====== Openswan in 2.6 kernel with KLIPS ======

see also: [[:linux:networking|Networking in linux]], [[:ipsec|IPSec]], [[:openswan:26sec]], [[:openswan|Openswan]]

===== Compiling the kernel =====

  * get linux 2.6 source
  * apply KLIPS26 patch from www.openswan.org
  * apply NAT-T (KLIPS) patch from www.openswan.org

**configuration:**

When going through the options, the following changes need to be made. All are in the networking options.

  - The **''PF KEY''** sockets option should be __either modular or unset__.
  - The **''IPSEC NAT-Traversal (KLIPS compatible)''** option should be compiled in the kernel.
  - The Openswan IPsec **''(KLIPS26)''** option should __be compiled in the kernel__. Then enter the ''KLIPS'' options and enable every option apart from the ''CryptoAPI'' algorithm interface option.

**for all the compiling errors see ''troubleshooting''**.

===== Compile KLIPS modules only (new way) =====

Download the latest and greatest Openswan source (2.6.22 for instance), then build and install the packages:

  dpkg-buildpackage -b
  dpkg -i *.deb

Install kernel-headers, then build:

  /usr/src/modules/openswan/# make KERNELSRC=/usr/src/linux-headers-2.6.26-2-686/ module minstall programs install
  depmod -a

''**ipsec.conf**''

  config setup
          ......
          # which IPsec stack to use. netkey,klips,mast,auto or none
          protostack=klips

To verify that everything works:

  root@rt:/usr/src/modules/openswan# ipsec verify
  Checking your system to see if IPsec got installed and started correctly:
  Version check and ipsec on-path                                 [OK]
  Linux Openswan 2.6.22 (klips)
  Checking for IPsec support in kernel                            [OK]
  KLIPS detected, checking for NAT Traversal support              [OK]
  Checking for RSA private key (/etc/ipsec.secrets)               [OK]
  Checking that pluto is running                                  [OK]
  Two or more interfaces found, checking IP forwarding            [OK]
  Checking NAT and MASQUERADEing                                  [OK]
  Checking for 'ip' command                                       [OK]
  Checking for 'iptables' command                                 [OK]
  Opportunistic Encryption Support                                [DISABLED]

===== Troubleshooting =====

==== klips26 < 2.4.6 & kernel 2.6.17.x ====

  net/ipsec/aes/ipsec_alg_aes.c:82: error: syntax error before string constant

See: [[http://bugs.xelerance.com/view.php?id=647|BUG]]

**Apply {{openswan:openswan-2.4.5-linux-2.6.17.patch|this}} patch:** [[http://bugs.xelerance.com/view.php?id=636]], this should be fixed in Openswan 2.4.6.
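For the ''ipsec verify'' step and the ''protostack=klips'' setting in "Compile KLIPS modules only" above, an added shell example (not part of the original page or of Openswan) that turns the manual check into a pass/fail gate, so a silent fallback to another stack is noticed. The function names are hypothetical, the sample outputs are constructed, and treating any status other than ''[OK]'' or ''[DISABLED]'' as a problem is an assumption.

```shell
#!/bin/sh
# Added example: gate on `ipsec verify` output and on ipsec.conf's protostack.
# Assumption: any bracketed status other than [OK] or [DISABLED] needs attention.

# Print the effective protostack value from ipsec.conf text on stdin
# (comments stripped, last assignment wins).
conf_protostack() {
    sed -e 's/#.*//' | awk -F= '
        /^[ \t]*protostack[ \t]*=/ { gsub(/[ \t]/, "", $2); v = $2 }
        END { print v }'
}

# Read `ipsec verify` output on stdin. Succeeds only if the banner reports the
# klips stack and every status is [OK] or [DISABLED]; prints offending lines.
verify_is_klips_ok() {
    awk '
        /Linux Openswan/ { if ($0 ~ /\(klips\)/) klips = 1 }
        /\[[A-Z]+\][ \t]*$/ {
            if ($0 !~ /\[(OK|DISABLED)\][ \t]*$/) { print "CHECK: " $0; bad++ }
        }
        END {
            if (!klips) { print "CHECK: stack is not klips"; bad++ }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample, shortened from the output shown on this page.
SAMPLE_GOOD='Version check and ipsec on-path [OK]
Linux Openswan 2.6.22 (klips)
Checking for IPsec support in kernel [OK]
Opportunistic Encryption Support [DISABLED]'

# Constructed failing sample: a different stack and one failed check.
SAMPLE_BAD='Version check and ipsec on-path [OK]
Linux Openswan 2.6.22 (netkey)
Checking that pluto is running [FAILED]'

# With --live, check the real system instead of the embedded samples.
if [ "${1:-}" = "--live" ]; then
    [ "$(conf_protostack < /etc/ipsec.conf)" = "klips" ] || echo "CHECK: protostack is not klips"
    ipsec verify 2>&1 | verify_is_klips_ok
fi
```

Run it with ''--live'' as root after ''depmod -a'' and a restart of the ipsec service; a non-zero exit status means at least one line needs review.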