Re: [Ipsec-tools-devel] 0.6 doesn't configure

[Uri <urimobile@op...>]

Ganesan Rajagopal wrote:

>>>>>>"Uri" == Uri  <urimobile@...> writes: The weird thing is, that this darn "configure" thing detects GNUTLS
>>>>>>and *not* OpenSSL!
>>>>>>            
>>>>>>
>
>Curious! AFAIK gnutls has a openssl.h header but ipsec-tools configure.ac
>explicitly checks for openssl/opensslv.h header. Can you try looking at the
>config.log file to see if you have a clue.
>  
>
No I don't have a clue - because indeed config.log mentions 
openssl/opensslv.h and not openssl.h.

And opensslv.h clearly says VERSION "0.9.7"...

I don't know.

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[<urimobile@op...>]

In my humble opinion, "configure" part of ipsec-tools is broken. Here's why:

1. It doesn't detect the correct version of OpenSSL:

checking openssl version... too old
configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.

[root@... ~]# rpm -q openssl
openssl-0.9.7a-40

note that adding "--with-openssl=/usr" is a tested work-around.

2. On some Linux machines it cannot detect kernel support for  NAT. When forced to accept kernel NAT (by hacking "configure" script), it correctly determines that the types present are rfc,00,02.

3.  src/include-glibc and rpm directories are empty:

config.status: creating src/include-glibc/Makefile
config.status: error: cannot find input file: src/include-glibc/Makefile.in

config.status: creating rpm/Makefile
config.status: error: cannot find input file: rpm/Makefile.in

4. FWD detection is broken: it says that FWD is not supported:

configure:26416: checking whether we support FWD policy 
configure:26441: gcc -c -g -O2 -I/usr/include  conftest.c >&5
In file included from conftest.c:66:
/usr/include/linux/ipsec.h:18:22: net/sock.h: No such file or directory
conftest.c: In function `main':
conftest.c:72: error: `IPSEC_DIR_FWD' undeclared (first use in this function)
conftest.c:72: error: (Each undeclared identifier is reported only once
conftest.c:72: error: for each function it appears in.)

while on Linux 2.6.11 "IPSEC_DIR_FWD" is part of enum located in "linux/ipsec.h" file in the kernel includes:

enum {
        IPSEC_DIR_ANY           = 0,
        IPSEC_DIR_INBOUND       = 1,
        IPSEC_DIR_OUTBOUND      = 2,
        IPSEC_DIR_FWD           = 3,    /* It is our own */
        IPSEC_DIR_MAX           = 4,
        IPSEC_DIR_INVALID       = 5
};

P.S. I don't know whose "our own" is - but it's not my hack. :-)

In short - tarball still not working.


----- Original Message -----
From: manu@... (Emmanuel Dreyfus)
Date: Tuesday, June 28, 2005 6:00 pm
Subject: Re: [Ipsec-tools-devel] 0.6 doesn't configure

> <urimobile@...> wrote:
> 
> > I solved those problems by simply copying stuff from relevant  
> 0.6rc1> directories to 0.6.  Probably the release tarball should be
> > updated/fixed.
> 
> I fixed and updated the tarball. It has the same name, which makes 
> sensesince it's the same tag in CVS, but it can be confusing. 
> Hint: the
> previous (wrong) file is 443088 bytes long, the good file is 660938
> bytes long.
> 
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
> 

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[<manu@ne...>]

<urimobile@...> wrote:

> In my humble opinion, "configure" part of ipsec-tools is broken. Here's why:

Somewhat broken: none of the problem you describe happen at mine.
 
> 1. It doesn't detect the correct version of OpenSSL:
> 
> checking openssl version... too old
> configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.
> 
> [root@... ~]# rpm -q openssl
> openssl-0.9.7a-40
> 
> note that adding "--with-openssl=/usr" is a tested work-around.

I have OpenSSL 0.9.7d and it is correctly detected. Can you show the
relevant part of config.log?
 
