[Openswan Users] HOWTO: Building an Ubuntu SAREF kernel with KLIPS for l2tp support

Paul Wouters paul at xelerance.com
Mon Jun 21 17:36:07 EDT 2010


On Mon, 21 Jun 2010, Majid Khonji wrote:

> Subject: [Openswan Users] Which Klips version works for which linux kernel??
> 
> I have been working hard to deploy an L2TP/IPsec roadwarrior system in which clients are mobile devices behind NAT. Openswan 2.6.26 works
> well with netkey except for the issue of multiple clients behind the same. I read a couple of mailing lists and it seems that Netkey doesn't support
> such a feature. Therefore I decided to move to the Klips kernel stack. I tried different kernels such as 2.6.34, 2.6.33, 2.6.23, etc. The only
> kernel which patches properly is 2.6.23 (but again I have problems with the Linux distribution - gentoo, ubuntu 9.10).

Note that what you want is currently under heavy development. Keep an eye
on the git repository. We have only tested this using the 2.6.32 kernel,
though it should work on later kernels too; it might require some
manual patching.

You should use openswan 2.6.27, released this morning. You will find Ubuntu
packages on ftp://ftp.openswan.org/openswan/binaries/ubuntu/. A Linux
kernel package with the SAREF patch will show up there too in the next
few days. We'll provide rhel6 kernel and userland rpms over the next
few days as well.

> I want to compile klips for kernel 3.6.3x (2.6.34 for now) and don't know whether I need to patch the kernel or not, and which openswan
> version to use (I used 2.4.15 and 2.6.26, which compile, but klips can't insert the ipsec.ko module).

With openswan 2.6.27, you should be able to apply only the SAREF patches and build KLIPS as a module.

> Please give me simple working instructions for both openswan (V.2.xx.xx) and kernel 2.6.3x.

For Ubuntu, Simon Deziel wrote some instructions for building on Ubuntu. Roughly:

1) Get a git checkout of the Ubuntu kernel. We place that in /vol/kernel-ubuntu-saref/

2) Get openswan

wget ftp://ftp.openswan.org/openswan/openswan-2.6.27.tar.gz
tar xzf openswan-2.6.27.tar.gz

3) patch kernel

cd /vol/kernel-ubuntu-saref/source

# Get clean tree
git branch master
git reset --hard
git clean -xdf

# Branch to saref
git checkout Ubuntu-2.6.32-22.33 -b saref

# Apply SAref patch
patch -p1 < ../openswan-2.6.27/patches/kernel/2.6.32/saref-2.6.32.patch
patching file include/linux/in.h
patching file include/net/ip.h
patching file include/net/xfrm.h
patching file net/ipv4/icmp.c
patching file net/ipv4/ip_output.c
patching file net/ipv4/ip_sockglue.c
patching file net/ipv4/raw.c
patching file net/ipv4/udp.c
patching file include/linux/in.h

# Commit the changes

git commit -a -m "SAref patch applied"

# Apply SAref bind patch

patch -p1 < ../openswan-2.6.27/patches/kernel/2.6.32/saref-bind-2.6.32.patch
patching file include/linux/in.h
patching file include/net/sock.h
patching file include/net/xfrm.h
patching file net/core/sock.c
patching file net/ipv4/ip_sockglue.c
patching file net/ipv4/tcp.c

# Commit the changes

git commit -a -m "SAref-bind patch applied"

# Manually edit the file net/Makefile

git diff
diff --git a/net/Makefile b/net/Makefile
index 1542e72..62eb286 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -18,6 +18,7 @@ obj-$(CONFIG_NET)             += ethernet/ 802/ sched/ netlink/
  obj-$(CONFIG_NETFILTER)                += netfilter/
  obj-$(CONFIG_INET)             += ipv4/
  obj-$(CONFIG_XFRM)             += xfrm/
+obj-$(CONFIG_KLIPS)            += ipsec/
  obj-$(CONFIG_UNIX)             += unix/
  ifneq ($(CONFIG_IPV6),)
  obj-y                          += ipv6/
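Review bot: this manual `obj-$(CONFIG_KLIPS) += ipsec/` line is why the later `make kpatch` run reports `Hunk #1 FAILED at 42` for net/Makefile and saves net/Makefile.rej; before the `find . -name \*.rej -delete` cleanup, confirm that net/Makefile contains the ipsec/ line exactly once, since the kpatch hunk targets a different spot (line 42) and a partially applied patch could leave it missing or duplicated. The added line matches the surrounding style (same `obj-$(CONFIG_...)` form, no whitespace-only changes), so nothing else to flag in this hunk.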

# Commit the changes

git commit -a -m "Fix net/Makefile to include KLIPS"

# Get the kernel patch for KLIPS
cd /vol/kernel-ubuntu-saref/openswan-2.6.27
make KERNELSRC=/vol/kernel-ubuntu-saref/source/ kpatch
Now performing forward patches
make kernelpatch2.6 | tee /vol/kernel-ubuntu-saref/source//openswan.patch | (cd /vol/kernel-ubuntu-saref/source/ && patch -p1 -b -z .preipsec --forward --ignore-whitespace )
patching file README.openswan-2
patching file include/des/des_locl.h
patching file include/des/des_ver.h
patching file include/des/podd.h
patching file include/des/sk.h
patching file include/des/spr.h
patching file include/klips-crypto/aes.h
patching file include/klips-crypto/aes_cbc.h
patching file include/klips-crypto/aes_xcbc_mac.h
patching file include/klips-crypto/cbc_generic.h
patching file include/klips-crypto/des.h
patching file include/openswan.h
patching file include/openswan/ipcomp.h
patching file include/openswan/ipsec_ah.h
patching file include/openswan/ipsec_alg.h
patching file include/openswan/ipsec_alg_3des.h
patching file include/openswan/ipsec_auth.h
patching file include/openswan/ipsec_encap.h
patching file include/openswan/ipsec_eroute.h
patching file include/openswan/ipsec_errs.h
patching file include/openswan/ipsec_esp.h
patching file include/openswan/ipsec_ipcomp.h
patching file include/openswan/ipsec_ipe4.h
patching file include/openswan/ipsec_ipip.h
patching file include/openswan/ipsec_kern24.h
patching file include/openswan/ipsec_kversion.h
patching file include/openswan/ipsec_life.h
patching file include/openswan/ipsec_mast.h
patching file include/openswan/ipsec_md5h.h
patching file include/openswan/ipsec_param.h
patching file include/openswan/ipsec_param2.h
patching file include/openswan/ipsec_policy.h
patching file include/openswan/ipsec_proto.h
patching file include/openswan/ipsec_radij.h
patching file include/openswan/ipsec_rcv.h
patching file include/openswan/ipsec_sa.h
patching file include/openswan/ipsec_sha1.h
patching file include/openswan/ipsec_stats.h
patching file include/openswan/ipsec_sysctl.h
patching file include/openswan/ipsec_tunnel.h
patching file include/openswan/ipsec_xform.h
patching file include/openswan/ipsec_xmit.h
patching file include/openswan/mast.h
patching file include/openswan/passert.h
patching file include/openswan/pfkey.h
patching file include/openswan/pfkey_debug.h
patching file include/openswan/pfkeyv2.h
patching file include/openswan/radij.h
patching file include/zlib/zconf.h
patching file include/zlib/zlib.h
patching file include/zlib/zutil.h
patching file net/Kconfig
Hunk #1 succeeded at 278 (offset 63 lines).
patching file net/Makefile
Hunk #1 FAILED at 42.
1 out of 1 hunk FAILED -- saving rejects to file net/Makefile.rej
patching file net/ipsec/Kconfig
patching file net/ipsec/Makefile
patching file net/ipsec/README-zlib
patching file net/ipsec/README-zlib.freeswan
patching file net/ipsec/addrtoa.c
patching file net/ipsec/addrtot.c
patching file net/ipsec/addrtypeof.c
patching file net/ipsec/adler32.c
patching file net/ipsec/aes/Makefile
patching file net/ipsec/aes/aes-i586.S
patching file net/ipsec/aes/aes.c
patching file net/ipsec/aes/aes_cbc.c
patching file net/ipsec/aes/aes_xcbc_mac.c
patching file net/ipsec/aes/ipsec_alg_aes.c
patching file net/ipsec/alg/Config.alg_aes.in
patching file net/ipsec/alg/Config.alg_cryptoapi.in
patching file net/ipsec/alg/Config.in
patching file net/ipsec/alg/Makefile.alg_aes
patching file net/ipsec/alg/Makefile.alg_cryptoapi
patching file net/ipsec/alg/ipsec_alg_cryptoapi.c
patching file net/ipsec/alg/scripts/mk-static_init.c.sh
patching file net/ipsec/anyaddr.c
patching file net/ipsec/datatot.c
patching file net/ipsec/defconfig
patching file net/ipsec/deflate.c
patching file net/ipsec/deflate.h
patching file net/ipsec/des/COPYRIGHT
patching file net/ipsec/des/INSTALL
patching file net/ipsec/des/Makefile
patching file net/ipsec/des/README
patching file net/ipsec/des/README.freeswan
patching file net/ipsec/des/VERSION
patching file net/ipsec/des/asm/des-586.pl
patching file net/ipsec/des/asm/des686.pl
patching file net/ipsec/des/asm/desboth.pl
patching file net/ipsec/des/asm/readme
patching file net/ipsec/des/cbc_enc.c
patching file net/ipsec/des/des.doc
patching file net/ipsec/des/des_enc.c
patching file net/ipsec/des/des_opts.c
patching file net/ipsec/des/dx86unix.S
patching file net/ipsec/des/ecb_enc.c
patching file net/ipsec/des/ipsec_alg_3des.c
patching file net/ipsec/des/set_key.c
patching file net/ipsec/goodmask.c
patching file net/ipsec/infblock.c
patching file net/ipsec/infblock.h
patching file net/ipsec/infcodes.c
patching file net/ipsec/infcodes.h
patching file net/ipsec/inffast.c
patching file net/ipsec/inffast.h
patching file net/ipsec/inffixed.h
patching file net/ipsec/inflate.c
patching file net/ipsec/inftrees.c
patching file net/ipsec/inftrees.h
patching file net/ipsec/infutil.c
patching file net/ipsec/infutil.h
patching file net/ipsec/initaddr.c
patching file net/ipsec/ipcomp.c
patching file net/ipsec/ipsec_ah.c
patching file net/ipsec/ipsec_alg.c
patching file net/ipsec/ipsec_alg_cryptoapi.c
patching file net/ipsec/ipsec_esp.c
patching file net/ipsec/ipsec_init.c
patching file net/ipsec/ipsec_ipcomp.c
patching file net/ipsec/ipsec_ipip.c
patching file net/ipsec/ipsec_kern24.c
patching file net/ipsec/ipsec_life.c
patching file net/ipsec/ipsec_mast.c
patching file net/ipsec/ipsec_md5c.c
patching file net/ipsec/ipsec_ocf.c
patching file net/ipsec/ipsec_ocf.h
patching file net/ipsec/ipsec_proc.c
patching file net/ipsec/ipsec_radij.c
patching file net/ipsec/ipsec_rcv.c
patching file net/ipsec/ipsec_sa.c
patching file net/ipsec/ipsec_sha1.c
patching file net/ipsec/ipsec_snprintf.c
patching file net/ipsec/ipsec_tunnel.c
patching file net/ipsec/ipsec_xform.c
patching file net/ipsec/ipsec_xmit.c
patching file net/ipsec/match586.S
patching file net/ipsec/match686.S
patching file net/ipsec/pfkey_v2.c
patching file net/ipsec/pfkey_v2_build.c
patching file net/ipsec/pfkey_v2_debug.c
patching file net/ipsec/pfkey_v2_ext_bits.c
patching file net/ipsec/pfkey_v2_ext_process.c
patching file net/ipsec/pfkey_v2_parse.c
patching file net/ipsec/pfkey_v2_parser.c
patching file net/ipsec/prng.c
patching file net/ipsec/radij.c
patching file net/ipsec/rangetoa.c
patching file net/ipsec/satot.c
patching file net/ipsec/subnetof.c
patching file net/ipsec/subnettoa.c
patching file net/ipsec/sysctl_net_ipsec.c
patching file net/ipsec/trees.c
patching file net/ipsec/trees.h
patching file net/ipsec/ultoa.c
patching file net/ipsec/ultot.c
patching file net/ipsec/version.c
patching file net/ipsec/zutil.c
patching file net/ipv4/af_inet.c
Hunk #1 succeeded at 1629 with fuzz 2 (offset 460 lines).
patching file net/ipsec/Makefile.ver
make: *** [applypatch] Error 1

# Ignore the error and clean bad files

# Make some cleanup

cd /vol/kernel-ubuntu-saref/source
find . -name \*.preipsec -delete
find . -name \*.rej -delete

# Commit the changes

git commit -a -m "Openswan make kpatch done"
git add README.openswan-2 include/des/ include/klips-crypto/ include/openswan.h include/openswan/ include/zlib/ net/ipsec/
git commit -a -m "Openswan make kpatch done + files"

# Enable CONFIG_KLIPS

cat << EOF >> debian.master/config/config.common.ubuntu
CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_ENC_CRYPTOAPI=n
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=64
# CONFIG_KLIPS_OCF is not set
EOF

cat << EOF >> debian.master/config/config.common.ports
CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_ENC_CRYPTOAPI=n
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=64
# CONFIG_KLIPS_OCF is not set
EOF

# Commit the changes

git commit -a -m "Enable module supports for KLIPS"

4) Compile the kernel

fakeroot debian/rules clean
skipabi=true skipmodule=true fakeroot debian/rules binary-indep
skipabi=true skipmodule=true fakeroot debian/rules binary-perarch
skipabi=true skipmodule=true fakeroot debian/rules binary-server
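The script below is an added example, not part of Paul's post, Simon Deziel's instructions or the Openswan project. It performs the two sanity checks a practitioner would want to run on the patched tree before the "git commit" steps above: that net/Makefile adds ipsec/ under CONFIG_KLIPS exactly once (the manual edit plus the failed kpatch hunk can leave that line missing or doubled, and the .rej files are deleted afterwards), and that the appended config fragment carries every CONFIG_KLIPS option the HOWTO lists, with no later line overriding CONFIG_KLIPS=m. The paths in the final comment are the ones used in the HOWTO; the file names and file contents written by make_samples are constructed for the demo and are not real kernel files.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): sanity checks
# for the KLIPS/SAref kernel tree before committing.
#   1. net/Makefile must add ipsec/ under CONFIG_KLIPS exactly once.
#   2. the Ubuntu config fragment must carry every CONFIG_KLIPS option the
#      HOWTO appends, and nothing may override CONFIG_KLIPS=m later in the file.
# Sample files produced by make_samples are constructed for this demo.

# Options the HOWTO appends to debian.master/config/config.common.*
KLIPS_REQUIRED='CONFIG_KLIPS=m
CONFIG_KLIPS_IPIP=y
CONFIG_KLIPS_AH=y
CONFIG_KLIPS_AUTH_HMAC_MD5=y
CONFIG_KLIPS_AUTH_HMAC_SHA1=y
CONFIG_KLIPS_ESP=y
CONFIG_KLIPS_ALG=y
CONFIG_KLIPS_ENC_3DES=y
CONFIG_KLIPS_ENC_AES=y
CONFIG_KLIPS_ENC_CRYPTOAPI=n
CONFIG_KLIPS_IPCOMP=y
CONFIG_KLIPS_DEBUG=y
CONFIG_KLIPS_IF_MAX=64'

# Succeeds only if exactly one line in the Makefile adds ipsec/ under CONFIG_KLIPS.
klips_makefile_ok() {
    makefile="$1"
    [ -r "$makefile" ] || { echo "unreadable: $makefile" >&2; return 1; }
    # grep -c still prints the count (0) when nothing matches, so keep its status out of $n
    n=$(grep -c '^obj-\$(CONFIG_KLIPS)[[:space:]]*+=[[:space:]]*ipsec/[[:space:]]*$' "$makefile" || true)
    [ "$n" -eq 1 ]
}

# Succeeds only if every required option is present as an exact line and no
# other CONFIG_KLIPS= line contradicts CONFIG_KLIPS=m.
klips_config_ok() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "unreadable: $cfg" >&2; return 1; }
    missing=0
    for want in $KLIPS_REQUIRED; do
        # -x forces a whole-line match, so CONFIG_KLIPS=m cannot satisfy CONFIG_KLIPS_AH=y
        grep -qx "$want" "$cfg" || { echo "missing: $want" >&2; missing=1; }
    done
    if grep '^CONFIG_KLIPS=' "$cfg" | grep -qvx 'CONFIG_KLIPS=m'; then
        echo "conflicting CONFIG_KLIPS= setting in $cfg" >&2
        missing=1
    fi
    return $missing
}

# Writes constructed sample files (good and bad variants) into DIR.
make_samples() {
    dir="$1"
    # Excerpt modelled on net/Makefile after the manual edit: one KLIPS line.
    printf 'obj-$(CONFIG_INET)\t\t+= ipv4/\nobj-$(CONFIG_XFRM)\t\t+= xfrm/\nobj-$(CONFIG_KLIPS)\t\t+= ipsec/\nobj-$(CONFIG_UNIX)\t\t+= unix/\n' > "$dir/good.Makefile"
    # Same file with the kpatch hunk applied on top: the line now appears twice.
    { cat "$dir/good.Makefile"; printf 'obj-$(CONFIG_KLIPS) += ipsec/\n'; } > "$dir/dup.Makefile"
    # Config fragment exactly as the HOWTO appends it.
    printf '%s\n' $KLIPS_REQUIRED > "$dir/good.config"
    # Fragment with ESP dropped and CONFIG_KLIPS flipped to built-in further down.
    grep -v '^CONFIG_KLIPS_ESP=' "$dir/good.config" > "$dir/bad.config"
    echo 'CONFIG_KLIPS=y' >> "$dir/bad.config"
}

# report LABEL CHECK FILE: prints PASS/FAIL without aborting the script.
report() {
    if "$2" "$3"; then echo "PASS $1"; else echo "FAIL $1"; fi
}

demo() {
    tmp=$(mktemp -d)
    make_samples "$tmp"
    report "net/Makefile with one KLIPS line"   klips_makefile_ok "$tmp/good.Makefile"
    report "net/Makefile with KLIPS line twice" klips_makefile_ok "$tmp/dup.Makefile"
    report "complete config fragment"           klips_config_ok   "$tmp/good.config"
    report "fragment missing ESP, KLIPS=y"      klips_config_ok   "$tmp/bad.config"
    rm -rf "$tmp"
}

# Against the real tree from the HOWTO (paths as used above):
#   klips_makefile_ok /vol/kernel-ubuntu-saref/source/net/Makefile
#   klips_config_ok   /vol/kernel-ubuntu-saref/source/debian.master/config/config.common.ubuntu
demo
```

Run it from the kernel source directory after the net/Makefile edit and the config append; a FAIL on the Makefile check means the kpatch .rej and the manual edit need reconciling before `find . -name \*.rej -delete` discards the evidence.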