
Re: [suse-security] Solved: How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?

Apologies to Andreas and Elmar, evidently I didn't read Andreas' posting properly before I replied! :)

Obviously avoiding recompiling your kernel will make life far simpler for you and it sounds like you don't need to recompile to get NAT-traversal running. The only reasons I can see that you might are (i) to enable the possibility of debugging with ipsec klipsdebug --all and (ii) for intellectual satisfaction/training/certainty!

If you did want to pursue recompiling the kernel...

Given that reiserfs.o is being built, my suggestions about configuration aren't applicable anymore! I have seen the effect you describe before: where an unchanged configuration still shows a change in .config - it seems to be harmless. Things like new comments, or sections that don't do anything (because an option is not switched on higher up) but are still being written. It's not too surprising if you look at how each file gets written. zcat /proc/config.gz is effectively an output from the kernel itself of saved config information so will be minimal. make xconfig is a complex tcl/tk script.

If you want to progress this any further then we will probably need the exact error message, word for word, letter for letter that you're getting in the boot process with the new kernel, and exactly at what point in the boot process it occurs, what message lines do you see just before it. Does it occur absolutely immediately (like when the kernel starts) or a bit later, during the startup scripts? My guess is that it's pretty early.

If you are going to abandon the new kernel build then that's cool and I wish you luck with freeswan - it's a first-rate product but can be tricky without kernel debug IMHO!

All the best,

From: Elmar Marschke <elmar.marschke@xxxxxxxx>
To: suse-security@xxxxxxxx
CC: AThierer@xxxxxx, c_peto@xxxxxxxxxxx
Subject: [suse-security] Solved: How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?
Date: Thu, 02 Oct 2003 16:41:06 +0200

Special thanks to Andreas and Carl (JJ), due to your hints I solved my problem. Though I don't have a patched *and* running kernel yet, I achieved my goal to connect several Private-IP-Subnets through my VPN. Here's a short summary:

Andreas Thierer wrote:
> I also needed NAT-Traversal with FreeSWAN.
> First I wanted to apply the NAT-Traversal-Patch, like you,
> but then I saw that the X.509-Patch also has a NAT-Traversal-
> functionality. This X.509-Patch is applied to the FreeSWAN-
> package shipped with SuSE 8.2.
Yes, you're right. I just couldn't believe that it's so simple :-). Obviously it's not necessary to apply the kernel patch...

> See http://www.freeswan.ca/patches/www.strongsec.com/freeswan/install.htm#section_4.4
..this brought the solution.
Perhaps one will have trouble when trying to connect several Networks that incidentally use the same private IP-Range, but right now this is not the case in my setup.

J J wrote:
> Is your new kernel missing reiserfs.o in the /lib/modules/<kernel
> version>/kernel/fs/reiserfs/ directory?
No, it exists there.

> If not then you have probably got a faulty config.
Yes, now I suppose that's the reason, too. Unfortunately I can't imagine why... Just as you described I did a zcat /proc/config.gz > .config and then a make xconfig after I patched the kernel. But unfortunately what you describe in the following lines...

> You've already patched the kernel so future compiles will give you all
> the Ipsec options that you need.
> Then you should have a configuration
> that's identical to your working configuration but with any changes you
> choose to make.  The obvious changes are to switch on Ipsec, the NAT
> traversal and X509 patches...
was not the case, there were no options for ipsec available, before I did those "strange" makefile targets in .../kernel_modules/zz_freeswan. Is it possible that patching went wrong although Ret.Code was 0 ?

> If the build process did make reiserfs.o but you're still getting a
> kernel panic then the problem is probably in the initrd.
I don't think so. I studied mkinitrd -h, think that I did it all correctly and the same procedure is successful at other occasions.

Anyway, in further inquiries I found some hints that Kernel-Parameter CONFIG_REISERFS_FS_POSIX_ACL could be related to my problem. In my xconfig this is displayed black, not grey, but anyway it's not possible to change it. Another thing that made me wonder: zcat /proc/config.gz > .config; make xconfig -> save *without any changes* into file .config2 and quit; then a diff .config .config2 shows a lot of differences. Does anybody know why this is so?
Apart from this many thanks to all contributors...:-)
Kind regards

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
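
The .config comparison discussed in this thread, as an added example that is not part of either message: a plain diff of a /proc/config.gz dump against an xconfig re-save is dominated by comments and "is not set" markers, so this sketch compares only the options that are actually set. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare kernel .config files by effective settings only.

# One sorted "CONFIG_X=value" line per option that is actually set. Comments,
# blank lines and "# CONFIG_X is not set" markers are dropped, so an option
# that is absent and one that is explicitly unset compare as equal.
effective_config() {
    grep -E '^CONFIG_[A-Za-z0-9_]+=' "$1" | sort -u
}

# Print effective differences ("<" only in $1, ">" only in $2).
# Returns 0 if both files set the same options, 1 otherwise.
config_semantic_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    effective_config "$1" > "$a"
    effective_config "$2" > "$b"
    out=$(diff "$a" "$b" | grep -E '^[<>]' || true)
    rm -f "$a" "$b"
    if [ -n "$out" ]; then printf '%s\n' "$out"; return 1; fi
    return 0
}

# Constructed sample files (not taken from the thread), written into dir $1.
make_samples() {
    printf '%s\n' 'CONFIG_REISERFS_FS=m' 'CONFIG_EXT3_FS=y' \
        '# CONFIG_JFS_FS is not set' > "$1/config.running"
    printf '%s\n' '#' '# Automatically generated file' '#' \
        'CONFIG_EXT3_FS=y' '' '#' '# File systems' '#' \
        'CONFIG_REISERFS_FS=m' '# CONFIG_REISERFS_CHECK is not set' \
        '# CONFIG_JFS_FS is not set' > "$1/config.resaved"
    { cat "$1/config.resaved"; echo 'CONFIG_IPSEC=m'; } > "$1/config.patched"
}

demo() {
    d=$(mktemp -d) || return 2
    make_samples "$d"
    config_semantic_diff "$d/config.running" "$d/config.resaved" \
        && echo "re-saved config: no effective change"
    config_semantic_diff "$d/config.running" "$d/config.patched" \
        || echo "patched config: effective change found"
    rm -rf "$d"
}
demo
```

An empty result between the running and the re-saved file means the rewrite changed only layout; a `>` line after patching shows which options the patch actually made selectable and enabled.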