> 2. On some Linux machines it cannot detect kernel support for  NAT. When
> forced to accept kernel NAT (by hacking "configure" script), it
> correctly determines that the types present are rfc,00,02.

That one if for our Linux persons. Maybe Michal is around and can help?
We will also need a snipet of config.log 
 
> 3.  src/include-glibc and rpm directories are empty:
> 
> config.status: creating src/include-glibc/Makefile
> config.status: error: cannot find input file: src/include-glibc/Makefile.in
> 
> config.status: creating rpm/Makefile
> config.status: error: cannot find input file: rpm/Makefile.in

This was with the broken tarball I produced at once. The updated one
(it's around 660 kB large) has some content in rpm and src/include-glibc
 
> 4. FWD detection is broken: it says that FWD is not supported:
> 
> configure:26416: checking whether we support FWD policy 
> configure:26441: gcc -c -g -O2 -I/usr/include  conftest.c >&5
> In file included from conftest.c:66:
> /usr/include/linux/ipsec.h:18:22: net/sock.h: No such file or directory
> conftest.c: In function `main':
> conftest.c:72: error: `IPSEC_DIR_FWD' undeclared (first use in this function)
> conftest.c:72: error: (Each undeclared identifier is reported only once
> conftest.c:72: error: for each function it appears in.)
> 
> while on Linux 2.6.11 "IPSEC_DIR_FWD" is part of enum located in
> "linux/ipsec.h" file in the kernel includes:

I suspect your includes could be broken: the config test does include
the right file <linux/ipsec.h>. Then <linux/ipsec.h> tries to include
<net/sock.h> and fails to do so. Why? Is there some ifdef around
<net/sock.h> inclusion? Where is <net/sock.h>?  

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[Ganesan Rajagopal <rganesan@us...>]

>>>>> "urimobile" == urimobile  <urimobile@...> writes:

> In my humble opinion, "configure" part of ipsec-tools is broken. Here's why:
> 1. It doesn't detect the correct version of OpenSSL:

> checking openssl version... too old
> configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.

> [root@... ~]# rpm -q openssl
> openssl-0.9.7a-40

What does rpm -q openssl-devel say? You need the development libraries too.

Ganesan

-- 
Ganesan Rajagopal (rganesan at debian.org) | GPG Key: 1024D/5D8C12EA
Web: http://employees.org/~rganesan        | http://rganesan.blogspot.com

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[VANHULLEBUS Yvan <vanhu@fr...>]

On Wed, Jun 29, 2005 at 03:38:09PM -0400, urimobile@... wrote:
> In my humble opinion, "configure" part of ipsec-tools is broken. Here's why:
> 
> 1. It doesn't detect the correct version of OpenSSL:
> 
> checking openssl version... too old
> configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.
> 
> [root@... ~]# rpm -q openssl
> openssl-0.9.7a-40
> 
> note that adding "--with-openssl=/usr" is a tested work-around.

Check your openssl devel files, the openssl.h is used to get OpenSSL's
version.


> 2. On some Linux machines it cannot detect kernel support for
>    NAT. When forced to accept kernel NAT (by hacking "configure"
>    script), it correctly determines that the types present are
>    rfc,00,02. 

NAT-T support will be detected using kernel includes, maybe you have
problem there on some of your boxes.

And if you force NAT-T support, it will automatically enable RFC,
draft 00 and draft 02 support, without "detecting" anything.

But if such NAT-T support works on that hosts, then you "just" have
some includes problems.


[Don't know for other things]



Yvan.

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[Uri <urimobile@op...>]

Ganesan Rajagopal wrote:

>>In my humble opinion, "configure" part of ipsec-tools is broken. Here's why:
>>1. It doesn't detect the correct version of OpenSSL:
>>    
>>
>
>  
>
>>checking openssl version... too old
>>configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.
>>    
>>
>
>  
>
>>[root@... ~]# rpm -q openssl
>>openssl-0.9.7a-40
>>    
>>
>
>What does rpm -q openssl-devel say? You need the development libraries too.
>  
>
Oh, of course it says "openssl-devel-0.9.7a-40". I.e. - installed.

