[Openswan Users] Do I need to patch the kernel to build OCF with Openswan?

David McCullough David_Mccullough at securecomputing.com
Thu Jul 19 19:47:42 EDT 2007 

Jivin Ankit Parikh lays it down ...
> I tried the attached patch:
> 
> Here,s the output I got
...
> =========================================================
> 
> KLIPS26 module built successfully.
> ipsec.ko is in /root/openswan/openswan-3.0.06/modobj26
> 
> -rw-r--r-- 1 root root 3800436 Jul 19 09:32 ipsec.ko
>   text    data     bss     dec     hex filename
> 270171   19752    5412  295335   481a7 ipsec.ko
> 
> use make minstall as root to install it
> 
> =========================================================

Looks good.

> make[1]: Leaving directory `/root/openswan/openswan-3.0.06'
> which: no git in
> (/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/X11R6/bin:/root/bin)
> make[1]: Entering directory `/root/openswan/openswan-3.0.06'
> ( OSMODLIB=`make -C /lib/modules/2.6.18.8/build -p help | ( sed -n -e
> '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null ) | sed -e 's/^MODLIB[
> :=]*\([^;]*\).*/\1/'` ; \
>        if [ -z "$OSMODLIB" ] ; then \
>                OSMODLIB=`make -C /lib/modules/2.6.18.8/build -n -p
> modules_install | ( sed -n -e '/^MODLIB/p' -e '/^MODLIB/q' ; cat > /dev/null
> ) | sed -e 's/^MODLIB[ :=]*\([^;]*\).*/\1/'` ; \
>        fi ; \
>        if [ -z "$OSMODLIB" ] ; then \
>                echo "No known place to install module. Aborting." ; \
>                exit 93 ; \
>        fi ; \
>        set -x ; \
>        mkdir -p $OSMODLIB/kernel/net/ipsec ; \
>        cp /root/openswan/openswan-3.0.06/modobj26/ipsec.ko
> $OSMODLIB/kernel/net/ipsec ; \
>        if [ -f /sbin/depmod ] ; then depmod -a ; fi; \
>        if [ -n "net/ipsec" ] ; then \
>        mkdir -p $OSMODLIB/kernel/net/ipsec ; \
>                if [ -f $OSMODLIB/kernel/ipsec.ko -a -f
> $OSMODLIB/kernel/net/ipsec/ipsec.ko ] ; then \
>                        echo "WARNING: two ipsec.ko modules found in
> $OSMODLIB/kernel:" ; \
>                        ls -l $OSMODLIB/kernel/ipsec.ko
> $OSMODLIB/kernel/net/ipsec/ipsec.ko ; \
>                        exit 1; \
>                fi ; \
>        fi ; \
>        set -x ) ;
> + mkdir -p /lib/modules/2.6.18.8/kernel/net/ipsec
> + cp /root/openswan/openswan-3.0.06/modobj26/ipsec.ko
> /lib/modules/2.6.18.8/kernel/net/ipsec
> + '[' -f /sbin/depmod ']'
> + depmod -a
> + '[' -n net/ipsec ']'
> + mkdir -p /lib/modules/2.6.18.8/kernel/net/ipsec
> + '[' -f /lib/modules/2.6.18.8/kernel/ipsec.ko -a -f
> /lib/modules/2.6.18.8/kernel/net/ipsec/ipsec.ko ']'
> + set -x
> make[1]: Leaving directory `/root/openswan/openswan-3.0.06'
> 
> But when i did service ipsec start   , I got the following: Also, it takes a
> around a min to get the output after trying to start the service !
> 
> root at localhost openswan-3.0.06]# service ipsec start
> ipsec_setup: Starting Openswan IPsec 3.0.06GITGITGIT...
> ipsec_setup: FATAL: Error inserting ipsec
> (/lib/modules/2.6.18.8/kernel/net/ipsec/ipsec.ko): Unknown symbol in module,
> or unknown parameter (see dmesg)
> ipsec_setup: calcgoo: warning: 2.6 kernel with kallsyms not supported yet
> ipsec_setup: insmod /lib/modules/2.6.18.8/kernel/drivers/crypto/padlock.ko
> ipsec_setup: FATAL: Error inserting padlock
> (/lib/modules/2.6.18.8/kernel/drivers/crypto/padlock.ko): No such device
> ipsec_setup: insmod /lib/modules/2.6.18.8/kernel/net/ipsec/ipsec.ko
> ipsec_setup: FATAL: Error inserting ipsec
> (/lib/modules/2.6.18.8/kernel/net/ipsec/ipsec.ko): Unknown symbol in module,
> or unknown parameter (see dmesg)
> ipsec_setup: kernel appears to lack IPsec support (neither CONFIG_KLIPS or
> CONFIG_NET_KEY are set)

Ok, so it looks to me like you have not loaded OCF.

If you had run "dmesg" you probably would have seen which modules were
missing and that would be a big help.

Alternatively you are not runnin gteh new kernel that you just build.
Remember you had to patch the kernel,  and unless you are running that
kernel the support for klips will not be there.

Cheers,
Davidm

> Isn't the KLIPS stack set by above make ?
> I have attached both the files for reference !
> 
> Regards,
> Ankit
> 
> 
> 
> On 7/18/07, David McCullough <David_Mccullough at securecomputing.com> wrote:
> >
> >
> >Jivin Ankit Parikh lays it down ...
> >> I recompiled the kernel(ver 2.6.18.8) and did make
> >> KERNELSRC=/lib/modules/'uname -r'/build module minstall
> >
> >Try the attached patch.
> >
> >Cheers,
> >Davidm
> >
> >--
> >David McCullough,  david_mccullough at securecomputing.com,   Ph:+61
> >734352815
> >Secure Computing - SnapGear  http://www.uCdot.org
> >http://www.cyberguard.com
> >
> >
> 
> 
> -- 
> Ankit Parikh
> MS, Computer Science
> University of Southern California
> Los Angeles
> California
> (M) 213.448.9394




-- 
David McCullough,  david_mccullough at securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org http://www.cyberguard.com

More information about the Users mailing list