Tom Eastep
2004-Oct-01 21:15 UTC
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
claas@rootdir.de wrote:
> Hello,
>
> I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running,
> but I still have a problem:
>
> Validating hosts file...
>    Error: Your kernel and/or iptables does not not support policy match: ipsec
>
> I had a look for netfilter patch-o-matic, but I did not find the policy match
> support there.

http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-policy

> I have enabled CONFIG_IP_NF_MATCH_AH_ESP in kernel config as a module(M), but
> it seems that this isn't it.

Completely unrelated.

> any ideas?

You might consider doing what I have done -- install SuSE 9.1. The current SuSE 9.1 kernels include everything you need already.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2004-Oct-01 22:09 UTC
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
claas@rootdir.de wrote:
> Hello Tom,
>
> thanks for your fast reply.
>
>>>I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running,
>>>but I still have a problem:
>>>
>>>Validating hosts file...
>>>   Error: Your kernel and/or iptables does not not support policy
>>>   match: ipsec
>>
>>http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-policy
>
> I tried to use p-o-m CVS, but I could not find this patch :(

Well, this is not the list to get any help with that problem...

-Tom
Tom Eastep
2004-Oct-01 22:26 UTC
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
Tom Eastep wrote:
> claas@rootdir.de wrote:
>
>>>Hello Tom,
>>>
>>>thanks for your fast reply.
>>>
>>>>>I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running,
>>>>>but I still have a problem:
>>>>>
>>>>>Validating hosts file...
>>>>>   Error: Your kernel and/or iptables does not not support policy
>>>>>   match: ipsec
>>>>
>>>>http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-policy
>>>
>>>I tried to use p-o-m CVS, but I could not find this patch :(

You did checkout patch-o-matic-ng, rather than patch-o-matic right?

patch-o-matic was replaced some time ago with patch-o-matic-ng.

I just checked out patch-o-matic-ng and the policy match patch is there...

teastep@ursa:~> ls patch-o-matic-ng/policy
CVS help info iptables linux-2.4 linux-2.6
teastep@ursa:~>

-Tom
Tom Eastep
2004-Oct-02 15:45 UTC
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
claas@rootdir.de wrote:
> Hello Tom!
>
>>You did checkout patch-o-matic-ng, rather than patch-o-matic right?
>
> unfortunately not :(
>
>>patch-o-matic was replaced some time ago with patch-o-matic-ng.
>>
>>I just checked out patch-o-matic-ng and the policy match patch is there...
>>
>>teastep@ursa:~> ls patch-o-matic-ng/policy
>>CVS help info iptables linux-2.4 linux-2.6
>
> good, thanks for your fast help.

And be sure to also install the ipsec-xxx patches.

-Tom
Tom Eastep
2004-Oct-04 21:27 UTC
Re: Error: Your kernel and/or iptables does not not support policy match: ipsec
claas@rootdir.de wrote:
> Hello Tom!
>
>>>>I just checked out patch-o-matic-ng and the policy match patch is there...
>>>>
>>>>teastep@ursa:~> ls patch-o-matic-ng/policy
>>>>CVS help info iptables linux-2.4 linux-2.6
>>>
>>>good, thanks for your fast help.
>>
>>And be sure to also install the ipsec-xxx patches.
>
> I only patched policy inside, and it works to set up the
> "IPSec Gateway on the Firewall System" as described in IPSEC-2.6.html.
>
> So I didn't need to patch ipsec-xx inside.

Be careful -- without those patches, packets are probably not taking the path through Netfilter that you think they are (in other words, your firewall may have holes in it).

-Tom
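
Added example (not part of the thread and not Shorewall's own code): one way to check, on a running system, whether the kernel and iptables pair accepts the policy match named in the error, and to see that the AH/ESP match from CONFIG_IP_NF_MATCH_AH_ESP is a separate thing. The function names, the scratch chain name and the SPI value 256 are assumptions made for the example; it must run as root.

```shell
#!/bin/sh
# Added example, not from the thread. Probes the running kernel/iptables
# pair for a match by adding one rule to a scratch chain (needs root).
IPTABLES="${IPTABLES:-iptables}"   # assumption: iptables is on PATH

# probe_match ARGS...: 0 = rule accepted, 1 = rejected,
# 2 = probe could not run (no root or no iptables binary).
probe_match() {
    chain="probe_$$"
    "$IPTABLES" -N "$chain" 2>/dev/null || return 2
    if "$IPTABLES" -A "$chain" "$@" -j ACCEPT 2>/dev/null; then
        rc=0
    else
        rc=1
    fi
    # Always remove the scratch chain so the ruleset is left unchanged.
    "$IPTABLES" -F "$chain" 2>/dev/null || :
    "$IPTABLES" -X "$chain" 2>/dev/null || :
    return "$rc"
}

# The match the error message is about: selects packets by IPsec policy.
has_policy_match() { probe_match -m policy --pol ipsec --dir in; }

# The match behind CONFIG_IP_NF_MATCH_AH_ESP: selects ESP packets by SPI.
has_esp_match() { probe_match -p esp -m esp --espspi 256; }

report() {
    esp=0; has_esp_match || esp=$?
    pol=0; has_policy_match || pol=$?
    if [ "$esp" -eq 2 ] || [ "$pol" -eq 2 ]; then
        echo "probe could not run (need root and iptables)"
    elif [ "$pol" -eq 0 ]; then
        echo "policy match supported"
    elif [ "$esp" -eq 0 ]; then
        echo "esp match present, policy match missing"
    else
        echo "neither esp nor policy match available"
    fi
}

report
```

A passing probe only shows that the policy match is usable in a rule; it says nothing about whether the ipsec-xxx patches from the last message are applied, so it does not confirm the path IPsec packets take through Netfilter.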