Re: [strongSwan] IPv4 only and minimal kernel modules

2009-09-03 Thread Martin Willi
Hi,

> 1) upgrade to kernel 2.6.29 and apply patch [1] from above, to the linux 
> kernel.

No, 2.6.29 already contains the patch.

> 2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to 
> charon, (this patch will break v6/v4 mixed operation)

Yes, then no kernel patch is required.

3) Apply the patch [1] to your 2.6.28 kernel. No userland patch
required.


Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users


Re: [strongSwan] IPv4 only and minimal kernel modules

2009-09-02 Thread Dimitrios Siganos
Martin Willi wrote:
>> It seems that if I remove all of the IPv6 modules the IPsec doesn't work 
>> 
>
> Make sure to have at least a 2.6.29 kernel, apply the kernel patch [1]
> or use the workaround patch for strongSwan (attached, breaks mixed v4/v6
> tunnels).
>
> Regards
> Martin
>
> [1]http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304
>   
I am using kernel 2.6.28. If I understand well, my options are:

1) upgrade to kernel 2.6.29 and apply patch [1] from above, to the linux 
kernel.

2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to 
charon, (this patch will break v6/v4 mixed operation)

Can you confirm that this is correct and complete?

I plan to stick with 2.6.28 because changing kernel would require a lot 
of discussions and testing.

Regards,
Dimitrios Siganos


Re: [strongSwan] IPv4 only and minimal kernel modules

2009-09-02 Thread Martin Willi
Hi,

> If we only want IPv4 support, can this required kernel modules list be 
> shortened?

Yes.

> It seems that if I remove all of the IPv6 modules the IPsec doesn't work 

Make sure to have at least a 2.6.29 kernel, apply the kernel patch [1]
or use the workaround patch for strongSwan (attached, breaks mixed v4/v6
tunnels).

Regards
Martin

[1]http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304

Index: src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c
===
--- src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c	(revision 4695)
+++ src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c	(working copy)
@@ -895,10 +895,6 @@
 	sa->id.proto = proto_ike2kernel(protocol);
 	sa->family = src->get_family(src);
 	sa->mode = mode;
-	if (mode == MODE_TUNNEL)
-	{
-		sa->flags |= XFRM_STATE_AF_UNSPEC;
-	}
 	sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32;
 	sa->reqid = reqid;
 	/* we currently do not expire SAs by volume/packet count */
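
Review bot: Deleting the "if (mode == MODE_TUNNEL)" block outright means XFRM_STATE_AF_UNSPEC is never set on tunnel-mode SAs, which is what breaks mixed v4/v6 tunnels as the message says. Rather than removing it unconditionally, consider keeping the assignment behind a build-time or runtime switch (hypothetical, not shown in this hunk) so that IPv4-only systems can drop the flag while other setups keep it. A short comment after "sa->mode = mode;" naming the kernel dependency (2.6.29 or patch [1]) would record why the flag is handled specially here.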