<div dir="ltr"><div style>Thanks for Paul's packaging pointers, I was able to create a 3.0.1 from tip of the src tree and tested it on centos6.3 physical box.</div><div style><br></div><div style>Another question, why ipsec verify is saying "13 errors" found while I count it on my scree for reds(8) and even yellows(4) ?</div>
<div style><br></div><div>[tjyang@centos63-2 ~]$ sudo ipsec verify</div><div>Verifying installed system and configuration files</div><div><br></div><div>Version check and ipsec on-path [OK]</div><div>
Libreswan 3.0.1 (netkey) on 2.6.32-279.22.1.el6.x86_64</div><div>Checking for IPsec support in kernel [OK]</div><div> NETKEY: Testing XFRM related proc values</div><div> ICMP default/send_redirects [NOT DISABLED]</div>
<div><br></div><div> Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause act on or ause sending of bogus ICMP redirects!</div><div><br></div><div> ICMP default/accept_redirects [NOT DISABLED]</div>
<div><br></div><div> Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will cause act on o cause sending of bogus ICMP redirects!</div><div><br></div><div> XFRM larval drop [OK]</div>
<div>Pluto ipsec.conf syntax [OK]</div><div>Hardware random device [N/A]</div><div>Two or more interfaces found, checking IP forwarding [FAILED]</div><div>
Checking rp_filter [ENABLED]</div><div> /proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]</div><div> /proc/sys/net/ipv4/conf/lo/rp_filter [ENABLED]</div>
<div> /proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]</div><div> /proc/sys/net/ipv4/conf/pan0/rp_filter [ENABLED]</div><div> rp_filter is not fully aware of IPsec and should be disabled</div>
<div>Checking that pluto is running [OK]</div><div> Pluto listening for IKE on udp 500 [OK]</div><div> Pluto listening for IKE on tcp 500 [NOT IMPLEMENTED]</div>
<div> Pluto listening for IKE/NAT-T on udp 4500 [OK]</div><div> Pluto listening for IKE/NAT-T on tcp 4500 [NOT IMPLEMENTED]</div><div> Pluto listening for IKE on tcp 10000 (cisco) [NOT IMPLEMENTED]</div>
<div> Pluto ipsec.secret syntax [OK]</div><div>Checking NAT and MASQUERADEing [TEST INCOMPLETE]</div><div>Checking 'ip' command [OK]</div>
<div>Checking 'iptables' command [OK]</div><div>Checking for obsolete ipsec.conf options [OK]</div><div>Opportunistic Encryption [DISABLED]</div>
<div><br></div><div>ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help</div><div>[tjyang@centos63-2 ~]$</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Mar 1, 2013 at 6:04 AM, T.J. Yang <span dir="ltr"><<a href="mailto:tjyang2001@gmail.com" target="_blank">tjyang2001@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="im">On Thu, Feb 28, 2013 at 11:02 PM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>On Thu, 28 Feb 2013, T.J. Yang wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I don't do linux kernel compiling and rpm packaging often, excuse me if the is is not a good<br>
question.<br>
</blockquote>
<br></div>
You should start with packaging/rhel/6/libreswan.<u></u>spec<br>
<br>
It should do everything for you already? Or tell you what you need to<br>
install.<div><br>
<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
I am able to built the src tree with latest patches.<br>
</blockquote>
<br></div>
Which patches?</blockquote><div><br></div></div><div>Not patches exactly, I am referring to your latest two fixes for my issue report on github.</div><div><br></div><div><a href="https://github.com/libreswan/libreswan/commit/ab5d71709978bcdf4bed7d2927afc8f6c03aa571" target="_blank">https://github.com/libreswan/libreswan/commit/ab5d71709978bcdf4bed7d2927afc8f6c03aa571</a></div>
<div class="im">
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Following is the error log after "make programs;make module" works.<br>
<br>
[tjyang@centos631 centos]$ rpmbuild -ba libreswan.spec<br>
error: File /home/tjyang/rpmbuild/SOURCES/<u></u>libreswan-IPSECBASEVERSION.<u></u>tar.gz: No such file or directo<br>
ry<br>
</blockquote>
<br></div>
If you want to package from git instead of from a full release tar ball,<br>
you need to do this:<br>
<br>
git tag v3.1_tjyang<br>
make release<br>
<br>
That will give you a tar ball where the proper version (not<br>
IPSECBASEVERSION) is present. That file you can use on centos:<br>
<br>
cp libreswan-3.1_tjyang.tar.gz ~/rpmbuild/SOURCES/<br>
tar zxf libreswan-3.1_tjyang.tar.gz<br>
rpmbuild -ba libreswan-3.1_tjyang/<u></u>packaging/rhel/6/libreswan.<u></u>spec<span><font color="#888888"><br>
<br></font></span></blockquote><div><br></div></div><div>Thanks for these pointers.</div><div><br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span><font color="#888888">
Paul<span class="HOEnZb"><font color="#888888"><br>
</font></span></font></span></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</font></span></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>T.J. Yang
</div>