[Openswan Users] RES: RES: openswan crashing kernel (long)

Paul Wouters paul at xelerance.com
Wed Jul 8 09:35:23 EDT 2009


On Wed, 8 Jul 2009, Giovani Moda wrote:

>> All klips/userland support is in 2.6.x. You will need to look at the
>> ng-patch/ directory for an (older) kernel patch, and port it to the
>> newer kernels. The iproute2 patches should no longer be needed, but
>> verify the updown script uses the newer style iproute fwmask.
>
> I'm not sure I understood that. I guess I didn't make myself clear, the
> question was for using multiple clients behind the same router with
> openswan-2.6.22. I know it doesn't work yet due to #1004, but I would
> like to be prepared for when it's fixed.

The "multiple l2tp client behind the same NAT router" and the "using
the same internal IP's before NAT" issues are only solved when you use the
"IPsec SA reference tracking" feature. This feature is fully released
now. KLIPS ref tracking is in KLIPS, the userland supports ref tracking
via the overlapip= option, and the xl2tpd has the "ipsec saref" option. It
requires a separate patch to the kernel code to deal with tracking packets
to see where a packet for 192.168.1.2 needs to go, tunnel A or tunnel B.

We have not been updating this kernel patch with the latest kernels. You
can find the patch in the openswan-2.6.22/ng-patch or you can try to
make the patch using "make ngpatch". This works similarly to the (now no
longer needed) nat-t patch. We have done some work in the past on suse
kernel integration, and I will publish those kernel sources too.

> Sorry for being a pain, but I'm hitting a wall here. I really think I
> need to update openswan because of those vulnerabilities,

Note that we provided separate patches for those vulnerabilities for both
openswan-2.4.x and openswan-2.6.x on our website.

> seem to find a way to make it play with my systems. If updating the
> fedora release is the way, I'll go ahead and do it, but I need to make
> sure that this will in fact resolve the problem, because there will be a
> lot of effort involved if doing so.

The L2TP solution is not yet a turn-key system. It will require some work.

Paul
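The two userland knobs Paul names above, overlapip= in ipsec.conf and "ipsec saref" in xl2tpd.conf, shown together as an added example configuration. This is not a configuration from the message or from the Openswan project; the address 203.0.113.10, the conn name and the subnet list are assumed values, and it presumes a KLIPS kernel that already carries the SAref (ng-patch) kernel patch described in the message:

```ini
# --- /etc/ipsec.conf (Openswan 2.6.x, KLIPS) -- added example, assumed values ---
config setup
        # SAref tracking lives in KLIPS, so the NETKEY stack will not do
        protostack=klips
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn l2tp-psk-nat
        # 203.0.113.10 is an assumed public address for the L2TP/IPsec server
        left=203.0.113.10
        leftprotoport=17/1701
        # any client, including several sitting behind one NAT router
        right=%any
        rightprotoport=17/%any
        rightsubnet=vhost:%priv,%no
        authby=secret
        type=transport
        pfs=no
        # let two clients that both use 192.168.1.2 behind their NAT coexist;
        # pluto then relies on the kernel SAref to pick tunnel A or tunnel B
        overlapip=yes
        auto=add

# --- /etc/xl2tpd/xl2tpd.conf -- added example, assumed values ---
[global]
listen-addr = 203.0.113.10
; tag each L2TP packet with the IPsec SA it arrived over instead of trusting
; the (possibly duplicated) source IP:port; needs the SAref kernel patch
ipsec saref = yes
```

Neither option helps on its own: overlapip=yes only tells pluto to accept overlapping client addresses, and "ipsec saref" only makes xl2tpd ask the socket for the SA reference, so the KLIPS module must come from kernel sources built with the ng-patch applied. Before enabling both, run "ipsec verify" on the 2.6.x release in use and confirm it reports SAref kernel support rather than N/A; on an unpatched kernel the overlapping clients will still collide exactly as described in the thread.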

