov 5 14:20:48 EST 2006


Quoting Paul Wouters <paul at xelerance.com>:

> On Sat, 4 Nov 2006, Turbo Fredriksson wrote:
>
>> >>> Looking at this again, I see that the 'ipsec.ko' module
>> >>> is NOT loaded!
>> >>> Any ideas?
>> >>
>> >> I suppose your KLIPS setup is borken (is that Swedish? :-)
>> >> and if you use NETKEY it works.
>> >
>> > Any idea WHY it's broken? What's the difference between KLIPS
>> > and NETKEY, and why exactly (short if you may :) should I use
>> > the one before the other?
>>
>> This is (part of) my .config (output from 'ipsec barf') if that
>> helps figuring out why KLIPS doesn't work:
>
> It looks fine, except for CONFIG_IPSEC_NET_TRAVERSAL missing. So you did not
> apply the nat-t patch, so KLIPS won't support nat-t packets (but NETKEY will).

Previously I had the following packages installed:

----- s n i p -----
linux-patch-openswan_2.4.6+dfsg.2-0.1_all.deb
 Description: IPSEC Linux kernel support for Openswan
  This package contains the patches for the Linux kernel to get the necessary
  kernel support to use Openswan. If you want to build a kernel module for
  IPSec, it is much easier to use the openswan-modules-source package instead.
  This kernel-patch package should probably only be used when building a
  non-modular kernel or when compiling IPSec non-modular.
  .
  It includes the NAT Traversal patches and applies them automatically to the
  kernel after inserting KLIPS.

openswan-modules-source_2.4.6+dfsg.2-0.1_all.deb
 Description: IPSEC kernel modules source for Openswan
  This package contains the source for the Openswan modules to get the necessary
  kernel support to use Openswan.
  .
  It includes the NAT Traversal patches, which will need to be applied to the
  kernel tree if NAT Traversal is needed.
----- s n i p -----

So, looking at the linux-patch-openswan, I should NOT have that installed
(since I want a modular kernel). But looking through the openswan-modules-source
package, it does not contain ANY reference to CONFIG_IPSEC_NET_TRAVERSAL.
Although it DOES have references to 'CONFIG_IPSEC_NAT_TRAVERSAL' - spelling error
on your part I guess :). But I don't have that either in my .config.

This might be why I got TWO ipsec.ko modules - one in the 'kernel-image-2.6.17'
package and one in the 'openswan-modules-2.6.17' package.  It (KLIPS) didn't
work with EITHER of the modules, so there might be some clashes there...
I'm trying again WITHOUT the 'linux-patch-openswan' package...


Okay, it seems like I STILL have to apply a patch manually before running
'make-kpkg binary-arch modules'. This patch is in /usr/src/modules/openswan/debian/nat-t-2.6.diff.

This kernel STILL doesn't work. And what's worse, I can't ping anything
on the work network.

When I remove the ipsec.ko module, this is what happens when I (re)start
pluto:
----- s n i p -----
ipsec_setup: Starting Openswan IPsec 2.4.6...
ipsec_setup: FATAL: Could not open '/lib/modules/2.6.17/kernel/net/ipsec/ipsec.ko': No such file or directory
ipsec_setup: insmod /lib/modules/2.6.17/kernel/net/key/af_key.ko
ipsec_setup: insmod /lib/modules/2.6.17/kernel/net/ipv4/xfrm4_tunnel.ko
ipsec_setup: insmod /lib/modules/2.6.17/kernel/net/xfrm/xfrm_user.ko
----- s n i p -----

And these are the modules loaded:
----- s n i p -----
workfw:/lib/modules/2.6.17/kernel/net/ipsec# lsmod | egrep 'ipsec|af_key|xfrm'
xfrm_user              22784  2
xfrm4_tunnel            3840  0
af_key                 33296  0
tunnel4                 4484  1 xfrm4_tunnel
----- s n i p -----

These are also the modules that are loaded when the machine has just started
(i.e. no 'ipsec' module loaded!).

However, when the ipsec.ko module exists, these are the modules loaded:
----- s n i p -----
workfw:/lib/modules/2.6.17/kernel/net/ipsec# lsmod | egrep 'ipsec|af_key|xfrm'
ipsec                 325420  2
----- s n i p -----

This time none of the xfrm*, af_key or tunnel4 modules is loaded. And with
this, the Win2k machine can't connect, and I get this in the logs:

----- s n i p -----
==> /var/log/syslog <==
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 27(X-NAT-T-sport) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 28(X-NAT-T-dport) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 29(X-NAT-T-OA) unknown, ignoring.
Nov  5 14:53:38 workfw kernel: klips:pfkey_msg_parse: ext type 30(<NULL>) unknown, ignoring.
----- s n i p -----

This time I DO have CONFIG_IPSEC_NAT_TRAVERSAL defined. But no IPSEC stuff:

----- s n i p -----
workfw:/lib/modules/2.6.17/kernel/net/ipsec# cat /lib/modules/2.6.17/build/.config | egrep 'CONFIG_IPSEC|CONFIG_KLIPS'
CONFIG_IPSEC_NAT_TRAVERSAL=y
----- s n i p -----

This is starting to drive me nuts!



Now, just for the sake of it, I disabled the openswan-modules-source
package and installed the linux-patch-openswan again (going through
'make menuconfig'), setting 'CONFIG_KLIPS=m' and adding all 'KLIPS
options' (including CONFIG_KLIPS_ENC_CRYPTOAPI but NOT
CONFIG_KLIPS_ENC_1DES).

----- s n i p -----
worksrv:/usr/src/linux-source-2.6.17# egrep 'KLIPS|IPSEC' .config
CONFIG_IPSEC_NAT_TRAVERSAL=y
CONFIG_KLIPS=m
# KLIPS options
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ENC_CRYPTOAPI=y
# CONFIG_KLIPS_ENC_1DES is not set
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
----- s n i p -----

Combining the linux-source-2.6.17 and linux-patch-openswan packages
required the /usr/src/linux link. I didn't notice that before. The
NAT-T patch was never applied due to the missing link. Now it got
applied fine, the .config looked good and the kernel (without the
external openswan-modules-source module) built just fine.

But it won't load the ipsec module!

----- s n i p -----
workfw:/lib/modules/2.6.17# modprobe ipsec
FATAL: Error inserting ipsec (/lib/modules/2.6.17/kernel/net/ipsec/ipsec.ko): Unknown symbol in module, or unknown parameter (see dmesg)
----- s n i p -----

----- s n i p -----
Initializing IPsec netlink socket
ipsec: Unknown symbol udp4_register_esp_rcvencap
ipsec: Unknown symbol udp4_unregister_esp_rcvencap
----- s n i p -----

This is weird because looking at 'net/ipv4/udp.c', I see:

----- s n i p -----
#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)

/* if XFRM isn't a module, then register it directly. */
#if 0 && !defined(CONFIG_XFRM_MODULE) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = xfrm4_rcv_encap;
#else
static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
#endif

int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
                               , xfrm4_rcv_encap_t *oldfunc)
{
  if(oldfunc != NULL) {
    *oldfunc = xfrm4_rcv_encap_func;
  }

#if 0
  if(xfrm4_rcv_encap_func != NULL)
    return -1;
#endif

  xfrm4_rcv_encap_func = func;
  return 0;
}

int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func)
{
  if(xfrm4_rcv_encap_func != func)
    return -1;

  xfrm4_rcv_encap_func = NULL;
  return 0;
}
#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
----- s n i p -----

And BOTH of these are defined!!
----- s n i p -----
worksrv:/usr/src/linux-source-2.6.17# egrep 'CONFIG_XFRM|CONFIG_IPSEC_NAT_TRAVERSAL' .config
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_IPSEC_NAT_TRAVERSAL=y
----- s n i p -----



I'm starting to lose hope here...
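The three failure modes in the message above (no CONFIG_IPSEC_NAT_TRAVERSAL in .config, no ipsec.ko under /lib/modules, and "Unknown symbol udp4_register_esp_rcvencap" on modprobe) can each be checked mechanically. One caveat worth knowing when reading the udp.c excerpt: a function compiled into the kernel shows up in /proc/kallsyms as a 'T' entry, but a module can only resolve it if it was also exported with EXPORT_SYMBOL, which produces an additional '__ksymtab_<name>' entry. The excerpt does not show whether the hooks are exported, and that is exactly the difference between "the code is there" and "modprobe ipsec succeeds". The script below is an added diagnostic written for this page; it is not part of the original thread, Openswan, or Debian. It takes paths as arguments so it can be run against the live system or against saved copies of .config and kallsyms; the live-system paths at the bottom assume a Debian-style /lib/modules/<version>/build layout.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): check whether a kernel
# build actually provides what a KLIPS ipsec.ko with NAT-T needs.
#   1. CONFIG_IPSEC_NAT_TRAVERSAL=y in .config  (the nat-t patch was applied)
#   2. ipsec.ko present under /lib/modules/<ver>/kernel/net/ipsec/
#   3. udp4_register_esp_rcvencap / udp4_unregister_esp_rcvencap EXPORTED
#      by the running kernel, i.e. visible as __ksymtab_<name> in kallsyms
# Every input is a path, so the checks can be pointed at saved copies.

# Return 0 if CONFIG_IPSEC_NAT_TRAVERSAL is built in ("=y") in the .config $1.
natt_config_enabled() {
    if grep -q '^CONFIG_IPSEC_NAT_TRAVERSAL=y$' "$1"; then
        return 0
    fi
    return 1
}

# Print how many of the two NAT-T hooks are exported in symbol table $1
# (/proc/kallsyms or System.map format: "<addr> <type> <name>").
# A plain 'T udp4_register_esp_rcvencap' line is NOT enough: modules can
# only bind to symbols exported with EXPORT_SYMBOL, which add a separate
# '__ksymtab_<name>' entry. Missing entries mean "Unknown symbol" on modprobe.
natt_symbols_exported() {
    n=0
    for sym in udp4_register_esp_rcvencap udp4_unregister_esp_rcvencap; do
        if grep -qE "[[:space:]]__ksymtab_${sym}$" "$1"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Return 0 if $1/kernel/net/ipsec/ipsec.ko exists, $1 being a
# /lib/modules/<version> directory.
klips_module_present() {
    [ -f "$1/kernel/net/ipsec/ipsec.ko" ]
}

# Overall verdict: one line per check; returns 0 only if all three pass.
# Usage: natt_check <.config> <kallsyms-or-System.map> </lib/modules/version>
natt_check() {
    rc=0
    if natt_config_enabled "$1"; then
        echo "ok   CONFIG_IPSEC_NAT_TRAVERSAL=y in $1"
    else
        echo "FAIL CONFIG_IPSEC_NAT_TRAVERSAL not set in $1 (nat-t patch not applied to this tree)"
        rc=1
    fi
    if klips_module_present "$3"; then
        echo "ok   $3/kernel/net/ipsec/ipsec.ko present"
    else
        echo "FAIL no ipsec.ko under $3 (KLIPS not built; ipsec_setup will load the NETKEY modules instead)"
        rc=1
    fi
    exported=$(natt_symbols_exported "$2")
    if [ "$exported" -eq 2 ]; then
        echo "ok   both udp4_*_esp_rcvencap hooks exported by this kernel"
    else
        echo "FAIL only $exported/2 NAT-T hooks exported in $2 (expect 'Unknown symbol' from modprobe ipsec)"
        rc=1
    fi
    return $rc
}

# When run directly on a Linux box, check the running kernel. The paths are
# an assumption about a Debian-style layout; adjust if your build tree differs.
if [ -r /proc/kallsyms ] && [ -r "/lib/modules/$(uname -r)/build/.config" ]; then
    natt_check "/lib/modules/$(uname -r)/build/.config" /proc/kallsyms \
        "/lib/modules/$(uname -r)" || true
fi
```

Run it once against the tree you built the module from and once against the kernel that is actually booted (compare `uname -r` with the directory the .config came from); a mismatch between the two is the classic way to end up with a .config that says CONFIG_IPSEC_NAT_TRAVERSAL=y while the running kernel exports nothing.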

