[Swan] protostack=mast

Pavel Kopchyk pkopchyk at gmail.com
Wed Mar 20 21:19:12 EET 2013


Hi,

As I said before, I'm trying to set up libreswan 3.1 on CentOS 6.4 with
SAref support.

Another problem was found:

I added "set -x" to /usr/libexec/ipsec/_stackmanager:

# service ipsec start
Starting pluto IKE daemon for IPsec: + '[' '!' -f /proc/modules ']'
+ IPSEC_CONF=/etc/ipsec.conf
+ PATH=/usr/sbin:/usr/sbin:/sbin:/usr/sbin:/usr/local/bin:/bin:/usr/bin
+ export PATH
+ test
+ kamepfkey=/proc/net/pfkey
+ ipsecpfkey=/proc/net/ipsec/version
+ action=start
+ '[' -z start ']'
++ id -u
+ '[' 0 -ne 0 ']'
++ ipsec addconn --config /etc/ipsec.conf --liststack
+ stack=mast
+ case $stack in
+ case $action in
+ case $stack in
+ startmast
+ startklips
+ cryptomodules
+ modprobe -q hw_random
*
* snip...
*
+ modprobe -q camellia
+ '[' -f /proc/net/pfkey ']'
+ '[' '!' -f /proc/net/ipsec/version ']'
++ uname -r
++ sed -e 's/\.nptl//'
++ sed -e 's/^\(2\.[0-9]\.[1-9][0-9]*-[1-9][0-9]*\(\.[0-9][0-9]*\)*\(\.x\)*\).*$/\1/'
+ bareversion=2.6.32-358.2.1
+ case $bareversion in
+ modulename=ipsec.ko
++ basename modprobe -q
+ '[' modprobe = modprobe ']'
+ modprobe -q ipsec
+ '[' '!' -f /proc/net/ipsec/version ']'
+ '[' -d /sys/module/ocf ']'
+ '[' mast = mast ']'
+ virt=mast0
+ '[' '!' -d /sys/devices/virtual/net/mast0 ']'
+ ipsec tncfg --clear
++ sort -r
++ cut -d: -f2
++ ip -oneline link show
++ grep ipsec
+ for device in '$(ip -oneline link show | grep ipsec | cut -d: -f2 | sort -r)'
+ ipsec tncfg --delete ipsec1
+ for device in '$(ip -oneline link show | grep ipsec | cut -d: -f2 | sort -r)'
+ ipsec tncfg --delete ipsec0
+ exit 0

# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:c2:01:c4:ef:49 brd ff:ff:ff:ff:ff:ff
21: ipsec0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
        link/void
23: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
        link/[65534]


And this is on another system with openswan 2.6.38:

ipsec_setup: + ipsec tncfg --create mast0
ipsec_setup: + ip link set mast0 up
ipsec_setup: + false
ipsec_setup: + ip link show dev mast0
ipsec_setup: + grep -q 'mtu 0 '
ipsec_setup: + RETVAL=0
ipsec_setup: + '[' 0 -eq 0 ']'
ipsec_setup: + echo 'Fixup of mtu on mast0 to 16260'
ipsec_setup: Fixup of mtu on mast0 to 16260
ipsec_setup: + ip link set mtu 16260 dev mast0


Maybe an additional check for the link state on mast0 is needed -
when the interface mast0 is present?
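
The check suggested above, as an added example that is not part of the original post and not libreswan's _stackmanager code: a hypothetical helper, link_fixups, takes `ip link show dev mast0` output and prints the fix-ups still needed. The commands and the 16260 MTU come from the openswan 2.6.38 trace; the sample input is constructed from the listing above.

```shell
#!/bin/sh
# In the libreswan trace, after the test
#   [ ! -d /sys/devices/virtual/net/mast0 ]
# the script goes straight to `ipsec tncfg --clear`, and mast0 is left
# DOWN with mtu 0. This helper checks link state as well as existence.

# link_fixups DEV LINK_OUTPUT [MTU]
# Prints one command per line; prints nothing if the link is up with an MTU.
link_fixups() {
    dev=$1 out=$2 mtu=${3:-16260}   # 16260: value used in the openswan trace
    if [ -z "$out" ]; then
        # Device absent: full sequence, as in the openswan 2.6.38 trace.
        echo "ipsec tncfg --create $dev"
        echo "ip link set $dev up"
        echo "ip link set mtu $mtu dev $dev"
        return 0
    fi
    # Flags are the <...> field on the first line, e.g. <NOARP> or <NOARP,UP>.
    flags=$(printf '%s\n' "$out" | sed -n '1s/^[^<]*<\([^>]*\)>.*$/\1/p')
    case ",$flags," in
        *,UP,*) ;;                          # already administratively up
        *) echo "ip link set $dev up" ;;
    esac
    # Same test as the openswan trace: grep -q 'mtu 0 '
    if printf '%s\n' "$out" | grep -q 'mtu 0 '; then
        echo "ip link set mtu $mtu dev $dev"
    fi
}

# Constructed sample: the mast0 state from the `ip link show` listing above.
SAMPLE_DOWN='23: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
        link/[65534]'

# On a live system (as root) the result could be applied with:
#   link_fixups mast0 "$(ip link show dev mast0 2>/dev/null)" | sh -x
link_fixups mast0 "$SAMPLE_DOWN"
```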

