[Openswan Users] KLIPS and 802.1q on openswan-2.4.11 (and compiled on centos5)
nospam2craig at remex.com.au
Sun Feb 3 22:39:31 EST 2008
Hi Guys,
I recently upgraded from a 2.4 kernel to a 2.6 kernel in moving from FC1 to
CentOS 5 (yeah, I know, it has been a long time coming).
Anyway, I worked out how to get KLIPS compiled for CentOS 5 using the
instructions in the wiki.
I was having trouble with setting up KLIPS to use the VLAN interface I use
for the uplink. As the firewalling and configurations were basically
unchanged from the original working system, I was confused.
Symptoms:
1) TX error counter on interface ipsec0 was incrementing when looking at
ifconfig
2) packets were going out the VLAN interface (in this case eth1.101)
unencrypted
3) when they were forced into the ipsec0 interface correctly (manually
routing packets), as seen in tcpdump, they disappeared.
4) turning on KLIPS debugging caused a kernel oops.
Solution:
Looking around, I found the following patch on the dev site:
http://lists.openswan.org/pipermail/dev/2007-May/001580.html
which was not applied to the current distro openswan-2.4.11 (May 2007, so it
was probably OK for 2.4.7, I suppose). I did work out what needed to be
changed from the patch files attached to the above message; however, it
seems 2.4.11 has moved on a fair bit since then, so I had to wing it.
Attached is the patch that I carried out on ipsec_tunnel.c. If it is
correct, then can it be applied to the distro for all to enjoy? Was there
a reason that it wasn't?
(Please feel free to flame me if I should be putting this to the dev
group; I am happy to be corrected. However, some people not on the dev list
might be interested, as I was.)
I think I have changed the correct areas; however, I have made one more
change than was in the original post. In particular, I am not sure about
the following change:
<snip>
@@ -588,14 +589,14 @@
ixs->pass ? 0 :
ip_hdr(ixs->skb)->saddr,
RT_TOS(ip_hdr(ixs->skb)->tos),
/* mcr->rgb: should this be 0
instead? */
- ixs->physdev->iflink))) {
+ /*ixs->physdev->iflink))) {*/
+ ixs->physdev->ifindex))) {
#endif
<snip>
because it only occurs under certain circumstances and it was not
mentioned in the original post.
cheers
Craig
PS: email text version of patch below
--- ../openswan/openswan-2.4.11/linux/net/ipsec/ipsec_tunnel.c 2007-09-19
04:26:18.000000000 +1000
+++ linux/net/ipsec/ipsec_tunnel.c 2008-02-03 23:34:55.000000000
+1100
@@ -575,7 +575,8 @@
ixs->skb->dev = ixs->physdev;
#ifdef NETDEV_25
memset (&fl, 0x0, sizeof (struct flowi));
- fl.oif = ixs->physdev->iflink;
+ /*fl.oif = ixs->physdev->iflink;*/
+ fl.oif = ixs->physdev->ifindex;
fl.nl_u.ip4_u.daddr = ip_hdr(ixs->skb)->daddr;
fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ip_hdr(ixs->skb)->saddr;
fl.nl_u.ip4_u.tos = RT_TOS(ip_hdr(ixs->skb)->tos);
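Review bot: drop the commented-out `/*fl.oif = ixs->physdev->iflink;*/` line rather than keeping it beside the replacement; the diff already records what was there, and dead code in the NETDEV_25 branch only confuses the next reader. The substantive change is sound for the VLAN case and should be explained in the patch description: for an 802.1q device, iflink holds the ifindex of the underlying physical device (eth1 here) while ifindex is the VLAN device itself (eth1.101), so the old code asked ip_route_output for a route out of the parent device when the routes are via the VLAN device, which is why the lookup failed and tx_errors climbed; for a plain Ethernet physdev the two fields are equal and behaviour is unchanged.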
@@ -588,14 +589,14 @@
ixs->pass ? 0 :
ip_hdr(ixs->skb)->saddr,
RT_TOS(ip_hdr(ixs->skb)->tos),
/* mcr->rgb: should this be 0
instead? */
- ixs->physdev->iflink))) {
+ /*ixs->physdev->iflink))) {*/
+ ixs->physdev->ifindex))) {
#endif
ixs->stats->tx_errors++;
KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
"klips_debug:ipsec_xmit_send: "
- "ip_route_output failed with error code %d,
rt->u.dst.dev=%s, dropped\n",
- ixs->error,
- ixs->route->u.dst.dev->name);
+ "ip_route_output failed with error code %d,
dropped\n",
+ ixs->error);
return IPSEC_XMIT_ROUTEERR;
}
if(ixs->dev == ixs->route->u.dst.dev) {
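Review bot: the KLIPS_PRINT change at the end of this hunk is a separate bug fix and deserves its own sentence in the patch description. That debug line runs only after ip_route_output has just failed, so ixs->route is not a valid route at that point and dereferencing ixs->route->u.dst.dev->name in the message is the obvious cause of the oops seen when KLIPS debugging was turned on (symptom 4 in the post); dropping the `rt->u.dst.dev=%s` argument is the right fix. On the iflink to ifindex change in the ip_route_output() call: judging by the `#endif` that follows it, this call sits on the other side of the `#ifdef NETDEV_25` opened in the first hunk, so it is not the path exercised by the CentOS 5 kernel this was tested on, but keeping both branches consistent is reasonable. As in the first hunk, remove the commented-out `/*ixs->physdev->iflink))) {*/` line, and either resolve or delete the stale `mcr->rgb: should this be 0 instead?` comment above it now that the argument has been changed.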
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_tunnel.c.patch
Type: application/octet-stream
Size: 1322 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080204/6efe012f/attachment.obj
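A quick way to see, on the affected box, which device the unpatched code would have handed to the route lookup: the iflink and ifindex values the patch swaps are exposed by the kernel under /sys/class/net/<dev>/. The script below is an added example, not code from the post or from openswan; the device names eth1 and eth1.101 follow the post, but the index numbers and the sysfs tree it builds are constructed so that it runs offline. Pointing it at /sys/class/net on a live system is the intended use.

```shell
#!/bin/sh
# Added example, not from the post or from openswan: for one network device,
# report the ifindex and iflink values that the route lookup in
# ipsec_xmit_send() would see after (ifindex) and before (iflink) the patch.
# For an 802.1q VLAN device iflink is the ifindex of the underlying physical
# device, so the two differ; for a plain Ethernet device they are equal.
# The first argument is the sysfs directory to read; use /sys/class/net on a
# live system, or a constructed tree as in the demo below.

# Map an ifindex back to a device name by scanning the sysfs tree.
# Prints "unknown" and returns 1 if no device carries that index.
name_for_ifindex() {
    root="$1"
    idx="$2"
    for d in "$root"/*; do
        [ -r "$d/ifindex" ] || continue
        if [ "$(cat "$d/ifindex")" = "$idx" ]; then
            basename "$d"
            return 0
        fi
    done
    echo unknown
    return 1
}

# Print one line: device, both indices, the device the old oif (iflink)
# resolves to, the device the new oif (ifindex) is, and whether the device
# is stacked on another one (iflink != ifindex, as for 802.1q).
klips_oif_check() {
    root="$1"
    dev="$2"
    if [ ! -r "$root/$dev/ifindex" ]; then
        echo "$dev: not found under $root" >&2
        return 2
    fi
    ifindex=$(cat "$root/$dev/ifindex")
    # Kernels without an iflink attribute behave as if iflink == ifindex.
    iflink=$(cat "$root/$dev/iflink" 2>/dev/null || echo "$ifindex")
    oif_before=$(name_for_ifindex "$root" "$iflink") || true
    if [ "$ifindex" != "$iflink" ]; then stacked=yes; else stacked=no; fi
    echo "$dev ifindex=$ifindex iflink=$iflink oif_before=$oif_before oif_after=$dev stacked=$stacked"
}

# Constructed sysfs tree (not a real system): eth1 is the physical uplink and
# eth1.101 is an 802.1q device on top of it, as in the post. The index
# numbers are made up.
make_fake_sysfs() {
    root="$1"
    mkdir -p "$root/eth1" "$root/eth1.101"
    echo 3 > "$root/eth1/ifindex";     echo 3 > "$root/eth1/iflink"
    echo 5 > "$root/eth1.101/ifindex"; echo 3 > "$root/eth1.101/iflink"
}

# Stand-alone demo against the constructed tree.
demo() {
    tmp=$(mktemp -d)
    make_fake_sysfs "$tmp"
    klips_oif_check "$tmp" eth1
    klips_oif_check "$tmp" eth1.101
    rm -rf "$tmp"
}
demo
```

On a real host, `klips_oif_check /sys/class/net eth1.101` reporting `stacked=yes` with `oif_before` naming the physical NIC is exactly the situation the patch addresses: the pre-patch lookup was constrained to a device that has no route for the traffic.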