[Swan-dev] How do I prepare my own CentOS libreswan rpm package ?

Paul Wouters pwouters at redhat.com
Fri Mar 1 18:16:39 EET 2013


On Fri, 1 Mar 2013, T.J. Yang wrote:

> Thanks for Paul's packaging pointers, I was able to create a 3.0.1 from tip of the src tree and tested it on centos6.3 physical box.
> 
> Another question, why is ipsec verify saying "13 errors" found while I count it on my screen for reds(8) and even yellows(4)?

It is counting some failures multiple times, e.g. if you have lots of
interfaces with bad forward/rp_filter settings....

Paul

> [tjyang at centos63-2 ~]$ sudo ipsec verify
> Verifying installed system and configuration files
> 
> Version check and ipsec on-path                         [OK]
> Libreswan 3.0.1 (netkey) on 2.6.32-279.22.1.el6.x86_64
> Checking for IPsec support in kernel                    [OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects                    [NOT DISABLED]
> 
>   Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or ause sending of bogus ICMP redirects!
> 
>          ICMP default/accept_redirects                  [NOT DISABLED]
> 
>   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on o cause sending of bogus ICMP redirects!
> 
>          XFRM larval drop                               [OK]
> Pluto ipsec.conf syntax                                 [OK]
> Hardware random device                                  [N/A]
> Two or more interfaces found, checking IP forwarding    [FAILED]
> Checking rp_filter                                      [ENABLED]
>  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
>  /proc/sys/net/ipv4/conf/lo/rp_filter                   [ENABLED]
>  /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
>  /proc/sys/net/ipv4/conf/pan0/rp_filter                 [ENABLED]
>   rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running                          [OK]
>  Pluto listening for IKE on udp 500                     [OK]
>  Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
>  Pluto listening for IKE/NAT-T on udp 4500              [OK]
>  Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
>  Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
>  Pluto ipsec.secret syntax                              [OK]
> Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
> Checking 'ip' command                                   [OK]
> Checking 'iptables' command                             [OK]
> Checking for obsolete ipsec.conf options                [OK]
> Opportunistic Encryption                                [DISABLED]
> 
> ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
> [tjyang at centos63-2 ~]$
> 
> On Fri, Mar 1, 2013 at 6:04 AM, T.J. Yang <tjyang2001 at gmail.com> wrote:
> 
> > On Thu, Feb 28, 2013 at 11:02 PM, Paul Wouters <paul at nohats.ca> wrote:
> > 
> > > On Thu, 28 Feb 2013, T.J. Yang wrote:
> > > 
> > > > I don't do linux kernel compiling and rpm packaging often, excuse me if this is not a
> > > > good question.
> > > 
> > > You should start with packaging/rhel/6/libreswan.spec
> > > 
> > > It should do everything for you already? Or tell you what you need to
> > > install.
> > > 
> > > > I am able to build the src tree with latest patches.
> > > 
> > > Which patches?
> > 
> > Not patches exactly, I am referring to your latest two fixes for my issue report on github.
> > 
> > https://github.com/libreswan/libreswan/commit/ab5d71709978bcdf4bed7d2927afc8f6c03aa571
> > 
> > > > Following is the error log after "make programs;make module" works.
> > > > 
> > > > [tjyang at centos631 centos]$ rpmbuild -ba libreswan.spec
> > > > error: File /home/tjyang/rpmbuild/SOURCES/libreswan-IPSECBASEVERSION.tar.gz: No such file or directory
> > > 
> > > If you want to package from git instead of from a full release tar ball,
> > > you need to do this:
> > > 
> > > git tag v3.1_tjyang
> > > make release
> > > 
> > > That will give you a tar ball where the proper version (not
> > > IPSECBASEVERSION) is present. That file you can use on centos:
> > > 
> > > cp libreswan-3.1_tjyang.tar.gz ~/rpmbuild/SOURCES/
> > > tar zxf libreswan-3.1_tjyang.tar.gz
> > > rpmbuild -ba libreswan-3.1_tjyang/packaging/rhel/6/libreswan.spec
> > 
> > Thanks for these pointers.
> > 
> > > Paul
> > 
> > --
> > T.J. Yang
> 
> --
> T.J. Yang
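Paul's explanation of the "13 errors" (one bad setting is counted once per interface) can be seen with a small audit script. The script below is an added example for this archive page; it is not part of the thread and not libreswan's own ipsec verify. It re-checks the sysctls that the verify output above flags (send_redirects, accept_redirects and rp_filter for every entry under net/ipv4/conf/, plus ip_forward), reading them from a sysctl root that defaults to /proc/sys so that a fixture directory can stand in for a live host. The expected values (0 for the redirect and rp_filter keys, 1 for ip_forward on a gateway) are taken from the messages in the verify output; the exact accounting inside the real ipsec verify may differ, and the constructed fixture simply mirrors the four interfaces (default, lo, eth0, pan0) shown in the thread.

```sh
#!/bin/sh
# Added example (not libreswan code): count NETKEY/XFRM sysctl problems the way
# "ipsec verify" does, once per interface, and print the sysctl.conf lines that
# would clear them. ROOT defaults to /proc/sys; any other root is a fixture.

# check_one PATH EXPECTED: print one line if PATH is readable and holds another value.
check_one() {
    [ -r "$1" ] || return 0
    read -r value < "$1" || return 0
    [ "$value" = "$2" ] || printf '%s=%s (expected %s)\n' "$1" "$value" "$2"
}

# Print one "path=value (expected N)" line per failing setting under ROOT.
xfrm_sysctl_errors() {
    root="${1:-/proc/sys}"
    # ip_forward is global: a gateway with two or more interfaces needs it on (assumed 1).
    check_one "$root/net/ipv4/ip_forward" 1
    # The three per-interface keys are checked for every entry under conf/,
    # including "default", so one misconfiguration is counted once per interface.
    for dir in "$root"/net/ipv4/conf/*/; do
        [ -d "$dir" ] || continue
        check_one "${dir}send_redirects"   0
        check_one "${dir}accept_redirects" 0
        check_one "${dir}rp_filter"        0
    done
}

# Print only the number of failing settings (the figure verify reports as "errors").
xfrm_sysctl_count() {
    xfrm_sysctl_errors "$1" | wc -l | tr -d ' '
}

# Turn each failure into a sysctl.conf line, e.g. "net.ipv4.conf.eth0.rp_filter = 0".
xfrm_sysctl_fix() {
    xfrm_sysctl_errors "$1" \
        | sed -e 's#^.*/net/#net/#' -e 's#=.* (expected \([01]\))$# = \1#' -e 's#/#.#g'
}

# Constructed fixture resembling the host in the thread: four conf/ entries with
# rp_filter on and ICMP redirects enabled, and IP forwarding off.
make_fixture() {
    root="$1"
    mkdir -p "$root/net/ipv4"
    printf '0\n' > "$root/net/ipv4/ip_forward"
    for ifc in default lo eth0 pan0; do
        mkdir -p "$root/net/ipv4/conf/$ifc"
        printf '1\n' > "$root/net/ipv4/conf/$ifc/send_redirects"
        printf '1\n' > "$root/net/ipv4/conf/$ifc/accept_redirects"
        printf '1\n' > "$root/net/ipv4/conf/$ifc/rp_filter"
    done
}

# Stand-alone run: audit the live host (or the root given as $1), then print the fix.
xfrm_sysctl_errors "$1"
echo "errors: $(xfrm_sysctl_count "$1")"
xfrm_sysctl_fix "$1"
```

On the fixture the count comes out at 13 (1 for ip_forward plus 3 keys times 4 conf entries), which is the same arithmetic Paul describes: fix the four rp_filter entries and the count drops by four at once. The lines from xfrm_sysctl_fix can go into /etc/sysctl.conf and be applied with sysctl -p.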

