How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?
Hi all,

I installed a VPN with a SuSE8.2 2.4.20-4GB kernel and a freeswan_1.99_0.9.23-20 as provided by the 8.2 distribution. Everything including x509-Support is tested and working fine. Now I want to add NAT-Traversal functionality.

As written in /u/s/d/p/freeswan/README.SuSE, the NAT-Traversal Patches (written by Mathieu Lafon) for the *freeswan-package* are already inserted in the package provided by SuSE. But to get it running one has also to patch the *kernel* with the fswan-nat-t-kernel.diff, they write, which is provided in the same directory.

I applied the patch to my kernel-sources (Return Code=0) and recompiled the kernel:

- make oldconfig (perhaps wrong?? don't know what this exactly is doing..)
- I took a look in make xconfig and noticed that there were no possibilities to do configuration for IPSec, but at that moment I didn't care
- changed the Makefile's Extraversion Number..
- make dep
- make clean
- make bzImage
- make modules
- make modules_install

I prepared my bootloader and did mkinitrd for that kernel. Booting with that kernel was ok, but ipsec didn't start anymore:

"ipsec_setup:modprobe: can't locate module ipsec. Kernel appears to lack KLIPS."

I booted my old kernel again and, according to some mails of this list, I took a look into .../kernel_modules/zz_freeswan/Makefile and tried, in that directory:

- make insert
  Result: make xconfig in /usr/src/linux didn't work anymore.
- make kmodule
  Result: make xconfig didn't work yet.
- make klink
  Result: make xconfig worked again! And it had configuration-options for IPSec!!

I configured this (I took all the defaults I found there, the only thing I changed was the IPSec-Stuff) and compiled another kernel exactly as described above (except that I used xconfig instead of oldconfig). Every step gave a Return Code of 0.

Result when booting this new kernel:

"Kernel panic: unresolved symbol reiserfs.o" (which is my boot partition).

Question: can anyone give me a hint about the correct way to apply this patch and get a working kernel? *Which* make -steps / targets do I have to take in .../zz_freeswan/ (e.g. what about oldmod?) and perhaps in /usr/src/linux, and **in which order**?

Any help would be greatly appreciated.. thnxalot!

Kind regards
Elmar

Hi,

special thanks to Andreas and Carl (JJ), due to your hints I solved my problem. Though I don't have a patched *and* running kernel yet, I achieved my goal to connect several Private-IP-Subnets through my VPN. Here's a short summary:

@Andreas:

Andreas Thierer wrote:
> I also needed NAT-Traversal with FreeSWAN. First I wanted to apply the NAT-Traversal-Patch, like you, but then I saw that the X.509-Patch also has a NAT-Traversal functionality. This X.509-Patch is applied to the FreeSWAN package shipped with SuSE 8.2.

Yes, you're right. I just couldn't believe that it's so simple :-). Obviously it's not necessary to apply the kernel patch...

> See http://www.freeswan.ca/patches/www.strongsec.com/freeswan/install.htm#sectio...

..this brought the solution. Perhaps one will have trouble when trying to connect several Networks that incidentally use the same private IP-Range, but right now this is not the case in my setup.

@Carl:

J J wrote:
> Is your new kernel missing reiserfs.o in the /lib/modules/<kernel version>/kernel/fs/reiserfs/ directory?

No, it's existing there.

> If not then you have probably got a faulty config.

Yes, now I suppose that's the reason, too. Unfortunately I can't imagine why... Just as you described I did a zcat /proc/config.gz > .config and then a make xconfig after I patched the kernel. But unfortunately what you describe in the following lines...

> You've already patched the kernel so future compiles will give you all the Ipsec options that you need. Then you should have a configuration that's identical to your working configuration but with any changes you choose to make. The obvious changes are to switch on Ipsec, the NAT traversal and X509 patches...

was not the case, there were no options for ipsec available before I did those "strange" makefile targets in .../kernel_modules/zz_freeswan. Is it possible that patching went wrong although Ret.Code was 0 ?

> If the build process did make reiserfs.o but you're still getting a kernel panic then the problem is probably in the initrd.

I don't think so. I studied mkinitrd -h, think that I did it all correctly, and the same procedure is successful at other occasions.

Anyway, in further inquiries I found some hints that Kernel-Parameter CONFIG_REISERFS_FS_POSIX_ACL could be related to my problem. In my xconfig this is displayed black, not grey, but anyway it's not possible to change it.

Another thing that made me wonder: zcat /proc/config.gz > .config; make xconfig -> save *without any changes* into file .config2 and quit; then a diff .config .config2 shows a lot of differences. Does anybody know why this is so?

Apart from this many thanks to all contributors...:-)

Kind regards
Elmar
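
Added example, not part of the original posts: a plain diff of two kernel .config files also reports reordered lines and rewritten comments, so this sketch compares the files option by option and prints only the options whose value differs. The function names normalize_config and config_diff are hypothetical, and the two sample files are constructed.

```bash
# One "CONFIG_FOO=value" line per option, sorted by name.
# "# CONFIG_FOO is not set" is how the config tools write "n".
normalize_config() {
    awk '
        /^# CONFIG_[A-Za-z0-9_]+ is not set$/ { print $2 "=n"; next }
        /^CONFIG_[A-Za-z0-9_]+=/              { print }
    ' "$1" | sort
}

# Print every option whose value differs between OLD ($1) and NEW ($2).
config_diff() {
    local old new
    old=$(mktemp); new=$(mktemp)
    normalize_config "$1" > "$old"; normalize_config "$2" > "$new"
    awk -F= '
        { v = substr($0, length($1) + 2) }
        FILENAME == ARGV[1] { a[$1] = v; next }
        { b[$1] = v }
        END {
            for (k in a) {
                if (!(k in b))         print k ": " a[k] " -> (absent)"
                else if (a[k] != b[k]) print k ": " a[k] " -> " b[k]
            }
            for (k in b) if (!(k in a)) print k ": (absent) -> " b[k]
        }' "$old" "$new" | sort
    rm -f "$old" "$new"
}

# Constructed sample: same options, different order and comments, plus one
# changed value and one option present only in the saved file.
demo() {
    local dir; dir=$(mktemp -d)
    cat > "$dir/config.running" <<'EOF'
# Filesystems
CONFIG_REISERFS_FS=m
# CONFIG_REISERFS_CHECK is not set
CONFIG_MODVERSIONS=y
EOF
    cat > "$dir/config.saved" <<'EOF'
CONFIG_MODVERSIONS=y
# File systems
CONFIG_REISERFS_FS=y
# CONFIG_REISERFS_CHECK is not set
CONFIG_IPSEC=m
EOF
    config_diff "$dir/config.running" "$dir/config.saved"
    rm -rf "$dir"
}
demo
```

On real files the call would be config_diff .config .config2, run in the kernel source directory.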

participants (1): Elmar Marschke