[Openswan Users] SLES10 SP1 and openswan 2.4.11

Nicole Hähnel nicole.haehnel at gmx.net
Sun Feb 17 13:14:59 EST 2008 

Paul Wouters schrieb:
> On Fri, 15 Feb 2008, Nicole Hähnel wrote:
>
>   
>> We first tried with klips:
>> - module compiled with a little modification in ipsec_kversion.h
>>
>> #ifdef SLE_VERSION_CODE
>> #define HAVE_NEW_SKB_LINEARIZE
>> #endif
>>     
>
> Can you give me a more precise match for SLE_VERSION_CODE ? If so, I can
> add it to ipsec_kversion.h
>
>   

It's the same SLE_VERSION_CODE like in my post from 09.11.2007 11:32.
#define SLE_VERSION_CODE 655616

>> But after 5 or 10 minutes server hangs, I can't see any errors!
>>     
>
> You can try adding klipsdebug=all, but it might overload your system too.
>
>   
>> Now we're running netkey.
>> But it's not the best.
>> - I can't use "ipsec look" for checking if all tunnels are up.
>>     
>
> ip xfrm state and/or ip xfrm policy
>
>   
With 'ip xfrm state', I see:

src xxx.xxx.xxx.xxx dst xxx.xxx.xxx.xxx
        proto esp spi 0xf643e28a reqid 16393 mode transport
        replay-window 32 flag 4
        auth sha1 0x9a8ede47dc2afccd44b68808d7bfccf2fb6697c2
        enc aes 0x422d0faff53b3ecb8dc58d2fca94fe9e
src xxx.xxx.xxx.xxx dst xxx.xxx.xxx.xxx
        proto comp spi 0x00003a29 reqid 16394 mode tunnel
        replay-window 0 flag 4
        comp deflate 0x 

If I grep for 'mode tunnel', I get 26 lines, but only 12 tunnels are 
configured.
With 'ipsec status' are 13 tunnels up.
I don't understand why.

>> - firewall rules not working like before with klips
>>     
>
> Yes, those need to be redone, since it all comes in on the same interface now.
>
>   
>> - after rebooting the server no tunnels come up, I have to do this manually
>>     
>
> Do what manually?
>
>   

I have to do 'ipsec auto --delete conn', 'ipsec auto --add conn' and 
'ipsec auto --up conn' on the other sides of the gateway.

>> The best solution is klips I think, but all servers I tried with are dead after a few minutes.
>> (We need SLES10 SP1 for running Novell Open Enterprise 2)
>>     
>
> Not having any logs whatsoever makes this impossible to debug though :(
>
> Paul

Yes, it would be nice to have some logfiles for debugging, but all 
SLES10 SP1 servers I tried with just freeze.


Are there still any problems with smp kernels?
Or any problems with fragicmp=yes and compress=yes known?


Thanks!
Nicole

More information about the Users mailing list