[Swan-dev] How do I prepare my own CentOS libreswan rpm package ?

T.J. Yang tjyang2001 at gmail.com
Fri Mar 1 17:08:15 EET 2013


Thanks for Paul's packaging pointers, I was able to create a 3.0.1 from tip
of the src tree and tested it on a centos6.3 physical box.

Another question, why is ipsec verify saying "13 errors" found while I
count it on my screen for reds(8) and even yellows(4)?

[tjyang at centos63-2 ~]$ sudo ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.0.1 (netkey) on 2.6.32-279.22.1.el6.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act
on or ause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause
act on o cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Hardware random device                                  [N/A]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/pan0/rp_filter                 [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
 Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
 Pluto ipsec.secret syntax                              [OK]
Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking for obsolete ipsec.conf options                [OK]
Opportunistic Encryption                                [DISABLED]

ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
[tjyang at centos63-2 ~]$



On Fri, Mar 1, 2013 at 6:04 AM, T.J. Yang <tjyang2001 at gmail.com> wrote:

>
>
>
> On Thu, Feb 28, 2013 at 11:02 PM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Thu, 28 Feb 2013, T.J. Yang wrote:
>>
>>  I don't do linux kernel compiling and rpm packaging often, excuse me if
>>> this is not a good question.
>>>
>>
>> You should start with packaging/rhel/6/libreswan.spec
>>
>> It should do everything for you already? Or tell you what you need to
>> install.
>>
>>
>>
>>  I am able to build the src tree with latest patches.
>>>
>>
>> Which patches?
>
>
> Not patches exactly, I am referring to your latest two fixes for my issue
> report on github.
>
>
> https://github.com/libreswan/libreswan/commit/ab5d71709978bcdf4bed7d2927afc8f6c03aa571
>
>
>>
>>
>>  Following is the error log after "make programs;make module" works.
>>>
>>> [tjyang at centos631 centos]$ rpmbuild -ba libreswan.spec
>>> error: File /home/tjyang/rpmbuild/SOURCES/libreswan-IPSECBASEVERSION.tar.gz: No such file or directory
>>>
>>
>> If you want to package from git instead of from a full release tar ball,
>> you need to do this:
>>
>> git tag v3.1_tjyang
>> make release
>>
>> That will give you a tar ball where the proper version (not
>> IPSECBASEVERSION) is present. That file you can use on centos:
>>
>> cp libreswan-3.1_tjyang.tar.gz ~/rpmbuild/SOURCES/
>> tar zxf libreswan-3.1_tjyang.tar.gz
>> rpmbuild -ba libreswan-3.1_tjyang/packaging/rhel/6/libreswan.spec
>>
>>
> Thanks for these pointers.
>
>
>
>>  Paul
>>
>
>
>
> --
> T.J. Yang
>



-- 
T.J. Yang
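
The three per-interface settings that the `ipsec verify` output above says should be disabled (send_redirects, accept_redirects, rp_filter) can be listed with a short script. This is an added example, not part of the original message or of libreswan; the function names are hypothetical and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not libreswan code): list the per-interface settings that
# the 'ipsec verify' output above says should be disabled (value 0).
# audit_ipsec_sysctls and make_sample_tree are hypothetical helper names.

# Print "<interface>/<key>=<value>" for every flagged key that is not 0.
# $1: directory to scan (defaults to the live kernel tree).
# Returns 0 when nothing is flagged, 1 otherwise.
audit_ipsec_sysctls() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    status=0
    for dir in "$conf_root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in send_redirects accept_redirects rp_filter; do
            file="$dir$key"
            [ -r "$file" ] || continue
            value=$(cat "$file")
            if [ "$value" != "0" ]; then
                echo "$iface/$key=$value"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample tree so the check can be tried without touching /proc.
# Prints the path of the temporary directory it creates.
make_sample_tree() {
    root=$(mktemp -d)
    for iface in default eth0; do
        mkdir -p "$root/$iface"
        echo 1 > "$root/$iface/send_redirects"
        echo 0 > "$root/$iface/accept_redirects"
        echo 1 > "$root/$iface/rp_filter"
    done
    echo 0 > "$root/eth0/rp_filter"
    echo "$root"
}
```

Calling `audit_ipsec_sysctls` with no argument reads the live values under /proc/sys/net/ipv4/conf; any line it prints is a setting the verify output would flag.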