Openswan in 2.6 kernel with KLIPS
see also: Networking in linux, IPSec, 26sec, Openswan
Compiling the kernel
- get linux 2.6 source
- apply KLIPS26 patch from www.openswan.org
- apply NAT-T (KLIPS) patch from www.openswan.org
Configuration: when going through the options, the following changes need to be made. All are in the networking options.
- The PF KEY sockets option should be either modular or unset.
- The IPSEC NAT-Traversal (KLIPS compatible) option should be compiled into the kernel.
- The Openswan IPsec (KLIPS26) option should be compiled into the kernel. Then enter the KLIPS options and enable every option apart from the CryptoAPI algorithm interface option.
For all compile errors, see Troubleshooting.
Compile KLIPS modules only (new way)
- Download the latest Openswan source (2.6.22, for instance).
- Build and install the packages:
    dpkg-buildpackage -b
    dpkg -i *.deb
- Install the kernel headers.
- Build and install the KLIPS module and the programs:
    /usr/src/modules/openswan/# make KERNELSRC=/usr/src/linux-headers-2.6.26-2-686/ module minstall programs install
    depmod -a
ipsec.conf
    config setup
        ......
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=klips
To verify that everything works:
    root@rt:/usr/src/modules/openswan# ipsec verify
    Checking your system to see if IPsec got installed and started correctly:
    Version check and ipsec on-path                             [OK]
    Linux Openswan 2.6.22 (klips)
    Checking for IPsec support in kernel                        [OK]
    KLIPS detected, checking for NAT Traversal support          [OK]
    Checking for RSA private key (/etc/ipsec.secrets)           [OK]
    Checking that pluto is running                              [OK]
    Two or more interfaces found, checking IP forwarding        [OK]
    Checking NAT and MASQUERADEing                              [OK]
    Checking for 'ip' command                                   [OK]
    Checking for 'iptables' command                             [OK]
    Opportunistic Encryption Support                            [DISABLED]
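The `ipsec verify` output above can be turned into a pass/fail gate, so that a host silently falling back to another stack, or a failed check, stops a provisioning script. This is an added example, not part of the original page or of Openswan; the function names are hypothetical, the embedded sample is constructed from the output shown above, and it assumes plain-text output with one check per line.

```shell
# Added example: gate on `ipsec verify` output. Function names are
# hypothetical; the sample below is constructed from the page's output.
sample_verify_output() {
cat <<'EOF'
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                         [OK]
Linux Openswan 2.6.22 (klips)
Checking for IPsec support in kernel                    [OK]
KLIPS detected, checking for NAT Traversal support      [OK]
Checking for RSA private key (/etc/ipsec.secrets)       [OK]
Checking that pluto is running                          [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking NAT and MASQUERADEing                          [OK]
Checking for 'ip' command                               [OK]
Checking for 'iptables' command                         [OK]
Opportunistic Encryption Support                        [DISABLED]
EOF
}

# check_verify STACK: read verify output on stdin; exit 0 only if the
# banner names STACK and every check is [OK]. Assumption: a [DISABLED]
# Opportunistic Encryption line is acceptable, as in the output above.
check_verify() {
    awk -v want="$1" '
    /^Linux Openswan / {                      # version banner
        if (match($0, /\([a-z]+\)/))
            stack = substr($0, RSTART + 1, RLENGTH - 2)
        next
    }
    match($0, /\[[^]]+\][ \t]*$/) {           # line ending in [STATUS]
        name = substr($0, 1, RSTART - 1); sub(/[ \t]+$/, "", name)
        status = substr($0, RSTART + 1); sub(/\][ \t]*$/, "", status)
        if (status == "OK") next
        if (status == "DISABLED" && name ~ /^Opportunistic Encryption/) next
        printf "FAIL: %s [%s]\n", name, status; bad++
    }
    END {
        if (stack != want) {
            printf "FAIL: stack is \"%s\", expected \"%s\"\n", stack, want
            bad++
        }
        exit (bad > 0)
    }'
}

# On a live host: ipsec verify 2>&1 | check_verify klips
sample_verify_output | check_verify klips && echo "verify gate passed"
```

Any status other than `[OK]` is reported with the name of the check, and a banner naming a stack other than the one requested fails the gate even when every check passes.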
Troubleshooting
klips26 < 2.4.6 & kernel 2.6.17.x
net/ipsec/aes/ipsec_alg_aes.c:82: error: syntax error before string constant
See: BUG
Apply this patch: http://bugs.xelerance.com/view.php?id=636. This should be fixed in Openswan 2.4.6.