I was able to get the openswan-modules to compile into a deb with the following
steps and the patch shown below. However, I could not establish a tunnel; as far
as I know that is not related to this bug (unless there is a compile-time
option I'm missing). Info on this is included anyway.
Linux mahogany 2.4.27-2-686 #1 Thu Jan 20 11:10:41 JST 2005 i686 GNU/Linux
openswan-modules-source: 2.3.0-2
gcc version 3.3.5 (Debian 1:3.3.5-12)
# cd /usr/src
# apt-get install kernel-source-2.4.27 kernel-headers-2.4.27-2-686
# tar xfj kernel-source-2.4.27.tar.bz2
# cp -r kernel-headers-2.4.27-2-686/* kernel-source-2.4.27
# tar xfz openswan-modules.tar.gz
# cd modules/openswan
# cp linux/net/ipsec/Makefile.fs2_4 linux/net/ipsec/Makefile
# patch -p1 < /usr/src/openswan-modules.patch (below)
# debian/rules binary-modules KVERS="2.4.27-2-686"
KSRC="/usr/src/kernel-source-2.4.27"
While the modules loaded without complaint, I could not establish a tunnel with
netgear's VPN client (3des or aes-128), an openswan 2.2.0-4 debian/testing, nor
an openswan 2.3.0-2 box. The remote debian box and netgear vpn clients work
fine with my x509 certs and a 2.2.0-4 debian/testing server.
The specific problem log entries are below, followed by the patch. Regarding
the ESP_3DES and HMAC_MD5 noted below, I had these modules loaded during
testing (noninclusive):
ipsec
ipsec_cryptoapi
ipsec_aes
aes
des
twofish
serpent
blowfish
sha1
sha256
md5
crypto_null
ipcomp
esp4
ah4
Cory
pluto[2401]: "hnr_imperial" #6: responding to Quick Mode
pluto[2401]: "hnr_imperial" #6: ESP transform ESP_3DES / auth
AUTH_ALGORITHM_HMAC_MD5 not implemented yet
pluto[2401]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto
failed for msg_type 4 (delete).
pluto[2401]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built
pfkey message, error=-22.
pluto[2401]: "hnr_imperial" #6: pfkey_msg_build of Delete SA [EMAIL PROTECTED]
failed, code -22
pluto[2401]: | pfkey_lib_debug:pfkey_msg_parse: satype 0 conversion to proto
failed for msg_type 4 (delete).
pluto[2401]: | pfkey_lib_debug:pfkey_msg_build: Trouble parsing newly built
pfkey message, error=-22.
pluto[2401]: "hnr_imperial" #6: pfkey_msg_build of Delete SA [EMAIL PROTECTED]
failed, code -22
pluto[2401]: "hnr_imperial" #6: ASSERTION FAILED at demux.c:1799:
STATE_IKE_FLOOR <= from_state && from_state <= STATE_IKE_ROOF
pluto[2401]: "hnr_imperial" #6: interface ipsec0/eth0 xx.xx.xx.xx
pluto[2401]: "hnr_imperial" #6: %myid = (none)
pluto[2401]: "hnr_imperial" #6: debug none
pluto[2401]: "hnr_imperial" #6:
pluto[2401]: "hnr_imperial" #6:
pluto[2401]: "hnr_imperial" #6: algorithm IKE encrypt: id=7,
name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
pluto[2401]: "hnr_imperial" #6: algorithm IKE encrypt: id=5,
name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
pluto[2401]: "hnr_imperial" #6: algorithm IKE hash: id=2, name=OAKLEY_SHA1,
hashsize=20
pluto[2401]: "hnr_imperial" #6: algorithm IKE hash: id=1, name=OAKLEY_MD5,
hashsize=16
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=2,
name=OAKLEY_GROUP_MODP1024, bits=1024
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=5,
name=OAKLEY_GROUP_MODP1536, bits=1536
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=14,
name=OAKLEY_GROUP_MODP2048, bits=2048
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=pluto[2401]:
"hnr_imperial" #6: algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072,
bits=3072
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=16,
name=OAKLEY_GROUP_MODP4096, bits=4096
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=17,
name=OAKLEY_GROUP_MODP6144, bits=6144
pluto[2401]: "hnr_imperial" #6: algorithm IKE dh group: id=18,
name=OAKLEY_GROUP_MODP8192, bits=8192
pluto[2401]: "hnr_imperial" #6:
pluto[2401]: "hnr_imperial" #6: stats db_ops.c: {curr_cnt,total_cnt, maxsz}
:context={0,0,0} trans={0,0,0} attrs={0,0,0}
------- openswan-modules.patch --------
diff -ru openswan.1/lib/libcrypto/libaes/Makefile
openswan/lib/libcrypto/libaes/Makefile
--- openswan.1/lib/libcrypto/libaes/Makefile 2005-01-27 09:45:13.000000000
-0800
+++ openswan/lib/libcrypto/libaes/Makefile 2005-03-24 13:19:30.000000000
-0800
@@ -14,7 +14,7 @@
# RCSID $Id: Makefile,v 1.5 2004/07/10 19:06:39 mcr Exp $
-OPENSWANSRCDIR=../../..
+OPENSWANSRCDIR=../../../../..
include ${OPENSWANSRCDIR}/Makefile.inc
include ${OPENSWANSRCDIR}/Makefile.ver
diff -ru openswan.1/linux/net/ipsec/Makefile openswan/linux/net/ipsec/Makefile
--- openswan.1/linux/net/ipsec/Makefile 2005-03-23 16:48:39.000000000 -0800
+++ openswan/linux/net/ipsec/Makefile 2005-03-24 17:24:14.000000000 -0800
@@ -170,6 +170,14 @@
#EXTRA_CFLAGS += -g
#endif
+EXTRA_CFLAGS += -include ${KLIPS_TOP}/../config-all.h
+EXTRA_CFLAGS += -I${KLIPS_TOP}/include
+EXTRA_CFLAGS += -I${TOPDIR}/include
+EXTRA_CFLAGS += -I${KLIPS_TOP}/lib/zlib
+EXTRA_CFLAGS += -Wall -D__KERNEL__ -DMODULE
+EXTRA_CFLAGS += -DCONFIG_KLIPS_DEBUG -DCONFIG_KLIPS_ESP -DCONFIG_KLIPS_ALG
+EXTRA_CFLAGS += -DCONFIG_KLIPS_IPCOMP
+
# MOST of these flags are in KERNEL_CFLAGS already!
# cannot use both -Wpointer-arith and -Werror with CONFIG_HIGHMEM
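Review bot: The `-DCONFIG_KLIPS_*` lines added after `#endif` fix the module's feature set in the Makefile, although the first added line already force-includes `config-all.h`, which is presumably where those switches are meant to come from. If that header defines the same macros they are now defined twice; if it does not, the list names no cipher or auth transform switches (KLIPS has ones such as `CONFIG_KLIPS_ENC_3DES` and `CONFIG_KLIPS_AUTH_HMAC_MD5`), which is worth checking against the "ESP_3DES / AUTH_ALGORITHM_HMAC_MD5 not implemented yet" log line, though nothing visible here proves the link. `-DCONFIG_KLIPS_DEBUG` also compiles debug code into every build of an IPsec module. I would keep the `-include` and `-I` lines, drop the two `-DCONFIG_KLIPS_*` lines, and if they must stay add a comment such as `# feature switches normally come from config-all.h; listed here only for the out-of-tree deb build`.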
@@ -181,7 +189,7 @@
#EXTRA_CFLAGS += -Wmissing-declarations
#EXTRA_CFLAGS += -Wstrict-prototypes
#EXTRA_CFLAGS += -pedantic
-#EXTRA_CFLAGS += -O3
+EXTRA_CFLAGS += -O3
#EXTRA_CFLAGS += -W
#EXTRA_CFLAGS += -Wwrite-strings
#EXTRA_CFLAGS += -Wbad-function-cast
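Review bot: Uncommenting `EXTRA_CFLAGS += -O3` changes the optimisation level of kernel-mode crypto and packet code as a side effect of a build fix, and the same flag is added in the `alg/Makefile` hunk (`override EXTRA_CFLAGS += -DMODULE -O3`). The comment a few lines above says most flags already come from KERNEL_CFLAGS, so the kernel's own optimisation level is probably already in effect and this overrides it. More aggressive inlining can increase stack use, which is tight in kernel context, and it makes the module differ from how the rest of the kernel was built. Unless it is needed for the module to compile, leave the line commented out: `#EXTRA_CFLAGS += -O3`.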
diff -ru openswan.1/linux/net/ipsec/alg/Makefile
openswan/linux/net/ipsec/alg/Makefile
--- openswan.1/linux/net/ipsec/alg/Makefile 2005-01-27 09:45:13.000000000
-0800
+++ openswan/linux/net/ipsec/alg/Makefile 2005-03-24 17:48:21.000000000
-0800
@@ -13,6 +13,9 @@
override EXTRA_CFLAGS += -g
endif
+override EXTRA_CFLAGS += -include ${TOPDIR}/include/linux/modversions.h
+override EXTRA_CFLAGS += -DMODULE -O3
+
# LIBCRYPTO normally comes as an argument from "parent" Makefile
# (this applies both to FS' "make module" and eg. Linux' "make modules"
# But make dep doest follow same evaluations, so we need this default:
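Review bot: The added `-include ${TOPDIR}/include/linux/modversions.h` is unconditional, so the algorithm modules are built with versioned symbols whether or not the target kernel has module versioning enabled. On a kernel configured without it, the header may be missing or the symbol names will not match, and the modules then fail to build or load. I would guard it on the kernel configuration, for example `ifdef CONFIG_MODVERSIONS` / `override EXTRA_CFLAGS += -DMODVERSIONS -include ${TOPDIR}/include/linux/modversions.h` / `endif`. The `override` also means a caller cannot remove these flags from the command line, which deserves a one-line comment.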
@@ -80,7 +83,7 @@
rm -f $@
$(LD) $(LD_EXTRAFLAGS) $(obj-y) -r -o $@
-perlasm: $(LIBCRYPTO)/perlasm
+perlasm: $(LIBCRYPTO)/libdes/asm/perlasm
ln -sf $? $@
$(obj-y) $(obj-m): $(TOPDIR)/include/linux/config.h
$(TOPDIR)/include/linux/autoconf.h $(KLIPS_TOP)/include/freeswan/ipsec_alg.h
diff -ru openswan.1/linux/net/ipsec/alg/ipsec_alg_aes.c
openswan/linux/net/ipsec/alg/ipsec_alg_aes.c
--- openswan.1/linux/net/ipsec/alg/ipsec_alg_aes.c 2005-01-27
09:45:13.000000000 -0800
+++ openswan/linux/net/ipsec/alg/ipsec_alg_aes.c 2005-03-24
13:19:41.000000000 -0800
@@ -46,8 +46,8 @@
#endif
/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
-#include "libaes/aes_cbc.h"
+#include "openswan/ipsec_alg.h"
+#include "crypto/aes_cbc.h"
#define CONFIG_IPSEC_ALG_AES_MAC 1
@@ -65,7 +65,7 @@
MODULE_PARM(keymaxbits, "i");
#if CONFIG_IPSEC_ALG_AES_MAC
-#include "libaes/aes_xcbc_mac.h"
+#include "crypto/aes_xcbc_mac.h"
/*
* Not IANA number yet (draft-ietf-ipsec-ciph-aes-xcbc-mac-00.txt).
diff -ru openswan.1/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
openswan/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c
--- openswan.1/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c 2005-01-27
09:45:13.000000000 -0800
+++ openswan/linux/net/ipsec/alg/ipsec_alg_cryptoapi.c 2005-03-24
13:19:41.000000000 -0800
@@ -57,7 +57,7 @@
#define NO_CRYPTOAPI_SUPPORT
#endif
/* Low freeswan header coupling */
-#include "freeswan/ipsec_alg.h"
+#include "openswan/ipsec_alg.h"
#include <linux/crypto.h>
#ifdef CRYPTO_API_VERSION_CODE
diff -ru openswan.1/linux/net/ipsec/ipsec_init.c
openswan/linux/net/ipsec/ipsec_init.c
--- openswan.1/linux/net/ipsec/ipsec_init.c 2005-01-27 09:45:13.000000000
-0800
+++ openswan/linux/net/ipsec/ipsec_init.c 2005-03-24 13:19:41.000000000
-0800
@@ -151,14 +151,14 @@
static inline int
openswan_inet_add_protocol(struct inet_protocol *prot, unsigned protocol)
{
- inet_add_protocol(prot);
+ inet_add_protocol(prot, protocol);
return 0;
}
static inline int
openswan_inet_del_protocol(struct inet_protocol *prot, unsigned protocol)
{
- inet_del_protocol(prot);
+ inet_del_protocol(prot, protocol);
return 0;
}
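Review bot: Both wrappers still discard the result of the call and return 0, so a failed protocol registration is reported to the caller as success. If the two-argument `inet_add_protocol()` in this kernel returns a status, as it does in 2.6, the wrappers should pass it on: `return inet_add_protocol(prot, protocol);` and `return inet_del_protocol(prot, protocol);`. This matters here because the report lists `esp4` and `ah4` loaded next to `ipsec`. If those already own the ESP and AH protocol slots, KLIPS's registration may fail silently and no tunnel traffic would reach it. Any preprocessor condition selecting this variant lies outside the hunk, so confirm that kernels with the one-argument form still take the old calls.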