[Openswan Users] Openswan 2.6.18 on a Linux 2.6 kernel

Chris The One and Only chrisgchrisg at yahoo.com
Fri Oct 10 14:28:07 EDT 2008

Hi Mike,
I already did some digging and found out that I cannot use ipsec interfaces with netkey.
Fortunately, I was able to get things going and the tunnel works fine even without klips. For the moment I think this is enough, but I will try klips too as soon as I have the chance.
Thank you for your explanation and for the tip regarding the ipsec bug affecting kernels.
Best regards to all of you!


----- Original Message ----
From: Michael H. Warfield <mhw at WittsEnd.com>
To: Chris The One and Only <chrisgchrisg at yahoo.com>
Cc: mhw at WittsEnd.com; users at lists.openswan.org
Sent: Friday, October 10, 2008 7:44:51 PM
Subject: Re: [Openswan Users] Openswan 2.6.18 on a Linux 2.6 kernel

On Wed, 2008-10-08 at 08:01 -0700, Chris The One and Only wrote:
> Hi,

> I tried configuring an ipsec tunnel, specifying the output interface
> like the examples I found on the internet:

>        interfaces="ipsec0=eth0:1"

> but it seems that something is wrong.
> When running "ipsec setup start" it states that the interface is not
> understood:

> ipsec_setup: Starting Openswan IPsec U2.6.18/K2.6.25.3 ...
> ipsec_setup: interface `ipsec0=eth0:1' not understood

> I tried with eth0 only (without the subinterface :10), even with eth1,
> but still the same result.
> Of course I could start it using:
>        interfaces=%defaultroute
> but I don't want to do it that way, as I need to use another interface
> as tunnel start.

> Does anybody know what is wrong?

    You don't say what distribution you are using but I can take a wild
guess from the "" kernel you are probably on Fedora 8 or Fedora
9 or something very similar and have not recently updated.  A fresh
install of Fedora 9 will give you that.

    Just a warning for everyone else on Fedora 8 and Fedora 9, there is a
serious bug in the kernel (current released update for both)
which will cause the entire system to hang at random if you use IPsec!
It seems to be fixed in (there were two IPSec related fixes in and, presumably, 2.6.27.

    As to your problem...  You are probably using the native netkey stack
instead of the klips stack in the kernel (this would be the default for
Fedora).  You don't get the ipsec* interfaces under netkey.  If you need
them for some overpowering reason, you'll have to switch to using the
klips stack in the kernel.

    I can sympathize with you.  Without the ipsec interfaces, I can't get
proxy arp to work for my tunnels and OSPF dynamic routing is iffy at
best and advertises the wrong routes (but BGP is fine, which is really
strange) because the kernel doesn't recognize those routes as distinct
forwarding.  I've just figured out other ways around the problem (use
BGP to advertise routes to my other OSPF routers in the zone and let
them carry the routes into OSPF).  I'm not inclined to go back to the
klips stack, even with the limitations of the netkey stack.

> Thank you.

> Chris

Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
  NIC whois: MHW9          | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
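
Added example, not part of the original thread and not Openswan code: a small shell check for the point made in the reply above, that an `interfaces="ipsec0=..."` mapping cannot work under the netkey stack because it provides no ipsec* interfaces. The function names and the sample config are constructed for illustration, and the stack name is passed in by the operator rather than detected.

```shell
#!/bin/sh
# Added example (not Openswan code): lint interfaces= against the kernel stack.

# Constructed sample config, using the interfaces= line quoted in the thread.
sample_conf() {
    cat <<'EOF'
config setup
        interfaces="ipsec0=eth0:1"   # the mapping the post tried
EOF
}

# Print the value of the first interfaces= line read from stdin,
# with trailing comments, trailing blanks and surrounding quotes removed.
get_interfaces() {
    sed -n -e 's/#.*$//' \
           -e 's/^[[:space:]]*interfaces[[:space:]]*=[[:space:]]*//p' |
        head -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# lint_interfaces STACK < ipsec.conf     (STACK: netkey or klips)
# Returns 0 when nothing conflicts, 1 when an ipsecN=dev mapping is requested
# under netkey, 2 when the config has no interfaces= line.
lint_interfaces() {
    stack=$1
    value=$(get_interfaces)
    [ -n "$value" ] || { echo "no interfaces= line found"; return 2; }
    for item in $value; do
        case $item in
            ipsec[0-9]*=*)
                if [ "$stack" = netkey ]; then
                    echo "'$item': netkey provides no ipsec* interfaces"
                    return 1
                fi ;;
        esac
    done
    echo "interfaces=\"$value\": no conflict with $stack"
    return 0
}

sample_conf | lint_interfaces netkey || true
sample_conf | lint_interfaces klips
```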
