[Openswan Users] KLIPS and 802.1q on openswan-2.4.11 (and compiled on centos5)

nospam2craig at remex.com.au nospam2craig at remex.com.au
Sun Feb 3 22:39:31 EST 2008

Hi Guys,

I recently upgraded from 2.4 kernel to a 2.6 kernel in moving from FC1 to 
Centos 5 (yeah, I know, it has been a long time coming)

anyway, I worked out how to get KLIPS compiled for Centos 5 using the 
instructions in the wiki.

I was having trouble with setting up KLIPS to use the VLAN interface I use 
for the uplink. As the firewalling and configurations were basically 
unchanged from the original working system, I was confused. 


1) TX error counter on interface ipsec0 was incrementing when looking at 
2) packets were going out the VLAN interface (in this case eth1.101) 
3) when they were forced in to the ipsec0 interface correctly as seen in 
tcpdump they disappeared. (manually routing packets)
4) turning on KLIPS debugging caused a kernel oops.


looking around I found the following patch on the dev site:

which was not applied to the current distro openswan-2.4.11 (may 2007, so 
was probably OK for 2.4.7 I suppose). I did work out what needed to be 
changed from the patch files attached to the above message, however it 
seems 2.4.11 has moved on a fair bit since then so I had to wing it.

Attached is the patch that I carried out on ipsec_tunnel.c. If it is 
correct, then can it be applied to the distro for all to enjoy? Was there 
a reason that it wasn't???

(Please feel free to flame me if I should be putting this to the dev 
group, I am happy to be corrected, however some people not on the dev list 
might be interested as I was)

I think I have changed the correct areas, however I have made one more 
change than was on the original post. In particular, I am not sure about 
the following change:

@@ -588,14 +589,14 @@
                                    ixs->pass ? 0 : 
                                     /* mcr->rgb: should this be 0 
instead? */
-                                   ixs->physdev->iflink))) {
+                                   /*ixs->physdev->iflink))) {*/
+                                   ixs->physdev->ifindex))) {

because it only occurs under certain circumstances and it was not 
mentioned in the original post.



PS: email text version of patch below

--- ../openswan/openswan-2.4.11/linux/net/ipsec/ipsec_tunnel.c  2007-09-19 
04:26:18.000000000 +1000
+++ linux/net/ipsec/ipsec_tunnel.c      2008-02-03 23:34:55.000000000 
@@ -575,7 +575,8 @@
        ixs->skb->dev = ixs->physdev;
 #ifdef NETDEV_25
        memset (&fl, 0x0, sizeof (struct flowi));
-       fl.oif = ixs->physdev->iflink;
+       /*fl.oif = ixs->physdev->iflink;*/
+       fl.oif = ixs->physdev->ifindex;
        fl.nl_u.ip4_u.daddr = ip_hdr(ixs->skb)->daddr;
        fl.nl_u.ip4_u.saddr = ixs->pass ? 0 : ip_hdr(ixs->skb)->saddr;
        fl.nl_u.ip4_u.tos = RT_TOS(ip_hdr(ixs->skb)->tos);
@@ -588,14 +589,14 @@
                                    ixs->pass ? 0 : 
                                     /* mcr->rgb: should this be 0 
instead? */
-                                   ixs->physdev->iflink))) {
+                                   /*ixs->physdev->iflink))) {*/
+                                   ixs->physdev->ifindex))) {
                KLIPS_PRINT(debug_tunnel & DB_TN_XMIT,
                            "klips_debug:ipsec_xmit_send: "
-                           "ip_route_output failed with error code %d, 
rt->u.dst.dev=%s, dropped\n",
-                           ixs->error,
-                           ixs->route->u.dst.dev->name);
+                            "ip_route_output failed with error code %d, 
+                            ixs->error);
                return IPSEC_XMIT_ROUTEERR;
        if(ixs->dev == ixs->route->u.dst.dev) {

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20080204/6efe012f/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ipsec_tunnel.c.patch
Type: application/octet-stream
Size: 1322 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20080204/6efe012f/attachment.obj 

More information about the Users mailing list