Re: [Devil-Linux-discuss] ipsec not working in 1.2.7/8

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On November 24, 2005 09:51, Heiko Zuerker wrote:
> On Thu, November 24, 2005 10:22, Martin Glazer wrote:
> > On November 23, 2005 20:44, Heiko Zuerker wrote:
> >> On Wed, November 23, 2005 20:44, Martin Glazer wrote:
> >>> On November 23, 2005 18:10, Heiko Zuerker wrote:
> >>>> On Wed, November 23, 2005 16:17, Martin Glazer wrote:
> >>>>> On November 22, 2005 09:29, Martin Glazer wrote:
> >>>>>> Looks like Openswan (ipsec) is also not working in the latest
> >>>>>> builds - upon start, it complains about missing ipsec modules.
> >>>>>>
> >>>>>> I don't know if this is related to the other missing module
> >>>>>> posts - missing ip_ttl and ipt_connmark.
> >>>>>>
> >>>>>> Unfortunately, I don't have much time now to take a look for
> >>>>>> the cause of the problems or if they are even related.
> >>>>>
> >>>>> I looked into this a bit further and it looks like the ipsec
> >>>>> module is being built, but then it is being installed in the
> >>>>> /lib/modules/{kernel_version}
> >>>>> directory of the lfssystem and not into the cdtree.
> >>>>>
> >>>>> The kernel install also clears out the
> >>>>> cdtree/lib/modules{kernel_version} before installing the kernel
> >>>>> modules there, so a manual copy will not help.
> >>>>>
> >>>>> How was this handled before (prior to openswan 2.4.4)?
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> Any suggestions to work around this or where else to look for a
> >>>>> solution?
> >>>>
> >>>> I fixed the problem with the missing module.
> >>>
> >>> Thanks - I thought I tried your solution manually and found that
> >>> because the kernel modules were installed after openswan, they deleted
> >>> the ipsec.o module - I will try again with your solution from CVS.
> >>
> >> The Openswan makefile doesn't honor the DESTDIR variable when
> >> installing the module, that was the reason why it was missing.
> >
> > The fix still does not work...
> >
> >
> > Even though you copy the ipsec.o file into the kenel module directory,
> > the kernel is installed after openswan and during the kernel install, it
> > deletes everything in the module directory first.
> >
> > I see 2 possible solutions -
> > - Place a conditional copy of the ipsec module in the linux kernel
> > install script after the kernel modules are installed.
> >
> > - Change the order of compilation and compile/install openswan after the
> > kernel compile - as openswan does not patch the kernel any longer, this
> > should work. The only issue is with the nat-t patch, which does patch the
> >  kernel, so one would have to do a conditional patch during the kernel
> > build of the nat-t patch.
> >
> >>>> What was that klips spelling error you mentioned?
> >>>
> >>> in scrips/super-freeswan under the build option --->
> >>> set_kernel_option CONFIG_KLIPS m
> >>> set_kernel_option CONFIG_IPSEC_ALG y set_kernel_option
> >>> CONFIG_IPSEC_ENC_AES set_kernel_option CONFIG_IPSEC_ALG_NON_LIBRE n
> >>> set_kernel_option CONFIG_IPSEC_ALG_CRYPTOAPI m --->  set_kernel_option
> >>> CONFIG_KLIPS m
> >>> set_kernel_option CONFIG_KLIPS_IPIP y
> >>>
> >>> the line is repeated as well it says CONFIG_KLIBS and should read
> >>> CONFIG_KLIPS
> >>> P instead of B
> >>
> >> The module is not anymore compiled as part of the Kernel
> >> We can remove all this stuff from the script (I should have enough time
> >> this weekend ... hopefully).
> >
> > I'll play aroundand see if I can get it to work using the solutions
> > above.
>
> I think I found a better solution.
> Looking at the Kernel Makefile, it only wipes out 'kernel' directory, but
> leaves the rest alone.
> I'll move the ipsec.o file into the '/lib/modules/2.4.*/net' directory.

Excellent...

thats why they pay you the big $$$ :-)