[Swan-dev] protoport doesn't work with klips in 3.31

Wolfgang Nothdurft wolfgang at linogate.de
Tue May 19 15:39:23 UTC 2020

On Tuesday, 19 May 2020 17:10 CEST, Paul Wouters <paul at nohats.ca> wrote: 
> On Tue, 19 May 2020, Wolfgang Nothdurft wrote:
> > Unfortunately there is another problem in the last KLIPS version 3.31, in which protoport no longer works with KLIPS.
> >
> > Unfortunately I can't find which change or which commit is responsible for it.
> We have not made any changes to KLIPS for a few releases, so you should
> be able to run git bisect between 3.27 and 3.31 for just the userland 
> install and be able to determine the offending commit. You shouldn't
> need to recompile klips during such a git bisect.

That is what I did over the last week. Not with bisect, because 3.28/3.29 didn't even compile with KLIPS on. So I tried to find related commits and reverted them, without success.
But there are many changes to protoport, kernel functions and the big change with xfrmi, etc., so my hope was that you'd say, "oh yes, we changed something related here" ;)

> > I know KLIPS should no longer be used, but since XFRMi is not yet fully usable for us and implementing it still requires a lot of effort, we have to rely on KLIPS again.
> I'm sorry you haven't been able to migrate to XFRMi yet. We know there
> are some issues left (mostly with rekeying causing packets to not
> arrive) and we are looking into that. If you have other issues, it
> would be good to report those so we can fix things in parallel instead
> of one after the other. The git master tree already has KLIPS fully
> removed. The 3.31 and 3.32 were branches of 3.30 while git master
> moved on.

The main work here would be to get this properly working in our appliance with all configuration possibilities (ikev2, l2tp, xauth, etc.). Therefore we cannot change it easily and just see what happens.

> > So at the moment I only have the option to stay at 3.27 and possibly use the most important patches and maybe some ikev2 fixes, or patch the KLIPS module, ignore the ports and, if necessary, use iptables to block all connections that do not match the protoport.
> Unfortunately, one of the reasons for dropping KLIPS is that we don't
> have the resources to maintain it. It is a lot of work we did in the
> last decade, mostly not-funded because it's not something people
> would generally fund due to it being old/obsolete technology.
> If you can do the git bisect to find the commit causing this, we can
> have a look at writing a patch for you.
> Paul
Ok, then I will continue the search or use plan B, so I can start switching to XFRMi as soon as possible. 

Thank you
