[Swan-dev] How do I prepare my own CentOS libreswan rpm package ?
T.J. Yang
tjyang2001 at gmail.com
Fri Mar 1 17:08:15 EET 2013
Thanks for Paul's packaging pointers. I was able to create a 3.0.1 from the tip
of the src tree and tested it on a centos6.3 physical box.
Another question: why is ipsec verify saying "13 errors" found, while I
count on my screen reds (8) and even yellows (4)?
[tjyang at centos63-2 ~]$ sudo ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.0.1 (netkey) on 2.6.32-279.22.1.el6.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act
on or ause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause
act on o cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Hardware random device [N/A]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/pan0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
Pluto ipsec.secret syntax [OK]
Checking NAT and MASQUERADEing [TEST INCOMPLETE]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking for obsolete ipsec.conf options [OK]
Opportunistic Encryption [DISABLED]
ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
[tjyang at centos63-2 ~]$
On Fri, Mar 1, 2013 at 6:04 AM, T.J. Yang <tjyang2001 at gmail.com> wrote:
>
>
>
> On Thu, Feb 28, 2013 at 11:02 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Thu, 28 Feb 2013, T.J. Yang wrote:
>>
>> I don't do linux kernel compiling and rpm packaging often, excuse me if
>>> this is not a good
>>> question.
>>>
>>
>> You should start with packaging/rhel/6/libreswan.spec
>>
>> It should do everything for you already? Or tell you what you need to
>> install.
>>
>>
>>
>> I am able to build the src tree with latest patches.
>>>
>>
>> Which patches?
>
>
> Not patches exactly, I am referring to your latest two fixes for my issue
> report on github.
>
>
> https://github.com/libreswan/libreswan/commit/ab5d71709978bcdf4bed7d2927afc8f6c03aa571
>
>
>>
>>
>> Following is the error log after "make programs;make module" works.
>>>
>>> [tjyang at centos631 centos]$ rpmbuild -ba libreswan.spec
>>> error: File /home/tjyang/rpmbuild/SOURCES/libreswan-IPSECBASEVERSION.tar.gz: No such file or directory
>>>
>>
>> If you want to package from git instead of from a full release tar ball,
>> you need to do this:
>>
>> git tag v3.1_tjyang
>> make release
>>
>> That will give you a tar ball where the proper version (not
>> IPSECBASEVERSION) is present. That file you can use on centos:
>>
>> cp libreswan-3.1_tjyang.tar.gz ~/rpmbuild/SOURCES/
>> tar zxf libreswan-3.1_tjyang.tar.gz
>> rpmbuild -ba libreswan-3.1_tjyang/packaging/rhel/6/libreswan.spec
>>
>>
> Thanks for these pointers.
>
>
>
>> Paul
>>
>
>
>
> --
> T.J. Yang
>
--
T.J. Yang
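
The following is an added example, not part of the original message or of libreswan: a small shell function that lists the per-interface settings the "ipsec verify" output above flags (send_redirects, accept_redirects, rp_filter) wherever they are not 0. The function name and its optional directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not libreswan code): list the per-interface sysctls that
# "ipsec verify" reported as [NOT DISABLED] / [ENABLED] in the output above.
# audit_ipsec_sysctls is a hypothetical helper name. The optional argument
# is an assumed override of the conf directory so the check can be run
# against a copy or a test tree instead of the live /proc.
#
# Usage: audit_ipsec_sysctls            (checks /proc/sys/net/ipv4/conf)
#        audit_ipsec_sysctls /some/dir  (checks a directory of the same layout)
audit_ipsec_sysctls() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"

    for iface_dir in "$conf_root"/*/; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$iface_dir" ] || continue
        iface=$(basename "$iface_dir")

        for knob in send_redirects accept_redirects rp_filter; do
            f="${iface_dir}${knob}"
            [ -r "$f" ] || continue
            val=$(cat "$f")

            # 0 means disabled. Any other value is reported, including
            # rp_filter=2 (loose mode), because the verify output asks for
            # rp_filter to be disabled outright.
            if [ "$val" != "0" ]; then
                echo "$iface/$knob=$val"
            fi
        done
    done
    return 0
}
```

Each output line has the form interface/setting=value; no output means every checked setting is already 0.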