Re: [suse-security] Solved: How to apply IPSec NAT-Traversal Patch to SuSE8.2-Kernel ?

From: J J (c_petohotmail.com)
Date: Thu Oct 02 2003 - 09:59:16 CDT


Apologies to Andreas and Elmar, evidently I didn't read Andreas' posting
properly before I replied! :)

Obviously avoiding recompiling your kernel will make life far simpler for
you and it sounds like you don't need to recompile to get NAT-traversal
running. The only reasons I can see that you might are (i) to enable the
possibility of debugging with ipsec klipsdebug --all and (ii) for
intellectual satisfaction/training/certainty!

If you did want to pursue recompiling the kernel...

Given that reiserfs.o is being built, my suggestions about configuration
aren't applicable anymore! I have seen the effect you describe before:
where an unchanged configuration still shows a change in .config - it seems
to be harmless. Things like new comments, or sections that don't do
anything (because an option is not switched on higher up) but are still
being written. It's not too surprising if you look at how each file gets
written. zcat /proc/config.gz is effectively an output from the kernel
itself of saved config information so will be minimal. make xconfig is a
complex tcl/tk script.

If you want to progress this any further then we will probably need the
exact error message, word for word, letter for letter that you're getting in
the boot process with the new kernel, and exactly at what point in the boot
process it occurs, what message lines do you see just before it. Does it
occur absolutely immediately (like when the kernel starts) or a bit later,
during the startup scripts? My guess is that it's pretty early.

If you are going to abandon the new kernel build then that's cool and I wish
you luck with freeswan - it's a first-rate product but can be tricky without
kernel debug IMHO!

All the best,
Carl

>From: Elmar Marschke <elmar.marschkeepost.de>
>To: suse-securitysuse.com
>CC: AThiererctl.de, c_petohotmail.com
>Subject: [suse-security] Solved: How to apply IPSec NAT-Traversal Patch to
>SuSE8.2-Kernel ?
>Date: Thu, 02 Oct 2003 16:41:06 +0200
>
>Hi,
>special thanks to Andreas and Carl (JJ), due to your hints I solved my
>problem. Though I don't have a patched *and* running kernel yet, I
>achieved my goal to connect several Private-IP-Subnets through my VPN.
>Here's a short summary:
>
>Andreas:
>Andreas Thierer wrote:
> > I also needed NAT-Traversal with FreeSWAN.
> > First I wanted to apply the NAT-Traversal-Patch, like you,
> > but then I saw that the X.509-Patch also has a NAT-Traversal-
> > functionality. This X.509-Patch is applied to the FreeSWAN-
> > package shipped with SuSE 8.2.
>Yes, you're right. I just couldn't believe that it's so simple :-).
>Obviously it's not necessary to apply the kernel patch...
>
> > See
>http://www.freeswan.ca/patches/www.strongsec.com/freeswan/install.htm#section_4.4
>..this brought the solution.
>Perhaps one will have trouble when trying to connect several Networks that
>incidentally use the same private IP-Range, but right now this is not the
>case in my setup.
>
>Carl:
>J J wrote:
> > Is your new kernel missing reiserfs.o in the /lib/modules/<kernel
> > version>/kernel/fs/reiserfs/ directory?
>No, it exists there.
>
> > If not then you have probably got a faulty config.
>Yes, now I suppose that's the reason, too. Unfortunately I can't imagine
>why... Just as you described I did a zcat /proc/config.gz > .config and
>then a make xconfig after I patched the kernel. But unfortunately what you
>describe in the following lines...
>
> > You've already patched the kernel so future compiles will give you all
> > the Ipsec options that you need.
> > Then you should have a configuration
> > that's identical to your working configuration but with any changes you
> > choose to make. The obvious changes are to switch on Ipsec, the NAT
> > traversal and X509 patches...
>was not the case, there were no options for ipsec available before I ran
>those "strange" makefile targets in .../kernel_modules/zz_freeswan. Is it
>possible that patching went wrong although Ret.Code was 0 ?
>
> > If the build process did make reiserfs.o but you're still getting a
> > kernel panic then the problem is probably in the initrd.
>I don't think so. I studied mkinitrd -h, think that I did it all correctly
>and the same procedure is successful on other occasions.
>
>Anyway, in further inquiries I found some hints that Kernel-Parameter
>CONFIG_REISERFS_FS_POSIX_ACL could be related to my problem. In my
>xconfig this is displayed black, not grey, but anyway it's not possible to
>change it. Another thing that made me wonder: zcat /proc/config.gz >
>.config; make xconfig -> save *without any changes* into file .config2
>and quit; then a
>diff .config .config2 shows a lot of differences. Does anybody know why
>this is so?
>Apart from this many thanks to all contributors...:-)
>Kind regards
>Elmar
>
>
>--
>Check the headers for your unsubscription address
>For additional commands, e-mail: suse-security-helpsuse.com
>Security-related bug reports go to securitysuse.de, not here
>
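
Added example, not part of the original thread: a semantic comparison of two kernel config files that ignores the comment and ordering noise discussed above and reports only options whose effective value changed. The sample file contents are constructed, and treating a missing option as "n" is an assumption that holds for bool/tristate options only.

```python
import re

# Constructed sample: minimal config as emitted by the running kernel.
RUNNING = """\
CONFIG_REISERFS_FS=m
CONFIG_EXT2_FS=y
# CONFIG_IPSEC is not set
"""

# Constructed sample: re-saved by a config front end, with one real change.
SAVED = """\
# File systems
CONFIG_EXT2_FS=y
CONFIG_REISERFS_FS=m
# CONFIG_REISERFS_CHECK is not set
CONFIG_IPSEC=m
"""

_LINE = re.compile(r"^(?:(CONFIG_\w+)=(.*)|# (CONFIG_\w+) is not set)$")


def parse_config(text):
    """Map option -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m is None:
            continue  # blank line or plain comment: carries no setting
        if m.group(1):
            opts[m.group(1)] = m.group(2)
        else:
            opts[m.group(3)] = "n"
    return opts


def semantic_diff(old_text, new_text):
    """Return {option: (old, new)} where the effective value differs.
    Assumption: an option missing from a file counts as 'n'."""
    old, new = parse_config(old_text), parse_config(new_text)
    return {
        name: (old.get(name, "n"), new.get(name, "n"))
        for name in sorted(old.keys() | new.keys())
        if old.get(name, "n") != new.get(name, "n")
    }


if __name__ == "__main__":
    for name, (a, b) in semantic_diff(RUNNING, SAVED).items():
        print(f"{name}: {a} -> {b}")
```

To use it on real files, pass the contents of .config and .config2 to semantic_diff in place of the two sample strings.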
