[Swan-dev] How do I prepare my own CentOS libreswan rpm package ?
Paul Wouters
pwouters at redhat.com
Fri Mar 1 18:16:39 EET 2013
On Fri, 1 Mar 2013, T.J. Yang wrote:
> Thanks for Paul's packaging pointers, I was able to create a 3.0.1 from tip of the src tree and tested it on centos6.3 physical box.
>
> Another question, why ipsec verify is saying "13 errors" found while I count it on my screen for reds(8) and even yellows(4) ?
It is counting some failures multiple times, eg if you have lots of
interfaces with bad forward/rp_filter settings....
Paul
> [tjyang at centos63-2 ~]$ sudo ipsec verify
> Verifying installed system and configuration files
>
> Version check and ipsec on-path [OK]
> Libreswan 3.0.1 (netkey) on 2.6.32-279.22.1.el6.x86_64
> Checking for IPsec support in kernel [OK]
> NETKEY: Testing XFRM related proc values
> ICMP default/send_redirects [NOT DISABLED]
>
> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or ause sending of bogus ICMP redirects!
>
> ICMP default/accept_redirects [NOT DISABLED]
>
> Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on o cause sending of bogus ICMP redirects!
>
> XFRM larval drop [OK]
> Pluto ipsec.conf syntax [OK]
> Hardware random device [N/A]
> Two or more interfaces found, checking IP forwarding [FAILED]
> Checking rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
> /proc/sys/net/ipv4/conf/pan0/rp_filter [ENABLED]
> rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]
> Pluto listening for IKE/NAT-T on udp 4500 [OK]
> Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]
> Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]
> Pluto ipsec.secret syntax [OK]
> Checking NAT and MASQUERADEing [TEST INCOMPLETE]
> Checking 'ip' command [OK]
> Checking 'iptables' command [OK]
> Checking for obsolete ipsec.conf options [OK]
> Opportunistic Encryption [DISABLED]
>
> ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
> [tjyang at centos63-2 ~]$
>
>
>
> On Fri, Mar 1, 2013 at 6:04 AM, T.J. Yang <tjyang2001 at gmail.com> wrote:
>
>
>
> On Thu, Feb 28, 2013 at 11:02 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 28 Feb 2013, T.J. Yang wrote:
>
> I don't do linux kernel compiling and rpm packaging often, excuse me if this is not a good question.
>
>
> You should start with packaging/rhel/6/libreswan.spec
>
> It should do everything for you already? Or tell you what you need to
> install.
>
>
> I am able to build the src tree with latest patches.
>
>
> Which patches?
>
>
> Not patches exactly, I am referring to your latest two fixes for my issue report on github.
>
> https://github.com/libreswan/libreswan/commit/ab5d71709978bcdf4bed7d2927afc8f6c03aa571
>
>
>
> Following is the error log after "make programs;make module" works.
>
> [tjyang at centos631 centos]$ rpmbuild -ba libreswan.spec
> error: File /home/tjyang/rpmbuild/SOURCES/libreswan-IPSECBASEVERSION.tar.gz: No such file or directory
>
>
> If you want to package from git instead of from a full release tar ball,
> you need to do this:
>
> git tag v3.1_tjyang
> make release
>
> That will give you a tar ball where the proper version (not
> IPSECBASEVERSION) is present. That file you can use on centos:
>
> cp libreswan-3.1_tjyang.tar.gz ~/rpmbuild/SOURCES/
> tar zxf libreswan-3.1_tjyang.tar.gz
> rpmbuild -ba libreswan-3.1_tjyang/packaging/rhel/6/libreswan.spec
>
>
> Thanks for these pointers.
>
>
> Paul
>
>
>
>
> --
> T.J. Yang
>
>
>
>
> --
> T.J. Yang
>
>
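Added example, not part of the original message and not libreswan code: a per-interface audit of the three settings the quoted `ipsec verify` output flags (send_redirects, accept_redirects, rp_filter), so the hits on a host with many interfaces can be listed one by one. The function name and the optional directory argument are assumptions of this example, and its total is the script's own count, not a reproduction of the number `ipsec verify` prints.

```shell
#!/bin/sh
# Added example (not libreswan code): list every interface/setting pair
# under net/ipv4/conf that is still non-zero.
# The optional first argument (an assumption of this example) points the
# audit at another directory, e.g. a constructed tree for testing.

audit_ipsec_sysctls() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    findings=0
    # One directory per interface, plus the "all" and "default" pseudo-entries.
    for ifdir in "$conf_root"/*/; do
        [ -d "$ifdir" ] || continue
        ifname=$(basename "$ifdir")
        for key in send_redirects accept_redirects rp_filter; do
            file="$ifdir$key"
            [ -r "$file" ] || continue
            value=$(cat "$file")
            # The verify output asks for all three to be disabled (0).
            if [ "$value" != "0" ]; then
                printf '%s/%s = %s\n' "$ifname" "$key" "$value"
                findings=$((findings + 1))
            fi
        done
    done
    printf 'total: %d\n' "$findings"
}

# Audit the running system, or the directory given as the first argument.
audit_ipsec_sysctls "$@"
```

Each reported pair can be cleared with `sysctl -w net.ipv4.conf.<interface>.<setting>=0` and made persistent in /etc/sysctl.conf.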