
[suse-security] Solved: How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?



Hi,
Special thanks to Andreas and Carl (JJ); thanks to your hints I solved my problem. Though I don't have a patched *and* running kernel yet, I achieved my goal of connecting several private IP subnets through my VPN. Here's a short summary:

@Andreas:
Andreas Thierer wrote:
> I also needed NAT-Traversal with FreeSWAN.
> First I wanted to apply the NAT-Traversal-Patch, like you,
> but then I saw that the X.509-Patch also has a NAT-Traversal-
> functionality. This X.509-Patch is applied to the FreeSWAN
> package shipped with SuSE 8.2.
Yes, you're right. I just couldn't believe that it's so simple :-). Obviously it's not necessary to apply the kernel patch...

> See http://www.freeswan.ca/patches/www.strongsec.com/freeswan/install.htm#section_4.4
...this brought the solution.
Perhaps one will have trouble when trying to connect several networks that incidentally use the same private IP range, but right now this is not the case in my setup.

@Carl:
J J wrote:
> Is your new kernel missing reiserfs.o in the /lib/modules/<kernel
> version>/kernel/fs/reiserfs/ directory?
No, it exists there.

> If not then you have probably got a faulty config.
Yes, now I suppose that's the reason, too. Unfortunately I can't imagine why... Just as you described, I did a zcat /proc/config.gz > .config and then a make xconfig after I patched the kernel. But unfortunately what you describe in the following lines...

> You've already patched the kernel so future compiles will give you all
> the Ipsec options that you need.
> Then you should have a configuration
> that's identical to your working configuration but with any changes you
> choose to make.  The obvious changes are to switch on Ipsec, the NAT
> traversal and X509 patches...
was not the case; there were no options for ipsec available before I ran those "strange" makefile targets in .../kernel_modules/zz_freeswan. Is it possible that patching went wrong although the return code was 0?

> If the build process did make reiserfs.o but you're still getting a
> kernel panic then the problem is probably in the initrd.
I don't think so. I studied mkinitrd -h, think that I did it all correctly, and the same procedure is successful on other occasions.

Anyway, in further inquiries I found some hints that the kernel parameter CONFIG_REISERFS_FS_POSIX_ACL could be related to my problem. In my xconfig this is displayed black, not grey, but anyway it's not possible to change it. Another thing that made me wonder: zcat /proc/config.gz > .config; make xconfig -> save *without any changes* into file .config2 and quit; then a diff .config .config2 shows a lot of differences. Does anybody know why this is so?
Apart from this many thanks to all contributors...:-)
Kind regards
Elmar

