[Swan] V3.5 and Kernel 3.9 modprobe ipsec failed

Muenz, Michael m.muenz at spam-fetish.org
Wed Sep 11 10:52:32 EEST 2013


On 10.09.2013 17:08, Paul Wouters wrote:
> What does dmesg say? It looks like it could be that you are using KLIPS
> on a CONFIG_NAMESPACES=y kernel. Or it could be that you were bit by
> this bug after you disabled CONFIG_NAMESPACES:
>
> http://marc.info/?l=linux-netdev&m=137806383327571&w=2
>
> I had to recompile my 3.9 kernel with that patch. Although the real fix
> is to add namespaces support to KLIPS.
>
> Paul
>

I disabled NAMESPACES and recompiled the kernel again. With Libreswan 3.5:

dmesg:
[   91.380513] klips_info:ipsec_init: KLIPS startup, Libreswan KLIPS IPsec stack version: 3.5
[   91.380570] NET: Registered protocol family 15
[   91.380577] Protocol 50 is not namespace aware, cannot register.
[   91.380733] KLIPS: can not register ESP protocol - recompile with CONFIG_INET_ESP disabled or as module
[   91.380844] klips_info:pfkey_cleanup: shutting down PF_KEY domain sockets.
[   91.385993] NET: Unregistered protocol family 15
[   91.386002]

auth.log:
Sep 11 09:49:35 host ipsec__plutorun: Starting Pluto subsystem...
Sep 11 09:49:35 host pluto[3922]: nss directory plutomain: /etc/ipsec.d
Sep 11 09:49:35 host pluto[3922]: NSS Initialized
Sep 11 09:49:35 host pluto[3922]: FIPS integrity support [disabled]
Sep 11 09:49:35 host pluto[3922]: libcap-ng support [enabled]
Sep 11 09:49:35 host pluto[3922]: Linux audit support [disabled]
Sep 11 09:49:35 host pluto[3922]: Starting Pluto (Libreswan Version 3.5; Vendor ID OEN_RhPPH{d^) pid:3922
Sep 11 09:49:35 host pluto[3922]: Pluto is NOT running in FIPS mode
Sep 11 09:49:35 host pluto[3922]: core dump dir: /var/run/pluto/
Sep 11 09:49:35 host pluto[3922]: secrets file: /etc/ipsec.secrets
Sep 11 09:49:35 host pluto[3922]: LEAK_DETECTIVE support [disabled]
Sep 11 09:49:35 host pluto[3922]: OCF support for IKE [disabled]
Sep 11 09:49:35 host pluto[3922]: SAref support [disabled]: Protocol not available
Sep 11 09:49:35 host pluto[3922]: SAbind support [disabled]: Protocol not available
Sep 11 09:49:35 host pluto[3922]: NSS crypto [enabled]
Sep 11 09:49:35 host pluto[3922]: XAUTH PAM support [enabled]
Sep 11 09:49:35 host pluto[3922]: HAVE_STATSD notification support [disabled]
Sep 11 09:49:35 host pluto[3922]: Setting NAT-Traversal port-4500 floating to on
Sep 11 09:49:35 host pluto[3922]:    port floating activation criteria nat_t=1/port_float=1
Sep 11 09:49:35 host pluto[3922]:    NAT-Traversal support [enabled]
Sep 11 09:49:35 host pluto[3922]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 11 09:49:35 host pluto[3922]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Sep 11 09:49:35 host pluto[3922]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok (ret=0)
Sep 11 09:49:35 host pluto[3922]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Sep 11 09:49:35 host pluto[3922]: starting up 1 cryptographic helpers
Sep 11 09:49:35 host pluto[3922]: started helper (thread) pid=140449899292416 (fd:6)
Sep 11 09:49:35 host pluto[3922]: No Kernel KLIPS interface detected
Sep 11 09:49:35 host pluto[3922]: No Kernel MASTKLIPS interface detected
Sep 11 09:49:35 host pluto[3922]: Using 'no_kernel' interface code on 3.9.11
Sep 11 09:49:35 host pluto[3922]: listening for IKE messages
Sep 11 09:49:35 host pluto[3922]: no public interfaces found
Sep 11 09:49:35 host pluto[3922]: loading secrets from "/etc/ipsec.secrets"


Now I'll try your patch.

Michael

-- 
www.muenz-it.de
- Cisco, Linux, Networks
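
Added example, not part of the original message or of Libreswan: a POSIX shell script that classifies the failure shown in the logs above and checks a kernel .config for the two options this thread names (CONFIG_NAMESPACES, CONFIG_INET_ESP). The function names, finding codes and the sample .config fragment are assumptions made for illustration; the match strings are taken from the quoted log lines.

```shell
#!/bin/sh
# Added example (not from the post). Match strings come from its log excerpts.

# Print one finding code per line for a combined dmesg/auth.log file ($1).
klips_findings() {
    grep -q 'Protocol 50 is not namespace aware' "$1" && echo ESP_REGISTER_REJECTED
    grep -q 'KLIPS: can not register ESP protocol' "$1" && echo KLIPS_ESP_FAILED
    grep -q 'pfkey_cleanup: shutting down PF_KEY' "$1" && echo KLIPS_INIT_UNWOUND
    grep -q "Using 'no_kernel' interface code" "$1" && echo PLUTO_NO_KERNEL_STACK
    grep -q 'no public interfaces found' "$1" && echo PLUTO_NO_INTERFACES
    return 0
}

# Print y, m or n for kernel option $1 in config file $2
# ("# CONFIG_X is not set" and a missing line both count as n).
kconfig_state() {
    v=$(sed -n "s/^$1=\([ym]\)\$/\1/p" "$2" | head -n 1)
    echo "${v:-n}"
}

# Flag the two build options the thread ties to the failed KLIPS load.
klips_config_risks() {
    [ "$(kconfig_state CONFIG_NAMESPACES "$1")" = y ] && echo NAMESPACES_ENABLED
    [ "$(kconfig_state CONFIG_INET_ESP "$1")" = y ] && echo INET_ESP_BUILTIN
    return 0
}

# Constructed sample input: log lines copied (unwrapped) from the post,
# plus a hypothetical kernel .config fragment.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_LOG=$SAMPLE_DIR/log
SAMPLE_CONFIG=$SAMPLE_DIR/config
cat > "$SAMPLE_LOG" <<'EOF'
[   91.380577] Protocol 50 is not namespace aware, cannot register.
[   91.380733] KLIPS: can not register ESP protocol - recompile with CONFIG_INET_ESP disabled or as module
[   91.380844] klips_info:pfkey_cleanup: shutting down PF_KEY domain sockets.
Sep 11 09:49:35 host pluto[3922]: No Kernel KLIPS interface detected
Sep 11 09:49:35 host pluto[3922]: Using 'no_kernel' interface code on 3.9.11
Sep 11 09:49:35 host pluto[3922]: no public interfaces found
EOF
cat > "$SAMPLE_CONFIG" <<'EOF'
# CONFIG_NAMESPACES is not set
CONFIG_INET_AH=m
CONFIG_INET_ESP=y
EOF

klips_findings "$SAMPLE_LOG"
klips_config_risks "$SAMPLE_CONFIG"
```

PLUTO_NO_KERNEL_STACK is the finding to alert on: pluto kept running and listening for IKE with no kernel IPsec stack behind it, so a running daemon alone does not show that traffic can be protected.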


