[Openswan Users] Fedora with netkey and freeswan with klips

Bob Miller bob at computerisms.ca
Sat Jan 15 17:51:52 EST 2011

> I believe the other system is using klips instead of netkey which would be why
> the systems don't connect.

I don't use klips, so I can't say for sure, but I would expect them to
still be able to work...

> There don't appear to be any error messages in the logs on either side; the
> systems just don't connect.

This is probably a poor generalization, but if there are no errors, I
would expect that to mean the software is behaving exactly as it is
configured to do.  
Even if there are no errors, you should be able to determine at what
part of the whole process the two ends agree to terminate or not connect
at all, assuming of course that the two ends are even talking to each
other.  Hard to say without a look, though...

> I'm unsure what logging or configuration information to provide so that this
> problem can be fixed.

Generally a connection from openswan makes a small handful of lines in
your auth.log (or maybe security.log or some such on RH systems?).  You
can tail the log while you attempt a connection, that will be the part
that is useful.  Also, check the same log for the starting of openswan,
if it has a problem loading the certificates, for example, that should
show up there, too.  You can also use tools like `ipsec verify` to check
for problems, and tcpdump can be useful for verifying traffic is
happening like you think it is (though tcpdump doesn't show as much on a
netkey system as it does on a klips system).  Something in there should
show you a clue as to the issue...

> It looks like even though I've disabled netkey, it likes to use it anyway:
> Jan 15 16:01:19 fc14 ipsec_setup: No KLIPS support found while requested,
> desperately falling back to netkey
> Jan 15 16:01:19 fc14 ipsec_setup: NETKEY support found. Use protostack=netkey in
> /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with
> Jan 15 16:01:19 fc14 ipsec_setup: Using NETKEY(XFRM) stack
> What effect would using these two different methods have?

Based on this, I would guess that you have not disabled netkey, but
rather that you have not enabled klips.  Klips provides a virtual
network interface ipsecX for your IPSec tunnels to run on, allowing you
to treat it much like eth0, while netkey does all the magic
encrypting/sending and decrypting/receiving in the kernel and does not
provide the virtual interface to work with.  My understanding is you
need to compile your openswan with klips support if you want to use

> Thanks,
> Alex

Bob Miller
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions
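
Added example, not part of the original message: a small shell function that reads the log discussed above and reports which stack ipsec_setup actually selected and whether that was a fallback from a requested KLIPS. The function names are hypothetical, and it assumes every stack is announced with a "Using <NAME>" line like the NETKEY one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original post): report which IPsec stack
# Openswan's ipsec_setup actually selected, and whether it was a fallback.

# Sample input: the three ipsec_setup lines quoted in the thread, with the
# e-mail line wrapping undone (the second line is cut off in the post).
sample_log() {
cat <<'EOF'
Jan 15 16:01:19 fc14 ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
Jan 15 16:01:19 fc14 ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with
Jan 15 16:01:19 fc14 ipsec_setup: Using NETKEY(XFRM) stack
EOF
}

# Reads syslog text on stdin. Prints "<STACK> fallback",
# "<STACK> as-configured", or "unknown" when no "Using ..." line is present.
# Assumption: every stack is announced as "ipsec_setup: Using <NAME>...".
ipsec_stack_status() {
    awk '
        /ipsec_setup: No KLIPS support found while requested/ { fell_back = 1 }
        match($0, /ipsec_setup: Using [A-Za-z]+/) {
            # Skip the 19 characters of "ipsec_setup: Using " to get the name.
            stack = substr($0, RSTART + 19, RLENGTH - 19)
            result = stack (fell_back ? " fallback" : " as-configured")
            fell_back = 0   # reset so a later restart is judged on its own
        }
        END { if (result == "") print "unknown"; else print result }
    '
}

# Stand-alone run on the embedded sample.
sample_log | ipsec_stack_status
```

On a live system, feed the function whichever log file receives the ipsec_setup messages instead of the embedded sample.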
