[Openswan Users] Irritating warnings/error messages

Torsten Luettgert t.luettgert at pressestimmen.de
Fri Apr 18 17:41:17 EDT 2008

On Fri, 2008-04-18 at 16:32 -0400, Paul Wouters wrote:

> No, then it should detect netkey when it fails to detect klips. Did you
> enable all the NETKEY related options? Eg XFRM_* and ESP/AH/IPCOMP ?

Ok, this one intrigued me so I stepped through all those setup scripts
and found the bug in /usr/lib/ipsec/_startklips.

The problem is that $klips is not set to false if you have netkey but no
modules. See line 299ff:

if test -f $modules
   # we modprobe hw_random so ipsec verify can complain about not using
   modprobe -q hw_random 2> /dev/null
   # padlock must load before aes module
   modprobe -q padlock 2> /dev/null
   # load the most common ciphers/algo's
   modprobe -q sha256 2> /dev/null
   modprobe -q sha1 2> /dev/null
   modprobe -q md5 2> /dev/null
   modprobe -q des 2> /dev/null
   modprobe -q aes 2> /dev/null

   if test -f $netkey
      modprobe -q ah4 2> /dev/null

$klips is used a lot later, e.g. in klipsinterface() where ipsec tncfg
is called if $klips is true, causing the warnings.

I attached a trivial patch that fixes the problem.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec.patch
Type: text/x-patch
Size: 508 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080418/d3ea3c3e/attachment.bin 

More information about the Users mailing list