[Openswan Users] Questions regarding firewall and routing accommodations for openswan 2.6.28

Paul Wouters paul at xelerance.com
Wed Sep 15 19:45:56 EDT 2010


On Wed, 15 Sep 2010, Neal Murphy wrote:

> I had previously built the kernel applying the SAREF and klips patches. But
> that hardly worked.

> SRC=10.20.30.20 DST=10.20.31.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=41759 DF
> PROTO=TCP SPT=1673 DPT=222 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x80010000

Where is that MARK coming from? Openswan has "taken" the high bit to mean "This
mark is an SAref". If smoothwall is using it for something else, we have a problem.

> What am I missing? It has something to do with the 'new' mast0 interface, but
> I've nary a clue!

That would only be if you have protostack=mast in your config. The default
protostack (=auto) tries netkey first, then klips.

> Next, since /proc/net/ipsec_eroute no longer shows the state of the tunnel(s),
> what exactly do I look for in the output of 'ipsec auto status' to determine
> which tunnels are up? Is there no other place where tunnel status is stored?

In 2.6.29rc1 and onwards, you can use "ipsec policy" to get an "eroute like"
output.

> Finally, would someone take a gander at the makefile for 'make minstall' and
> verify that setting DESTDIR does NOT work as expected? My experience is that
> it always installs the module in the chroot jail's root and not in the
> specified package directory.

Are you confusing DESTDIR with FINALDESTDIR? The first is the physical location,
e.g. ~/BUILD/openswan/usr/lib/ipsec/pluto, while the latter is the location of the file after
the package install, on the live system, e.g. /usr/lib/ipsec/pluto

Paul
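
Added example (not part of the original message and not Openswan code): one way to look for firewall rules and logged packets whose mark has the high bit set, the bit the reply above says Openswan treats as an SAref. The iptables-save fragment and the second log line are constructed, and the function names are hypothetical; the first log line is the one quoted in the thread.

```python
import re

SAREF_BIT = 0x80000000  # high bit of the 32-bit packet mark, per the reply above

# Constructed iptables-save fragment (hypothetical rules, not from the thread).
SAMPLE_RULES = """\
*mangle
-A PREROUTING -i eth0 -j MARK --set-mark 0x1
-A PREROUTING -i eth1 -j MARK --set-xmark 0x80010000/0xffffffff
-A FORWARD -o eth2 -j MARK --or-mark 0x80000000
-A FORWARD -p tcp -j CONNMARK --set-mark 0x200/0xff00
COMMIT
"""

# The LOG line quoted in the thread, plus one constructed line without the bit.
SAMPLE_LOG = """\
SRC=10.20.30.20 DST=10.20.31.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=41759 DF PROTO=TCP SPT=1673 DPT=222 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x80010000
SRC=10.20.30.21 DST=10.20.31.1 LEN=48 TTL=127 PROTO=TCP SPT=1700 DPT=80 MARK=0x1
"""

# Mark value given to the MARK/CONNMARK targets (any /mask suffix is ignored).
RULE_RE = re.compile(r"--(?:set-mark|set-xmark|or-mark)\s+(0x[0-9a-fA-F]+)")
LOG_RE = re.compile(r"\bMARK=(0x[0-9a-fA-F]+)")

def has_high_bit(hex_text):
    return bool(int(hex_text, 16) & SAREF_BIT)

def rules_setting_high_bit(ruleset):
    """Rule lines whose mark value has the high bit set."""
    return [line for line in ruleset.splitlines()
            if (m := RULE_RE.search(line)) and has_high_bit(m.group(1))]

def logged_packets_with_high_bit(log):
    """(SRC, DST, mark) for each logged packet carrying the high bit."""
    hits = []
    for line in log.splitlines():
        m = LOG_RE.search(line)
        if m and has_high_bit(m.group(1)):
            fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
            hits.append((fields.get("SRC"), fields.get("DST"), m.group(1)))
    return hits

if __name__ == "__main__":
    for rule in rules_setting_high_bit(SAMPLE_RULES):
        print("rule sets high bit:", rule)
    for src, dst, mark in logged_packets_with_high_bit(SAMPLE_LOG):
        print("packet with high bit:", src, "->", dst, mark)
```

On a live system the inputs would be the output of iptables-save and the kernel log rather than the embedded samples.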

