[Openswan Users] Irritating warnings/error messages

Paul Wouters paul at xelerance.com
Fri Apr 18 11:53:16 EDT 2008


On Fri, 18 Apr 2008, Torsten Luettgert wrote:

> I'm using openswan for IPSEC connections on an embedded box we're
> building. The box runs linux 2.6.24.4 with netkey, but openswan seems to
> try KLIPS first. Every openswan version > 2.4.6 gives me the following
> output on /etc/init.d/ipsec start:
>
> ipsec_setup: Starting Openswan IPsec U2.4.12/K2.6.24.4-blackbox...
> ipsec_setup: WARNING: cannot adjust KLIPS flags, no /proc/sys/net/ipsec
> directory!
> ipsec_setup: /usr/libexec/ipsec/tncfg: Socket ioctl failed on attach --
> No such device.  Is the virtual device valid?  Is the ipsec module
> linked into the kernel or loaded as a module?
> ipsec_setup: SIOCSIFADDR: No such device
> ipsec_setup: ipsec0: unknown interface: No such device
> ipsec_setup: SIOCSIFBRDADDR: No such device
> ipsec_setup: ipsec0: unknown interface: No such device
> ipsec_setup: SIOCSIFNETMASK: No such device
>
> The funny thing is that after this, the tunnels come up. I don't see any
> of those messages on a Fedora desktop box and find them quite annoying;
> how do I make openswan recognize there's no KLIPS there?

Have af_key modprobe'ed into the kernel before starting openswan. On
Openswan 2.5.x, you can use protostack=netkey in config setup.

> On an unrelated note: it's not very uncommon to have a read-only root
> directory. So the "if [ ! -w / ]" check in the init script should
> probably be replaced by something like [ "$EUID" != "0" ],
> [ `id -u` != "0" ] or something...

Unfortunately, that's what we used to have, but it ran into problems
with busybox on openwrt:

http://lists.openswan.org/pipermail/cvs/2007-July/006082.html

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

