Openswan in 2.6 kernel with KLIPS

See also: Networking in Linux, IPSec, 26sec, Openswan

Compiling the kernel

Configuration: when going through the options, the following changes need to be made. All are in the networking options.

  1. The PF KEY sockets option should be either modular or unset.
  2. The IPSEC NAT-Traversal (KLIPS compatible) option should be compiled in the kernel.
  3. The Openswan IPsec (KLIPS26) option should be compiled in the kernel. Then enter the KLIPS options and enable every option apart from the CryptoAPI algorithm interface option.

For compile errors, see Troubleshooting.

Compile KLIPS modules only (new way)

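Download the latest Openswan source (2.6.22, for instance), then build and install it:

 # build the Debian packages from the source tree
 dpkg-buildpackage -b
 # run from the directory holding the built packages (the parent of the source tree)
 dpkg -i *.deb
 # install the kernel headers that match the target kernel before building the module
 cd /usr/src/modules/openswan/
 make KERNELSRC=/usr/src/linux-headers-2.6.26-2-686/ module minstall programs install
 depmod -a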

ipsec.conf

config setup
	......
	# which IPsec stack to use. netkey,klips,mast,auto or none
	protostack=klips

To verify that everything works:

root@rt:/usr/src/modules/openswan# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             	[OK]
Linux Openswan 2.6.22 (klips)
Checking for IPsec support in kernel                        	[OK]
KLIPS detected, checking for NAT Traversal support          	[OK]
Checking for RSA private key (/etc/ipsec.secrets)           	[OK]
Checking that pluto is running                              	[OK]
Two or more interfaces found, checking IP forwarding        	[OK]
Checking NAT and MASQUERADEing                              	[OK]
Checking for 'ip' command                                   	[OK]
Checking for 'iptables' command                             	[OK]
Opportunistic Encryption Support                            	[DISABLED]
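
The check above can be scripted so that a host that silently came up on a different stack, or with a failed check, is caught. This is an added example, not part of the original page or of Openswan: it parses `ipsec verify` output and compares the reported stack with protostack= from ipsec.conf. The function names, the sample text and the /etc/ipsec.conf path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Openswan project); function names are hypothetical.

# Print the protostack= value from an ipsec.conf-style file (last one wins).
conf_protostack() {
    sed -n 's/^[[:space:]]*protostack[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" |
        tail -n 1
}

# Read `ipsec verify` output on stdin; $1 is the expected stack, e.g. klips.
# Prints one FAIL line per problem and returns non-zero if there were any.
check_verify() {
    awk -v want="$1" '
        # Version line, e.g.: Linux Openswan 2.6.22 (klips)
        /^Linux Openswan / { stack = $NF; gsub(/[()]/, "", stack) }
        # Check lines end in a bracketed status such as [OK] or [DISABLED].
        match($0, /\[[^]]+\][ \t]*$/) {
            status = substr($0, RSTART + 1); sub(/\][ \t]*$/, "", status)
            name = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", name)
            # Assumption: Opportunistic Encryption may be DISABLED, as in the
            # working output on this page; any other non-OK status is a failure.
            if (status == "OK") next
            if (name ~ /^Opportunistic Encryption/ && status == "DISABLED") next
            print "FAIL: " name " [" status "]"; bad++
        }
        END {
            if (stack != want) {
                print "FAIL: running stack \"" stack "\", expected \"" want "\""
                bad++
            }
            exit (bad > 0)
        }'
}

# Constructed sample in the format of the output shown above.
SAMPLE='Linux Openswan 2.6.22 (klips)
Checking for IPsec support in kernel    [OK]
Checking that pluto is running          [OK]
Opportunistic Encryption Support        [DISABLED]'
printf '%s\n' "$SAMPLE" | check_verify klips && echo "stack and checks OK"

# On a real host (assumes ipsec.conf is at /etc/ipsec.conf):
#   ipsec verify | check_verify "$(conf_protostack /etc/ipsec.conf)"
```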

Troubleshooting

klips26 < 2.4.6 & kernel 2.6.17.x

 net/ipsec/aes/ipsec_alg_aes.c:82: error: syntax error before string constant

See: BUG

Apply this patch: http://bugs.xelerance.com/view.php?id=636. This should be fixed in Openswan 2.4.6.