[Openswan Users] OpenSwan and vServer

Christian Bäcker christian.baecker at gmx.eu
Thu Feb 10 03:37:30 EST 2011


Hi Paul,

thanks for your answers.

On 10.02.2011 at 04:16, Paul Wouters wrote:

> On Tue, 8 Feb 2011, Christian Bäcker wrote:
> 
>> 
>> I have a problem with ipsec compiled as kernel modules and vServer.
> 
> AFAIK, only very recent versions of vServer support IPsec within the guests.

The vServer with OpenSwan was running since spring 2009, but with a custom kernel and no modules.

>> ipsec_setup: Starting Openswan IPsec 2.4.12...
>> ipsec_setup: ERROR: Failed to load or detect KLIPS and NETKEY
> 
> Looks like you don't have any ipsec visible to your guest. Note that 2.4.12 should
> not be used, and you should go to at least 2.4.15, otherwise you are vulnerable to
> two CVEs.

Hm, lsmod in the vServer shows me all modules and the modules directory is bind mounted into the vServer.
Thanks for the hint to the CVEs. I instantly checked the Debian and Openswan changelogs. Debian had patched the security fixes into the 2.4.12 version. Debian does not change the version number in the stable tree, instead they add their own string to point out that only security fixes were added.

>> openswan: 2.6.28+dfsg-5
> 
> That's not the version of openswan according to your logs.

You are right. The correct version is 2.4.12+dfsg-1.3+lenny2. That happens when testing on too many different machines. :)

> 
>> util-vserver: 0.30.216~r2772-6
>> vserver: 2.3.0.35
> 
> I've CC:ed Patrick who knows a little more about vServer.

Thanks.

Chris

