[Openswan Users] ipsec manual problem with 2.4 kernel

Paul Wouters paul at xelerance.com
Wed Oct 11 01:58:00 EDT 2006


On Wed, 11 Oct 2006, Adrian Wee Chin Mun wrote:

>             I am somewhat new to this so pardon the rather newbie questions.
> First of all I am running 2 different Linux boxes, one with 2.4 kernel and
> another with 2.6 kernel. I used rpm for the 2.6 (since it was available) and
> compiled for the 2.4 (no rpm since it is an old FC1). I am just using PC
> host-to-host for testing now.

Okay.

> First of all I am would like to implement
> openswan on an embedded system and I will not need IKE so I am only using
> manual keying.

I don't think you want to implement "just manual keying without IKE".....

openswan runs fine with the IKE daemon on embedded platforms. Everyone is
doing it. buy a linksys router, flash openwrt, and 'ipkg update' and 'ipkg
install openswan' and you have a full IKE daemon on your embedded system.

Manual mode is not secure. Will you replace the keys you manually load into
the kernel every few hours?

> I can get ipsec manual to work with the 2.6 kernel.

> conn formanual
>         left=192.168.1.200
>         right=192.168.1.10
>         spi=0x200
>         esp=3des-md5-96
>         espenckey=0x01234567_89abcdef_02468ace_13579bdf_12345678_9abcdef0
>         espauthkey=0x12345678_9abcdef0_2468ace0_13579bdf

It should work. But it might very well be that manual mode is broken. I'll
issue a complete testrun once we are at 2.4.7dr2, but manual mode bugs are
*really* a low priority for us, as we believe there is no valid use for
manual mode (and on top of that, it is harder to setup then using IKE)

> However this doesn't seem to work with the one running on the 2.4 kernel
>
> ipsec manual -up formanual
>
> gives 'ipsec manual: fatal error in "formanual" no IPsec-enabled interfaces
> found

What does "ipsec --version" say? Do you have an IPsec stack? You should
either see KLIPS or NETKEY. For 2.4 you should probably use KLIPS, as the
backports of the 2.6 NETKEY code tends to be very old and broken.

> So obviously the ipsec manual appears ok with the 2.6 kernel and will not
> start for the 2.4 kernel. I have tried restarting the network and ipsec
> services to no avail. Any help or comments would be appreciated.

I believe this is just because you have no IPsec stack loaded, you just
have the userland tools installed.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155


More information about the Users mailing list