[Openswan Users] Openswan 2.6.18 on a Linux 2.6 kernel

Michael H. Warfield mhw at WittsEnd.com
Fri Oct 10 12:44:51 EDT 2008

On Wed, 2008-10-08 at 08:01 -0700, Chris The One and Only wrote:
> Hi,

> I tried configuring a ipsec tunnel, specifying the output interface
> like the examples I found on the internet:
>         interfaces="ipsec0=eth0:1"

> but it seems that something is wrong.
> When running "ipsec setup start" it states the the interface is not
> understood:
> ipsec_setup: Starting Openswan IPsec U2.6.18/K2.6.25.3 ...
> ipsec_setup: interface `ipsec0=eth0:1' not understood

> I tried with eth0 only (without the subinterface :10), even with eth1,
> but still the same result.
> Of course I could start it using:
>         interfaces=%defaultroute
> but I don't want to do it that way, as I need to use another interface
> as tunnel start.
> Does anybody know what is wrong?

	You don't say what distribution you are using but I can take a wild
guess from the "" kernel you are probably on Fedora 8 or Fedora
9 or something very similar and have not recently updated.  A fresh
install of Fedora 9 will give you that.

	Just a warning for everyone else on Fedora 8 and Fedora 9, there is a
serious bug in the kernel (current released update for both)
which will cause the entire system to hang at random if you use IPsec!
It seems to be fixed in (there were two IPSec related fixes in and, presumably, 2.6.27.

	As to your problem...  You are probably using the native netkey stack
instead of the klips stack in the kernel (this would be the default for
Fedora).  You don't get the ipsec* interfaces under netkey.  If you need
them for some overpowering reason, you'll have to switch to using the
klips stack in the kernel.

	I can sympathize with you.  Without the ipsec interfaces, I can't get
proxy arp to work for my tunnels and OSPF dynamic routing is iffy at
best and advertises the wrong routes (but BGP is fine, which is really
strange) because the kernel doesn't recognize those routes as distinct
forwarding.  I've just figured out other ways around the problem (use
BGP to advertise routes to my other OSPF routers in the zone and let
them carry the routes into OSPF).  I'm not inclined to go back to the
klips stack, even with the limitations of the netkey stack.

> Thank you.

> Chris

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20081010/1f1cbffe/attachment.bin 

More information about the Users mailing list