Re: [Devil-Linux-discuss] ipsec not working in 1.2.7/8

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On November 23, 2005 20:44, Heiko Zuerker wrote:
> On Wed, November 23, 2005 20:44, Martin Glazer wrote:
> > On November 23, 2005 18:10, Heiko Zuerker wrote:
> >> On Wed, November 23, 2005 16:17, Martin Glazer wrote:
> >>> On November 22, 2005 09:29, Martin Glazer wrote:
> >>>> Looks like Openswan (ipsec) is also not working in the latest
> >>>> builds - upon start, it complains about missing ipsec modules.
> >>>>
> >>>> I don't know if this is related to the other missing module posts -
> >>>>  missing ip_ttl and ipt_connmark.
> >>>>
> >>>> Unfortunately, I don't have much time now to take a look for the
> >>>> cause of the problems or if they are even related.
> >>>
> >>> I looked into this a bit further and it looks like the ipsec module
> >>> is being built, but then it is being installed in the
> >>> /lib/modules/{kernel_version}
> >>> directory of the lfssystem and not into the cdtree.
> >>>
> >>> The kernel install also clears out the
> >>> cdtree/lib/modules{kernel_version} before installing the kernel
> >>> modules there, so a manual copy will not help.
> >>>
> >>> How was this handled before (prior to openswan 2.4.4)?
> >>>
> >>>
> >>>
> >>> Any suggestions to work around this or where else to look for a
> >>> solution?
> >>
> >> I fixed the problem with the missing module.
> >
> > Thanks - I thought I tried your solution manually and found that because
> > the kernel modules were installed after openswan, they deleted the
> > ipsec.o module - I will try again with your solution from CVS.
>
> The Openswan makefile doesn't honor the DESTDIR variable when installing
> the module, that was the reason why it was missing.
>

The fix still does not work...

Even though you copy the ipsec.o file into the kenel module directory, the 
kernel is installed after openswan and during the kernel install, it deletes 
everything in the module directory first.

I see 2 possible solutions - 
- Place a conditional copy of the ipsec module in the linux kernel install 
script after the kernel modules are installed.

- Change the order of compilation and compile/install openswan after the 
kernel compile - as openswan does not patch the kernel any longer, this 
should work. The only issue is with the nat-t patch, which does patch the 
kernel, so one would have to do a conditional patch during the kernel build 
of the nat-t patch.

> >> What was that klips spelling error you mentioned?
> >
> > in scrips/super-freeswan under the build option --->  set_kernel_option
> > CONFIG_KLIPS m
> > set_kernel_option CONFIG_IPSEC_ALG y set_kernel_option
> > CONFIG_IPSEC_ENC_AES set_kernel_option CONFIG_IPSEC_ALG_NON_LIBRE n
> > set_kernel_option CONFIG_IPSEC_ALG_CRYPTOAPI m
> > --->  set_kernel_option CONFIG_KLIPS m
> > set_kernel_option CONFIG_KLIPS_IPIP y
> >
> > the line is repeated as well it says CONFIG_KLIBS and should read
> > CONFIG_KLIPS
> > P instead of B
>
> The module is not anymore compiled as part of the Kernel
> We can remove all this stuff from the script (I should have enough time
> this weekend ... hopefully).

I'll play aroundand see if I can get it to work using the solutions above.

Martin