[Openswan Users] RES: KLIPS and Ubuntu 8.04.3

David McCullough David_Mccullough at securecomputing.com
Wed Jul 22 18:53:16 EDT 2009


Jivin Giovani Moda lays it down ...
> > Edit linux/include/openswan/ipsec_kversion.h and undef 
> > HAVE_UDP_ENCAP_CONVERT
> 
> Yeah, done that already. I don't think the problem is that it's
> compiling using the new style NAT-T. The error occurs when using the old
> style code, after undef HAVE_UDP_ENCAP_CONVERT.
> 
> I was messing around just now and found a way to compile it against FC7
> with kernel-2.6.23. Here is the patch I used for KLIPS:
> 
> --- openswan-2.6.22/linux/net/ipsec/ipsec_init.c.orig   2009-07-22
> 06:54:24.000000000 -0300
> +++ openswan-2.6.22/linux/net/ipsec/ipsec_init.c        2009-07-22
> 06:54:44.000000000 -0300
> @@ -361,7 +361,7 @@
>          ipsec_sysctl_unregister();
>  #endif
>  #if defined(NET_26) && defined(CONFIG_IPSEC_NAT_TRAVERSAL)
> -       if(udp4_unregister_esp_rcvencap(klips26_rcv_encap,
> klips_old_encap) < 0) {
> +       if(udp4_unregister_esp_rcvencap(klips_old_encap) < 0) {
>                 printk(KERN_ERR "KLIPS: can not unregister
> klips_rcv_encap function\n");
>         }
>  #endif
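
Review bot: The `+` line hard-codes the one-argument form `udp4_unregister_esp_rcvencap(klips_old_encap)`, so ipsec_init.c will no longer build against a kernel whose NAT-T patch expects the two-argument form used by the removed line. Select between the two calls with a preprocessor conditional keyed on the NAT-T patch variant instead of replacing one with the other. Separately, the printk text names klips_rcv_encap, which is neither klips_old_encap nor klips26_rcv_encap; the message should name the handler that actually failed to unregister.
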
> 
> 
> And also the NF_INET_LOCAL_OUT stuff:
> 
> 
> --- openswan-2.6.22/linux/net/ipsec/ipsec_xmit.c.orig   2009-07-11
> 12:07:31.000000000 -0300
> +++ openswan-2.6.22/linux/net/ipsec/ipsec_xmit.c        2009-07-11
> 12:07:43.000000000 -0300
> @@ -2068,7 +2068,7 @@
>         {
>                 int err;
> 
> -               err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, ixs->skb,
> NULL,
> +               err = NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, ixs->skb, NULL,
>                               ixs->route->u.dst.dev,
>                               ipsec_xmit_send2);
>                 if(err != NET_XMIT_SUCCESS && err != NET_XMIT_CN) {
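
Review bot: The `+` line swaps NF_INET_LOCAL_OUT for NF_IP_LOCAL_OUT unconditionally in the NF_HOOK call, which lets this build on the 2.6.23 kernel mentioned above but breaks it on any kernel that only provides the NF_INET_ name. Keep NF_INET_LOCAL_OUT in ipsec_xmit.c and supply the fallback to NF_IP_LOCAL_OUT for older kernels in one place, for example linux/include/openswan/ipsec_kversion.h, keyed on the kernel version, so any other use of the hook constant gets the same treatment.
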
> 
> 
> Can someone tell me if this would break something?

No, you should be good.  You just have the older NAT-T patch.  Some of the
APIs were changed a little to allow proper driver unloading etc. IIRC.

I'd say at a glance everything you have above is safe.

Cheers,
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org

