[Openswan Users] KLIPS crashes on kernel 2.6.25
David McCullough
David_Mccullough at securecomputing.com
Thu Oct 29 19:05:07 EDT 2009
Jivin Giovani Moda lays it down ...
> > Were you using the klips ALG stuff or the openswan native crypto ?
> > In other words what is your KLIPS config for the kernel:
>
> > grep KLIPS linux-2.6.*/.config
>
> KLIPS with native crypto, I think. I'm just compiling ipsec module from
> openswan's source, not applying any patch on the kernel. A grep for
> KLIPS in the kernel config file shows no output. That's why I asked how
> KLIPS integrates with the kernel's crypto. Although I'm using openswan's
> native crypto (I think), obviously something broke it in 2.6.25 and
> above. I have not tried to disable OCF support before compiling ipsec
> module. Would it change something, since I don't have OCF patches on my
> kernel?
You don't want OCF, I can figure out the config from the OSW source.
Thanks.
We have a target here running on 2.6.29 (and .30 or .31 IIRC) that is not
using OCF. It is using the kernel crypto API though. You could try that
option. The config options we use are:
CONFIG_KLIPS_ESP=y
# CONFIG_KLIPS_AH is not set
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_CRYPTOAPI=y
CONFIG_KLIPS_ENC_1DES=y
# CONFIG_KLIPS_ENC_3DES is not set
# CONFIG_KLIPS_ENC_AES is not set
CONFIG_KLIPS_IPCOMP=y
# CONFIG_KLIPS_OCF is not set
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=4
I can never figure out how these are set in non-patched kernel builds :-(
Paul ?
> Did you have the time to see my post about l2tp/ipsec tunnels not
> holding, even after applying your patches?
Yes I saw it, unfortunately I have been temporarily refocused and I don't
have much time to try things right now.
I'll follow up in that thread,
Cheers,
Davidm
--
David McCullough, david_mccullough at securecomputing.com, Ph:+61 734352815
McAfee - SnapGear http://www.snapgear.com http://www.uCdot.org