[Openswan Users] build openswan 2.6.26 rpm with klips kernel module

Michael H. Warfield mhw at WittsEnd.com
Fri May 28 09:27:48 EDT 2010


On Thu, 2010-05-27 at 22:37 -0700, Steve Zeng wrote: 
> Thanks, Michael. I am looking for a .spec file to build openswan rpm with klips included. The reason for klips is, I have a problem related to routing (I think) when trying openswan with amazon VPC. What I've been given regarding the IPSec tunnel is:
> 
> My_network (192.168.1.0/24) 
>        ||
> my IPSec VPN gateway (tunnel interface: 169.254.255.2)
>        ||  
>     Internet
>        ||  
> Amazon VPN gateway   (tunnel interface: 169.254.255.1)
>        ||  
> vpc (10.0.0.0/24)
> 
> With netkey I have difficulty implementing the routing. My understanding is, klips will give me a tunnel interface and so I can adjust my routing table to let all traffic to 10.0.0.0/24 go through the tunnel interface. Correct me if I am wrong. 

1) I do this sort of thing all the time with netkey with no problem
(although my environment is public addresses and I don't have to resort
to private addresses at either end).  I have run into some problems with
the local net talking to the local gateway that require one or more
bypass routes to be installed with netkey which are not required for
klips, as I understand, and I even had to write some patches to make
that work (which were incorporated into openswan 2.6 some time ago).

2) You don't have to "implement" the routing.  It's handled by the VPN
policies and transforms.  IOW, get the connections right and you're done.
If by "getting the routing right" you mean you're doing something with
"ip route" or "route", then you're doing something wrong.

3) Even with klips, IPSec is still fundamentally, by spec, a policy VPN.
Merely setting routes through the interfaces without having set the
tunnel policies properly will still probably fail for you.

I'm not sure if you provided fake addresses up there, but obviously
"169.254.*" addresses are not going to work as interface addresses.

I can't tell how the Amazon VPN gateway is set up.  I'm not familiar
with that at all.  Is it configured to tunnel your private /24 back
through it?  How would any of the other addresses in that 10.* net know
to route to you?  Is that something you can control or you can specify?
I guess I'm really asking how that whole service runs its VPN service.
I often have to include IPv4 NAT on one or more of the gateways because
of reverse routing and the absence of control of the routing to the
other machines when I'm NOT in the default route.

If you're really dead set on using klips and rpm's, it looks like some
people have created kernel rpm's with klips (which makes a hell of a lot
more sense than trying to build Openswan with a kernel module) but it
was some time ago.  Here's a SmoothWall reference to a procedure that
might work for you:

https://support.smoothwall.net/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=250


> Steve

Regards,
Mike

> 
> -----Original Message-----
> From: Michael H. Warfield [mailto:mhw at WittsEnd.com] 
> Sent: May 27, 2010 6:43 PM
> To: Steve Zeng
> Cc: mhw at WittsEnd.com; Users at openswan.org
> Subject: Re: [Openswan Users] build openswan 2.6.26 rpm with klips kernel module
> 
> On Thu, 2010-05-27 at 17:05 -0700, Steve Zeng wrote: 
> > Anybody has a spec file available to build openswan-2.6.26 rpm with klips kernel module on redhat/Centos/Fedora?
> 
> When you said "spec" file, I presumed you mean the .spec file for building rpm's, especially since you then mentioned Fedora and Redhat.
> I realized later, you didn't really refer to building rpms per se.  Are you building rpm's or what "spec" file do you mean?
> 
> > I tried to run "make KERNELSRC=/lib/modules/`uname -r`/build module minstall" but get the following errors:
> > 
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c: In function ‘ipsec_tunnel_hard_header’:
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: implicit declaration of function ‘ip_hdr’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1072: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1098: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1098: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1098: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1098: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1098: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1098: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c: In function ‘ipsec_tunnel_rebuild_header’:
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1174: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1174: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1174: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1174: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1174: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1174: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1193: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1193: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1193: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1193: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1193: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1193: error: invalid type argument of ‘->’
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c: In function ‘ipsec_tunnel_cache_update’:
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1327: warning: passing argument 1 of ‘netdev_priv’ discards qualifiers from pointer target type
> > /usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.c:1376: warning: passing argument 3 of ‘prv->header_cache_update’ discards qualifiers from pointer target type
> > make[3]: *** [/usr/src/redhat/BUILD/openswan-2.6.26/modobj26/ipsec_tunnel.o] Error 1
> > make[2]: *** [_module_/usr/src/redhat/BUILD/openswan-2.6.26/modobj26] Error 2
> > make[2]: Leaving directory `/usr/src/kernels/2.6.18-53.el5-i686'
> > make[1]: *** [module26] Error 2
> > make[1]: Leaving directory `/usr/src/redhat/BUILD/openswan-2.6.26'
> > make: *** [module] Error 2
> > 
> > Thanks in advance. 
> > 
> > Steve
> 
> Mike
> --
> Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
>    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
>    NIC whois: MHW9          | An optimist believes we live in the best of all
>  PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
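The point Mike makes in (2) and (3), that under NETKEY the tunnel is a kernel policy and not a route, is easiest to see by writing the conn for the topology Steve drew and then inspecting the SPD. The script below is an added example; it is not from the thread and not Openswan's own code or documentation. The two public endpoint addresses (203.0.113.10 for the local gateway, 198.51.100.20 for the Amazon side) are assumed placeholders from the documentation ranges, since the thread does not give them, and the `ip xfrm policy` output it checks is a constructed sample of what a working tunnel produces.

```shell
#!/bin/sh
# Added example, not from the thread or the Openswan project: the NETKEY
# conn for the topology in the thread, plus a check that the kernel SPD
# holds the policies that conn should have installed. Public endpoint
# addresses are assumed placeholders (documentation ranges).

LEFT=203.0.113.10          # assumed: our gateway's public address
LEFT_SUBNET=192.168.1.0/24 # from the thread
RIGHT=198.51.100.20        # assumed: Amazon VPN gateway's public address
RIGHT_SUBNET=10.0.0.0/24   # from the thread

# Emit an ipsec.conf conn for the tunnel. With NETKEY there is no ipsec0
# interface to route through: leftsubnet/rightsubnet become SPD entries in
# the kernel, and those decide what gets encapsulated. No "ip route" needed.
emit_conn() {
    cat <<EOF
conn amazon-vpc
    left=$LEFT
    leftsubnet=$LEFT_SUBNET
    right=$RIGHT
    rightsubnet=$RIGHT_SUBNET
    authby=secret
    auto=start
EOF
}

# Verify the SPD from an 'ip xfrm policy' dump read on stdin. A working
# tunnel has a tunnel-mode 'out' policy LAN->VPC and 'in' plus 'fwd'
# policies VPC->LAN. Returns 0 if all three are present, 1 otherwise.
check_spd() {
    awk -v lsub="$1" -v rsub="$2" '
        $1 == "src"   { src = $2; dst = $4 }
        $1 == "dir"   { dir = $2 }
        /mode tunnel/ {
            if (dir == "out" && src == lsub && dst == rsub) seen["out"] = 1
            if (dir == "in"  && src == rsub && dst == lsub) seen["in"]  = 1
            if (dir == "fwd" && src == rsub && dst == lsub) seen["fwd"] = 1
        }
        END { if (seen["out"] && seen["in"] && seen["fwd"]) exit 0; exit 1 }
    '
}

# Constructed sample of what 'ip xfrm policy' prints once the conn is up
# (priority and reqid values are illustrative, not taken from a real box).
SPD_UP='src 192.168.1.0/24 dst 10.0.0.0/24
    dir out priority 2344 ptype main
    tmpl src 203.0.113.10 dst 198.51.100.20
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
    dir fwd priority 2344 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 16385 mode tunnel'

# Constructed sample with the 'out' policy missing: inbound VPC traffic is
# still accepted, but nothing from the LAN is ever encapsulated. Adding a
# route would not fix this; the policy is what is absent.
SPD_HALF='src 10.0.0.0/24 dst 192.168.1.0/24
    dir fwd priority 2344 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 16385 mode tunnel
src 10.0.0.0/24 dst 192.168.1.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.20 dst 203.0.113.10
        proto esp reqid 16385 mode tunnel'

spd_up_ok()   { printf '%s\n' "$SPD_UP"   | check_spd "$LEFT_SUBNET" "$RIGHT_SUBNET"; }
spd_half_ok() { printf '%s\n' "$SPD_HALF" | check_spd "$LEFT_SUBNET" "$RIGHT_SUBNET"; }

# Stand-alone run: print the conn and check both samples. On a real gateway:
#   ip xfrm policy | check_spd 192.168.1.0/24 10.0.0.0/24
emit_conn
if spd_up_ok; then echo "sample SPD: out/in/fwd tunnel policies present"; fi
if spd_half_ok; then echo "half SPD: unexpectedly complete"; else echo "half SPD: policy missing, as expected"; fi
```

On a live Openswan gateway `ipsec auto --status` shows whether the conn is up and `ip xfrm policy` / `ip xfrm state` show what the kernel actually installed; if the three policies are there and traffic still does not flow, the problem is on the far side (what Amazon routes back to 192.168.1.0/24), not in the local routing table. The bypass case Mike mentions in (1) only arises when rightsubnet is wide enough to cover the gateway's own LAN traffic; Openswan's tool for that under NETKEY is a `type=passthrough` conn, not a route. Under KLIPS the same check is `ipsec eroute`, and as point (3) says, a route through ipsec0 without a matching eroute still drops the traffic.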