[Openswan Users] Irritating warnings/error messages
Torsten Luettgert
t.luettgert at pressestimmen.de
Fri Apr 18 17:41:17 EDT 2008
On Fri, 2008-04-18 at 16:32 -0400, Paul Wouters wrote:
> No, then it should detect netkey when it fails to detect klips. Did you
> enable all the NETKEY related options? Eg XFRM_* and ESP/AH/IPCOMP ?
Ok, this one intrigued me so I stepped through all those setup scripts
and found the bug in /usr/lib/ipsec/_startklips.
The problem is that $klips is not set to false if you have netkey but no
modules. See line 299ff:

if test -f $modules
then
    # we modprobe hw_random so ipsec verify can complain about not using it
    modprobe -q hw_random 2> /dev/null
    # padlock must load before aes module
    modprobe -q padlock 2> /dev/null
    # load the most common ciphers/algo's
    modprobe -q sha256 2> /dev/null
    modprobe -q sha1 2> /dev/null
    modprobe -q md5 2> /dev/null
    modprobe -q des 2> /dev/null
    modprobe -q aes 2> /dev/null
    if test -f $netkey
    then
        klips=false
        modprobe -q ah4 2> /dev/null

$klips is used a lot later, e.g. in klipsinterface() where ipsec tncfg
is called if $klips is true, causing the warnings.
I attached a trivial patch that fixes the problem.
Regards,
Torsten
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.patch
Type: text/x-patch
Size: 508 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080418/d3ea3c3e/attachment.bin
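
The control-flow problem described in the message, reduced to a constructed model (an added example, not part of the original message and not the attached ipsec.patch). The two path arguments stand in for $modules and $netkey, and the initial klips=true is an assumption; detect_fixed shows one way to make the decision independent of module support.

```shell
#!/bin/sh
# Added example: a constructed model of the detection flow, not Openswan code.
# $1 stands in for $modules, $2 for $netkey (the real paths are not in the message).
# Assumption: klips starts out as "true" before the excerpted block runs.

detect_buggy() {
    klips=true
    if test -f "$1"            # modular kernel?
    then
        if test -f "$2"        # NETKEY present?
        then
            klips=false        # only reachable when the modules file exists
        fi
    fi
    echo "$klips"
}

detect_fixed() {
    klips=true
    if test -f "$2"            # decide on the stack first
    then
        klips=false
    fi
    if test -f "$1"
    then
        :                      # the modprobe calls would go here
    fi
    echo "$klips"
}

# Walk the four kernel layouts using throwaway marker files.
demo() {
    d=$(mktemp -d) || return 1
    for mod in yes no; do
        for nk in yes no; do
            rm -f "$d/modules" "$d/netkey"
            [ "$mod" = yes ] && touch "$d/modules"
            [ "$nk" = yes ] && touch "$d/netkey"
            echo "modules=$mod netkey=$nk" \
                 "buggy=$(detect_buggy "$d/modules" "$d/netkey")" \
                 "fixed=$(detect_fixed "$d/modules" "$d/netkey")"
        done
    done
    rm -rf "$d"
}
demo
```

Only the modules=no, netkey=yes row differs between the two functions, which is the monolithic-kernel case from the message.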