The weird thing is, that this darn "configure" thing detects GNUTLS and 
*not* OpenSSL!

On one machine I have gnutls-1.0.25 (and hand-compiled 1.2.4 in 
/usr/local). Configure has no problem with OpenSSL-0.9.7a there.
On another machne I have gnutls-1.0.20 - and bingo, OpenSSL-0.9.7a is 
not detected.

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[Ganesan Rajagopal <rganesan@us...>]

>>>>> "Uri" == Uri  <urimobile@...> writes:

>> What does rpm -q openssl-devel say? You need the development libraries too.
>> 
>> 
> Oh, of course it says "openssl-devel-0.9.7a-40". I.e. - installed.

> The weird thing is, that this darn "configure" thing detects GNUTLS
> and *not* OpenSSL!

Curious! AFAIK gnutls has a openssl.h header but ipsec-tools configure.ac
explicitly checks for openssl/opensslv.h header. Can you try looking at the
config.log file to see if you have a clue.

> On one machine I have gnutls-1.0.25 (and hand-compiled 1.2.4 in
> /usr/local). Configure has no problem with OpenSSL-0.9.7a there.
> On another machne I have gnutls-1.0.20 - and bingo, OpenSSL-0.9.7a is
> not detected.

Try comparing the config.log on both the machines to see if can find
something.

Ganesan

-- 
Ganesan Rajagopal (rganesan at debian.org) | GPG Key: 1024D/5D8C12EA
Web: http://employees.org/~rganesan        | http://rganesan.blogspot.com

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[Uri <urimobile@op...>]

VANHULLEBUS Yvan wrote:

>On Wed, Jun 29, 2005 at 03:38:09PM -0400, urimobile@... wrote:
>  
>
>>1. It doesn't detect the correct version of OpenSSL:
>>
>>checking openssl version... too old
>>configure: error: OpenSSL version must be 0.9.6 or higher. Aborting.
>>
>>[root@... ~]# rpm -q openssl
>>openssl-0.9.7a-40
>>
>>note that adding "--with-openssl=/usr" is a tested work-around.
>>    
>>
>
>Check your openssl devel files, the openssl.h is used to get OpenSSL's
>version.
>  
>

But!!! "openssl.h" is NOT a part of OpenSSL package. It's part of 
"gnutls".   OpenSSL lives in /usr/include/openssl DIRECTORY, and does 
not have openssl.h there (or anywhere).

So sure enough, on the machine with old gnutls and new openssl, config 
fails. So the check should stop looking for openssl.h and start looking 
for "openssl/opensslv.h" file.

>>2. On some Linux machines it cannot detect kernel support for
>>   NAT. When forced to accept kernel NAT (by hacking "configure"
>>   script), it correctly determines that the types present are
>>   rfc,00,02. 
>>    
>>
>
>NAT-T support will be detected using kernel includes, maybe you have
>problem there on some of your boxes.
>  
>
Precisely. It looks like "--with-kernel-headers=..." doesn't have the 
desired effect. Installing the entire kernel source helps, specifying 
--with-kernel-headers doesn't...

Re: [Ipsec-tools-devel] 0.6 doesn't configure

[Uri <urimobile@op...>]

Ganesan Rajagopal wrote:

>>>>>>"Uri" == Uri  <urimobile@...> writes: The weird thing is, that this darn "configure" thing detects GNUTLS
>>>>>>and *not* OpenSSL!
>>>>>>            
>>>>>>
>
>Curious! AFAIK gnutls has a openssl.h header but ipsec-tools configure.ac
>explicitly checks for openssl/opensslv.h header. Can you try looking at the
>config.log file to see if you have a clue.
>  
>
No I don't have a clue - because indeed config.log mentions 
openssl/opensslv.h and not openssl.h.

And opensslv.h clearly says VERSION "0.9.7"...

I don't know.