isakmpd on kernel 2.4.x - Security


  1. isakmpd on kernel 2.4.x

    Greetings:

    There appears to be a dearth of documentation on configuring
    an isakmpd-based vpn on linux 2.4.x; I would appreciate pointers
    to available resources.

    Basic questions:

    1. I have built a 2.4.27 kernel with modules for twofish, blowfish,
    sha256, crypto_null, sha1, md5, aes, des, ipcomp, xfrm_user, ah4,
    ip_gre and esp4; all of them load except ip_gre and esp4 which
    fail with unresolved symbols:
    ip_gre: nf_hooks, nf_hook_slow
    esp4: skb_cow_data, skb_to_sgvec, pskb_put

    2. With the above modules loaded, there are no additional
    interfaces created (I would expect names like 'enc', 'tun', etc.)

    3. There do not appear to be any ipsec related variables
    in 'sysctl -a'

    4. Is the utility 'setkey' needed to configure SAs, etc. on this kernel
    (one would think isakmpd would handle this)?

    5. Is a packet filter package required and if so which one?

    My experience is on OpenBSD running 'pf' and 'isakmpd'; I will need to
    configure the linux 2.4.x machine to be an ipsec client to the
    OpenBSD box (X.509-ESP-AES-SHA).

    Kernel 2.6 is not an option, 2.4 is required for other modules.

    All replies much appreciated.

    Michael Grigoni
    Cybertheque Museum


  2. Re: isakmpd on kernel 2.4.x

    On 10.05.2006, msg@waste.org wrote:
    > Greetings:
    >
    > There appears to be a dearth of documentation on configuring
    > an isakmpd-based vpn on linux 2.4.x; I would appreciate pointers
    > to available resources.
    >
    > Basic questions:
    >
    > 1. I have built a 2.4.27 kernel with modules for twofish, blowfish,
    > sha256, crypto_null, sha1, md5, aes, des, ipcomp, xfrm_user, ah4,
    > ip_gre and esp4; all of them load except ip_gre and esp4 which
    > fail with unresolved symbols:
    > ip_gre: nf_hooks, nf_hook_slow
    > esp4: skb_cow_data, skb_to_sgvec, pskb_put


    That is, except the GRE tunnel module and the ESP (IPsec) module. Great. How
    would you like it to work now, without ESP? Or maybe AH with
    authentication only is enough for you?

    > 2. With the above modules loaded, there are no additional
    > interfaces created (I would expect names like 'enc', 'tun', etc.)


    Additional interfaces turn up with KLIPS, not with PF_KEY.

    > 4. Is the utility 'setkey' needed to configure SAs, etc. on this kernel
    > (one would think isakmpd would handle this)?


    Dunno. I'm using Openswan with their KLIPS IPsec implementation.

    --
    Feel free to correct my English
    Stanislaw Klekot

  3. Re: isakmpd on kernel 2.4.x

    msg wrote:

    > I have built a 2.4.27 kernel with modules for twofish, blowfish,
    > sha256, crypto_null, sha1, md5, aes, des, ipcomp, xfrm_user, ah4,
    > ip_gre and esp4; all of them load except ip_gre and esp4 which
    > fail with unresolved symbols:
    > ip_gre: nf_hooks, nf_hook_slow
    > esp4: skb_cow_data, skb_to_sgvec, pskb_put


    Apparently an unreported bug: the kernel must be built with
    CONFIG_MODVERSIONS not set; the above symbols are in
    the kernel (seen with 'ksyms') but are suffixed with versioning.

    All modules load correctly now.

    Michael
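
Added example, not part of the original posts: a shell check for the condition the last reply describes, where a symbol is exported by the kernel only under a versioned name, so a module asking for the plain name fails with "unresolved symbol". It assumes `/proc/ksyms`-style lines (address, then name) and a version suffix of the form `_R<8 hex digits>` or `_Rsmp_<8 hex digits>`; the helper names and the sample addresses and checksums are constructed for illustration.

```shell
#!/bin/sh
# classify_symbol SYMBOL KSYMS_FILE
# Prints "plain" if SYMBOL is exported under its bare name, "versioned" if it
# appears only with a _R<crc> / _Rsmp_<crc> suffix, "missing" otherwise.
classify_symbol() {
    awk -v sym="$1" '
        { name = $2 }                        # column 2 is the symbol name
        name == sym { plain = 1 }
        index(name, sym "_R") == 1 {
            rest = substr(name, length(sym) + 3)
            sub(/^smp_/, "", rest)           # SMP kernels add an smp_ tag
            if (length(rest) == 8 && rest ~ /^[0-9a-f]+$/) versioned = 1
        }
        END {
            if (plain) print "plain"
            else if (versioned) print "versioned"
            else print "missing"
        }' "$2"
}

# Constructed sample in the assumed /proc/ksyms layout (not real output).
sample_ksyms() {
    cat <<'EOF'
c02a1b40 nf_hooks_R4d2c7e11
c02a1c80 nf_hook_slow_R9b03f5a6
c0298d10 skb_cow_data_Rsmp_1e7a44c0
c0298e60 skb_to_sgvec_R6f5510bd
c01182f0 printk
EOF
}

# report KSYMS_FILE SYMBOL...  -> one "symbol: state" line per symbol
report() {
    file=$1; shift
    for sym in "$@"; do
        printf '%s: %s\n' "$sym" "$(classify_symbol "$sym" "$file")"
    done
}

# Demo on the constructed sample; on a 2.4 host pass /proc/ksyms instead.
tmp=$(mktemp)
sample_ksyms > "$tmp"
report "$tmp" nf_hooks nf_hook_slow skb_cow_data skb_to_sgvec pskb_put printk
rm -f "$tmp"
```

A result of "versioned" for a symbol that the module loader reports as unresolved points at the mismatch described in the reply above; "missing" means the kernel does not export the symbol at all.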

