[Openswan Users] Centos 6 with SARef support
Paul Wouters
paul at xelerance.com
Wed Jul 27 21:06:34 EDT 2011
On Wed, 27 Jul 2011, Giovani Moda wrote:
> I'm trying to set up Centos6 with SAref support, but I'm facing some
> problems. I've recompiled kernel 2.6.32-71.29.1.el6.centos.plus with
> 0001-SAREF-add-support-for-SA-selection-through-sendmsg.patch and
> 0002-SAREF-implement-IP_IPSEC_BINDREF.patch patches and compiled
> openswan 2.6.35 with klips module. Here is the output of ipsec verify:
> conn l2tp-ipsec
> pfs=no
> left=A.B.C.D
> leftcert=mail.pem
> leftrsasigkey=%cert
> leftprotoport=17/1701
> right=%any
> rightca=%same
> rightprotoport=17/1701
> rightrsasigkey=%cert
> rightsubnet=vhost:%no,%priv
> rekey=no
> overlapip=yes
> sareftrack=yes
> Jul 27 18:19:01 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #1: new NAT
> mapping for #1, was E.F.G.H:24192, now E.F.G.H:24193
Note that you are NATed so 1701 is not valid.
You should have rightprotoport=17/%any. You should also have type=transport.
> STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Jul 27 18:19:02 mail pluto[22558]: | mast_sag_eroute called op=1/add
> Jul 27 18:19:02 mail pluto[22558]: | mast_raw_eroute called op=1
> said=esp.fa41b0d8 at E.F.G.H
> Jul 27 18:19:02 mail pluto[22558]: "MR-Miguel"[1] E.F.G.H #2: requested
> algorithm is not available in the kernel
That said, I don't understand why you get this error, as mast and klips have
the identical cipher capabilities.
Did you compile klips with CONFIG_KLIPS_CRYPTOAPI=y? If not, can you try that?
> With protostack=klips all works fine, but I'm trying to get support for
> multiple clients behind the same router, so mast is a requirement. Am I
> missing something? I know that prior to openswan 2.6.27 or so compiling
> kernel with klips inline was a requirement for SARef support. Is this
> still necessary?
No, that is no longer necessary.
Paul
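
The two configuration points from the reply above, as an added example that is not part of the original message and is not Openswan code: a small check that parses a `conn` section and flags a client port pinned to 1701 and a missing `type=transport`. The function names are hypothetical, and the sample section is the one quoted in the thread, abridged (certificate lines dropped) and with indentation restored.

```python
import re

# conn section quoted in the thread (abridged; addresses are the post's placeholders).
POSTED = """\
conn l2tp-ipsec
    pfs=no
    left=A.B.C.D
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/1701
    rightsubnet=vhost:%no,%priv
    rekey=no
    overlapip=yes
    sareftrack=yes
"""

# Same section with the two changes suggested in the reply.
FIXED = POSTED.replace("rightprotoport=17/1701", "rightprotoport=17/%any") + "    type=transport\n"

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif raw[0].isspace() and current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
        else:
            current = None                     # "config setup" or other section
    return conns

def lint_l2tp_conn(params):
    """Flag the two settings the reply calls out for NATed L2TP clients."""
    findings = []
    # Reply: the client is NATed, so a fixed remote port of 1701 is not valid.
    if params.get("right") == "%any" and params.get("rightprotoport") == "17/1701":
        findings.append("rightprotoport=17/1701: use 17/%any for NATed clients")
    if params.get("type") != "transport":
        findings.append("type=transport is not set")
    return findings

if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint_l2tp_conn(parse_conns(text)["l2tp-ipsec"]))
```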