Re: [strongSwan] IPv4 only and minimal kernel modules
Hi, > 1) upgrade to kernel 2.6.29 and apply patch [1] from above, to the linux > kernel. No, 2.6.29 already contains the patch. > 2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to > charon, (this patch will brake v6/v4 mixed operation) Yes, then no kernel patch is required. 3) Apply the patch [1] to your 2.6.28 kernel. No userland patch required. Regards Martin ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] IPv4 only and minimal kernel modules
Martin Willi wrote: >> It seems that if I remove all of the Ipv6 modules the IPsec doesn't work >> > > Make sure to have at least a 2.6.29 kernel, apply the kernel patch [1] > or use the workaround patch for strongSwan (attached, breaks mixed v4/v6 > tunnels). > > Regards > Martin > > [1]http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304 > I am using kernel 2.6.28. If I understand well, my options are: 1) upgrade to kernel 2.6.29 and apply patch [1] from above, to the linux kernel. 2) stick with kernel 2.6.28 and apply the disable-iaf-tunnels patch to charon, (this patch will brake v6/v4 mixed operation) Can you confirm that this is correct and complete? I plan to stick with 2.6.28 because changing kernel would require a lot of discussions and testing. Regards, Dimitrios Siganos ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] IPv4 only and minimal kernel modules
Hi, > If we only want Ipv4 support, can this required kernel modules list be > shortened? Yes. > It seems that I I remove all of the Ipv6 modules the IPsec doesn't work Make sure to have at least a 2.6.29 kernel, apply the kernel patch [1] or use the workaround patch for strongSwan (attached, breaks mixed v4/v6 tunnels). Regards Martin [1]http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304 Index: src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c === --- src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c (revision 4695) +++ src/charon/plugins/kernel_netlink/kernel_netlink_ipsec.c (working copy) @@ -895,10 +895,6 @@ sa->id.proto = proto_ike2kernel(protocol); sa->family = src->get_family(src); sa->mode = mode; - if (mode == MODE_TUNNEL) - { - sa->flags |= XFRM_STATE_AF_UNSPEC; - } sa->replay_window = (protocol == IPPROTO_COMP) ? 0 : 32; sa->reqid = reqid; /* we currently do not expire SAs by volume/packet count */ ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users