[Swan] V3.5 and Kernel 3.9 modprobe ipsec failed

Paul Wouters paul at nohats.ca
Sun Jul 21 20:14:47 EEST 2013 

On Sun, 21 Jul 2013, Sven Schiwek wrote:

> I made some testing with Debian stable kernel (3.2) and testing kernel (3.9). Both have set CONFIG_NET_NS but only with kernel 3.2 Libreswan klips is loading fine.
> I also tested Openswan 2.6.39 and ipsec is loading fine with the new 3.9 kernel but Openswan has some other problems with NAT …
> However for me it looks like something changed in Libreswan V3.5 with the result that is's not compatible with Debian testing anymore.
>
> Any help is greatly appreciated.

Perhaps openswan does not enable the cryptoapi for klips per default?

We do have some patches for NAT-T on newer kernels that openswan is
lacking. You can try to backport it for them.

The problem does seem related to namespaces, eg:

https://www.google.ca/search?q=is+not+namespace+aware,+cannot+register

KLIPS needs to be updated to be fully namespace aware. I've done a
little looking around on that topic, but haven't gotten to the point
of writing code yet.

Paul

>
>
> On Jul 15, 2013, at 3:53 PM, Lennart Sorensen <lsorense at csclub.uwaterloo.ca> wrote:
>
>> On Sun, Jul 14, 2013 at 10:24:58PM +0200, Sven Schiwek wrote:
>>> I installed Libreswan 3.5 on a Debian testing (jessie) environment and run into this problem:
>>>
>>> [15:11] root pm-kvm01.test[17]:/home/sysop# modprobe ipsec
>>> [18705.100565] Protocol 50 is not namespace aware, cannot register.
>>> [18705.102096] KLIPS: can not register ESP protocol - recompile with CONFIG_INET_ESP disabled or as module
>>> ERROR: could not insert 'ipsec': Invalid argument
>>>
>>> [15:12] root pm-kvm01.test[20]:/home/sysop# uname -a
>>> Linux pm-kvm01 3.9-1-amd64 #1 SMP Debian 3.9.8-1 x86_64 GNU/Linux
>>
>> Based on the error, I would guess that klips' ESP module isn't compatible
>> with CONFIG_NET_NS.  Debian has that on in their kernels, given is is
>> very useful for things like lxc and other neat things.
>>
>> Just a guess though.  I haven't bothered with klips for years.
>>
>> --
>> Len Sorensen
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>

More information about the Swan mailing list