Shorewall users - Oct 2004 - Re: Error: Your kernel and/or iptables does not not support policy match: ipsec

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello,
>
>
> I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running,
> but I still have a problem:
>
> Validating hosts file...
>    Error: Your kernel and/or iptables does not not support policy
match: ipsec
>
> I had a look for netfilter patch-o-matic, but I did not find the
policy match
> support there.
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-policy
>
> I have enabled CONFIG_IP_NF_MATCH_AH_ESP in kernel config as a module
(M), but
> it seems that this isn''t it.
Completely unrelated.
>
> any ideas?
>
You might consider doing what I have done -- install SuSE 9.1. The
current SuSE 9.1 kernels include everything you need already.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBXcjpO/MAbZfjDLIRAu8qAKCM9+tEtf1vEGlJJ8gQeXeZHKIGxgCgozNp
LrYLFQzQFcEk8twDqUVKKl8=Lii1
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello Tom,
>
> thanks for your fast reply.
>
>
>>>I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9
running,
>>>but I still have a problem:
>>>
>>>Validating hosts file...
>>>   Error: Your kernel and/or iptables does not not support policy
>>>          match: ipsec
>>
>>http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-policy
>
>
> I tried to use p-o-m CVS, but I could not find this patch :(
>
Well, this is not the list to get any help with that problem...

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBXdWvO/MAbZfjDLIRAvp7AJ9FT68EcdqHCI+R4LST671FbLnRswCgsXCp
ulIYQc+isUohWtNUe5Vqn7k=nBWN
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
> claas@rootdir.de wrote:
>
>>>Hello Tom,
>>>
>>>thanks for your fast reply.
>>>
>>>
>>>
>>>>>I am trying to get ipsec with kernel 2.6.8.1 and shorewall
2.1.9
running,
>>>>>but I still have a problem:
>>>>>
>>>>>Validating hosts file...
>>>>>  Error: Your kernel and/or iptables does not not support
policy
>>>>>         match: ipsec
>>>>
>>>>http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-policy
>>>
>>>
>>>I tried to use p-o-m CVS, but I could not find this patch :(
>>>
You did checkout patch-o-matic-ng, rather that patch-o-matic right?
patch-o-matic was replaced some time ago with patch-o-matic-ng.

I just checked out patch-o-matic-ng and the policy match patch is there...

teastep@ursa:~> ls patch-o-matic-ng/policy
CVS  help  info  iptables  linux-2.4  linux-2.6
teastep@ursa:~>

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBXdmGO/MAbZfjDLIRAp4HAKDC9o7EM3U7oEtiV44Q8rWwgk+gKQCgxk9P
eW/MjVF5e6Urfq2e16j15tM=L2al
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello Tom!
>
>
>
>>You did checkout patch-o-matic-ng, rather that patch-o-matic right?
>
> unfortunately not :(
>
>
>>patch-o-matic was replaced some time ago with patch-o-matic-ng.
>>
>>I just checked out patch-o-matic-ng and the policy match patch is
there...
>>
>>teastep@ursa:~> ls patch-o-matic-ng/policy
>>CVS  help  info  iptables  linux-2.4  linux-2.6
>
>
> good, thanks for your fast help.
And be sure to also install the ipsec-xxx patches.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBXs0MO/MAbZfjDLIRAjf2AJ9OCaUIXjl7eqCVbU6tM0sMZ/ArrACfTPbl
ZRd2vyBPhFWM722SwRERX4M=SiEG
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello Tom!
>
>
>>>>I just checked out patch-o-matic-ng and the policy match patch
is
there...
>>>>
>>>>teastep@ursa:~> ls patch-o-matic-ng/policy
>>>>CVS  help  info  iptables  linux-2.4  linux-2.6
>>>
>>>good, thanks for your fast help.
>>
>>And be sure to also install the ipsec-xxx patches.
>
>
> I only patched policy inside, and it works to set up the
> "IPSec Gateway on the Firewall System" as described in
IPSEC-2.6.html.
>
> So I didn''t need to patch ipsec-xx inside.
Be careful -- without those patches, packets are probably not taking the
path through Netfilter that you think they are (in other words, your
firewall may have holes in it).

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBYcA5O/MAbZfjDLIRAhjCAKCMNC5HAmj1TomcLG+4oR5Marb7LQCfeW1Z
QTe2Jbm5nvi2CpeUDuJcHtQ=VjnV
-----END PGP SIGNATURE-----