[Openswan Users] KLIPS on CentOS 5.1

David McCullough David_Mccullough at securecomputing.com
Tue Dec 2 07:06:32 EST 2008


Jivin Sergio Cioban Filho lays it down ...
> Hi David,
> 
> I don't know if I'm using KLIPS+ALG support. How do I check this?

The config options for your kernel will tell us:

	egrep 'KLIPS.*=y' linux-2.6.*/.config
	egrep 'CRYPTO.*=y' linux-2.6.*/.config

> In my testing my tunnel is also up fine, but I can't receive packets from the
> remote end. The TX error count increases on the local ipsec0 interface when I
> try to send packets to the remote end.

Yes the TX count will go up, but the packets are junked.
Are you running the same code at each end? If so, then you may not
see traffic in one direction but not the other.

Let's check your config first. If the following are not set:

	CONFIG_KLIPS_ALG=y
	CONFIG_KLIPS_ENC_CRYPTOAPI=y

then an 'ipsec barf' would be the next thing to get.

Cheers,
Davidm

> On Mon, Dec 1, 2008 at 9:01 PM, David McCullough <
> David_Mccullough at securecomputing.com> wrote:
> 
> >
> > Jivin Paul Wouters lays it down ...
> > > On Mon, 1 Dec 2008, Sergio Cioban Filho wrote:
> > >
> > > > Thanks for your answer.
> > > > I've tried to use version 2.6.19, but the same error has occurred.
> > > > SELinux has been disabled.
> > > > The output of ipsec barf is attached.
> > >
> > > I don't see anything wrong. Are you using ping -I ? since you did not
> > > add leftsourceip= and rightsourceip= ?
> >
> > I am looking at a problem in this area.
> >
> > Are you using KLIPS + ALG support ?
> >
> > In my testing the tunnel is up fine, can receive packets from the
> > remote end ok, but if you turn on debug at the remote end the packets being
> > by KLIPS+ALG are not healthy.
> >
> > Can you check packets coming the other way ?
> >
> > Cheers,
> > Davidm
> >
> > --
> > David McCullough,  david_mccullough at securecomputing.com,   Ph:+61
> > 734352815
> > Secure Computing - SnapGear  http://www.uCdot.org
> > http://www.snapgear.com
> >

-- 
David McCullough,  david_mccullough at securecomputing.com,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org   http://www.snapgear.com
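
The config check described in the reply above, as an added example that is not part of the original message: it goes beyond the egrep by also reporting options built as modules (=m), explicitly disabled, or absent. The function names and the sample .config fragment are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the state of the two kernel options named in the
# thread for a given kernel .config file.

# klips_opt_state CONFIG_FILE OPTION -> prints y, m, unset or missing
klips_opt_state() {
    cfg=$1 opt=$2
    if line=$(grep -E "^${opt}=" "$cfg"); then
        # Option is defined: print its value (last definition wins)
        printf '%s\n' "$line" | tail -n 1 | cut -d= -f2
    elif grep -Eq "^# ${opt} is not set" "$cfg"; then
        echo unset
    else
        echo missing
    fi
}

# klips_alg_ready CONFIG_FILE -> exit status 0 only when both options are =y
klips_alg_ready() {
    rc=0
    for opt in CONFIG_KLIPS_ALG CONFIG_KLIPS_ENC_CRYPTOAPI; do
        state=$(klips_opt_state "$1" "$opt")
        printf '%-28s %s\n' "$opt" "$state"
        [ "$state" = y ] || rc=1
    done
    return $rc
}

# Constructed sample .config fragment (not taken from the poster's system)
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_KLIPS=m
CONFIG_KLIPS_ALG=y
# CONFIG_KLIPS_ENC_CRYPTOAPI is not set
CONFIG_CRYPTO=y
EOF

if klips_alg_ready "$sample"; then
    echo "both options are set"
else
    echo "an option is not set: collect 'ipsec barf' output next"
fi
```

To check a real tree, call klips_alg_ready with the path to that kernel's .config instead of the sample file.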

