Re: [Ocf-linux-users] OCF 20080704 and 2.6.21.6 Kernel
      From: David M. <Dav...@se...> - 2008-07-17 23:29:46
Jivin "Ramon Schönborn" lays it down ...
> Hello OCF-Linux-Users,
> 
> I'm trying to run the latest OCF 20080704 Release together with
> linux-2.6.21.6 Kernel + Openswan 2.6.15dr2 on an IXP4XX Architecture.
> 
> I have a Question concerning Config Options:
> - In the OCF Package, in File linux/net/ipsec/defconfig and
> packaging/linux/Config-all.h, CONFIG_KLIPS_OCF is not set while
> CONFIG_KLIPS_ALG is set to y.
This is the default for non-ocf builds.
> According to the info in KConfig,
> KLIPS_ALG should only be disabled when OCF is used - which setting
> is right?
I thought that read "may" only be disabled when using OCF,  but perhaps
that fix got lost ;-)
> My guess is: KLIPS_ALG is necessary, but it results in Error when
> used together with KLIPS_OCF set (see ipsec_xmit.c).
If you are going to use OCF and you want to reduce the size of your
kernel then you turn on CONFIG_KLIPS_OCF and turn off CONFIG_KLIPS_ALG.
You can then disable all the crypto options in openswan IIRC,  you can
also disable most of the cryptoapi drivers.
The reason you can do this is that OCF is effectively a full replacement
for the ALG code.  And if you have a HW driver,  you do not need the SW
crypto either.
Does that make any sense ?
> Mysteriously, my IPSec tunnel is established with:
> "IPsecConn-0" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x5f6f06b7 <0x785d1973 xfrm=AES_128-HMAC_MD5 NATOA=none NATD=none DPD=none}"
> , and incoming Packets can be decrypted. Outgoing Packets instead result in increasing TX Error Counter
> and a BADALG Error Message (if both, KLIPS_ALG and KLIPS_OCF are set).
> 
> I guess there's a bug in pfkey_v2_parser.c, btw. If you compare the
> old 2.4.8 Version with the current one, a pair of curly braces changed
> the semantics.
> From Line 2126 it should be like:
> -               if ((error = ipsec_cleareroutes())) {
> +               if ((error = ipsec_cleareroutes())) 
>                         KLIPS_PRINT(debug_pfkey,
>                                     "klips_debug:pfkey_x_delflow_parse: "
>                                     "cleareroutes returned %d.\n", error);
>                         SENDERR(-error);
> -               }
> +            
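Review bot: SENDERR(-error) keeps its old indentation, but once the braces around the `if ((error = ipsec_cleareroutes()))` body are dropped it is no longer governed by the if and runs on every pass; only the KLIPS_PRINT call stays conditional (assuming KLIPS_PRINT expands to a single statement). If the unconditional SENDERR is the intended behaviour, dedent it to the level of the if and add a one-line comment saying so, so the next reader does not "fix" it by putting the braces back. The two added lines also carry trailing whitespace that should be stripped.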
That is definitely a problem but it looks like we already found it :-)
My code has the fix so I am guessing you need to try 2.6.16dr4,  which
is what I have running here.  It has settled down now but there was a "dr"
release every day there for a bit ;-)
Cheers,
Davidm
-- 
David McCullough,  dav...@se...,   Ph:+61 734352815
Secure Computing - SnapGear  http://www.uCdot.org   http://www.snapgear.com