[Openswan Users] openswan 2.4.10 and kernel 2.6.22; missing klips patch - also change in status of the KLIPS patch in
John Lumby
johnlumby at hotmail.com
Fri Dec 7 11:31:53 EST 2007
Paul wrote:
>
> > In my case, I found that after applying the patch, but before recompiling my kernel, I had to patch the patch as follows.
> > Based on comments I read in the source prologues, I think that the various blocks of
> > #ifdef CONFIG_KLIPS_ALG
> > ,,,
> > #endif
> > in several C files in /net/ipsec
> > should all be unconditionalised, i.e. remove those macro lines, but I found it easier simply to turn the macro on always.
>
> That setting was changed in Makefile.inc:
>
> ~> grep CONFIG_KLIPS_ALG Makefile.inc
> KLIPSCOMPILE=-O3 -DCONFIG_KLIPS_ALG
>
> Are you overriding the KLIPSCOMPILE setting? Or did you copy in an older Makefile.inc?
No, I did not, but I did notice something strange, which explains how CONFIG_KLIPS_ALG=y was lost.
After patching the kernel, I then ran make xconfig. I had saved the .config from after patch and before make xconfig
and just now compared that with the post-make-xconfig .config - and there are numerous diffs: e.g. a sample:
(and note - CONFIG_KLIPS_ALG=y is present as shown below)
pre-make-xconfig has (for KLIPS section)
#
# RCSID $Id: defconfig,v 1.28.2.1 2006-10-11 18:14:33 paul Exp $
#
#
# FreeS/WAN IPSec implementation, KLIPS kernel config defaults
#
#
# First, lets override stuff already set or not in the kernel config.
#
# We can't even think about leaving this off...
CONFIG_INET=y
#
# This must be on for subnet protection.
CONFIG_IP_FORWARD=y
# Shut off IPSEC masquerading if it has been enabled, since it will
# break the compile. IPPROTO_ESP and IPPROTO_AH were included in
# net/ipv4/ip_masq.c when they should have gone into include/linux/in.h.
CONFIG_IP_MASQUERADE_IPSEC=n
#
# Next, lets set the recommended FreeS/WAN configuration.
#
# To config as static (preferred), 'y'. To config as module, 'm'.
CONFIG_KLIPS=m
# To do tunnel mode IPSec, this must be enabled.
CONFIG_KLIPS_IPIP=y
# To enable authentication, say 'y'. (Highly recommended)
CONFIG_KLIPS_AH=y
# Authentication algorithm(s):
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
# To enable encryption, say 'y'. (Highly recommended)
CONFIG_KLIPS_ESP=y
# modular algo extensions (and new ALGOs)
CONFIG_KLIPS_ALG=y
[ ... more stuff ...]
[... then some comment lines concerning openswan revisions ...]
but, in the post-make-config, all that was replaced with just this :
CONFIG_KLIPS=y
#
# KLIPS options
#
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
# CONFIG_KLIPS_ENC_CRYPTOAPI is not set
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
# CONFIG_KLIPS_ENC_NULL is not set
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
(and note - CONFIG_KLIPS_ALG=y is now gone! along with others)
In my make xconfig session, all I did was change the CONFIG_KLIPS from m to y - nothing else.
It seems to me that whatever additions openswan patch makes to the kernel .config should (well, MUST) somehow survive a make ???config of the .config,
provided the user does not actually turn the KLIPS option off. This seems like a bug to me, but whether in openswan patch method or in
kernel make ???config I don't know. Or did I do something wrong?
Anyway, with the post-make-xconfig .config, this KLIPS failed, on both kernel 2.6.22.6 and 2.6.23.1
. It hung during connect on 2.6.22.6.
. It actually created a connection on 2.6.23.1, but soon after I tried to log in through the tunnel in an xterm, that hung.
At some point in the future, I will try rebuilding the kernel with the post-patch .config (I will manually edit the .config to change KLIPS from m to y
as I've found in past kernels that it is essential for it to work with my vpn application) and see if it then works.
Meanwhile, I have two other questions:
. CONFIG_KLIPS_AH
in post-patch, it says "Highly recommended"
in post-make-xconfig, says don't turn this on.
Any comment on that?
. CONFIG_KLIPS_DEBUG
where would I see the debug output? I don't see any, but where should I look?
Note I do set in /etc/syslog.conf
*.debug /var/log/debugmsgs
Cheers, John
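
The comparison described in the message above (the .config saved after patching against the one written by make xconfig) can be scripted. The following is an added example, not part of the original message or of Openswan; the function name lost_symbols and the default CONFIG_KLIPS prefix are choices made here, and the sample data is a subset of the option lines quoted in the message.

```shell
# Added example (not from the original message or the Openswan tree).
# lost_symbols BEFORE AFTER [PREFIX]   (name and default prefix are assumptions)
# Lists symbols that were =y or =m in BEFORE but are absent from,
# or marked "is not set" in, AFTER.
lost_symbols() {
    awk -v prefix="${3:-CONFIG_KLIPS}" '
    {
        key = ""; val = ""
        if ($0 ~ /^CONFIG_[A-Za-z0-9_]+=/) {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
        } else if ($0 ~ /^# CONFIG_[A-Za-z0-9_]+ is not set/) {
            key = $2; val = "n"
        }
        if (key == "" || index(key, prefix) != 1) next
        if (FILENAME == ARGV[1]) {
            if (!(key in before)) order[++n] = key   # keep BEFORE order
            before[key] = val
        } else after[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            if (before[k] != "y" && before[k] != "m") continue
            if (!(k in after)) print k, "was=" before[k], "now=absent"
            else if (after[k] == "n") print k, "was=" before[k], "now=disabled"
        }
    }' "$1" "$2"
}
# Sample data: a subset of the option lines from the two listings in the message.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/pre" <<'EOF'
CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
EOF
    cat > "$tmp/post" <<'EOF'
CONFIG_KLIPS=y
CONFIG_KLIPS_ESP=y
# CONFIG_KLIPS_ENC_NULL is not set
CONFIG_KLIPS_DEBUG=y
EOF
    lost_symbols "$tmp/pre" "$tmp/post"
    rm -rf "$tmp"
}
demo
```

On real files, pass the saved post-patch .config as the first argument and the current .config as the second.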