Hello all --

I am trying to get Shorewall, ipsec and RedHat ES version 3 to cooperate. Before posting any specific problems, I thought I'd find out if I have the right stuff to work with. (I've gotten ipsec to work flawlessly with Shorewall using RH 8 and 9 kernels, so I have some experience with it. Shorewall 2.0.12 works fine on this ES 3 box, except for the ipsec part)

The current kernel I'm using is 2.4.21-20.EL.

As I understand it, the EL kernels have the 2.6 ipsec code backported. Can anyone confirm this, and if so, should I be following the shorewall guide to the 2.6 kernel ipsec, using Shorewall 2.2?

Can anyone tell me how to find out if the Netfilter+ipsec patches are included in the kernel? (not an experienced kernel hacker here.)

(I have installed both OpenSwan 2.2 and 1.5 using the RPM for the EL kernels. I get ipsec working in both versions, but can't sort out the masquerade and routing problems.)

Thanks in advance for info you have on this. Links to helpful docs are much appreciated.

Jim Werkowski
On Thu, 2004-12-02 at 11:29 -0500, James Werkowski wrote:
> Hello all --
>
> I am trying to get Shorewall, ipsec and RedHat ES version 3 to cooperate.
> Before posting any specific problems, I thought I'd find out if I have the
> right stuff to work with. (I've gotten ipsec to work flawlessly with
> Shorewall using RH 8 and 9 kernels, so I have some experience with it.
> Shorewall 2.0.12 works fine on this ES 3 box, except for the ipsec part)
>
> The current kernel I'm using is 2.4.21-20.EL.
>
> As I understand it, the EL kernels have the 2.6 ipsec code backported. Can
> anyone confirm this, and if so, should I be following the shorewall guide
> to the 2.6 kernel ipsec, using Shorewall 2.2?
>
> Can anyone tell me how to find out if the Netfilter+ipsec patches are
> included in the kernel? (not an experienced kernel hacker here.)

Try:

    grep nf_rcv_postxfrm_local /proc/ksyms

If that gives you an error, try:

    grep nf_rcv_postxfrm_local /proc/kallsyms

If the patches are in your kernel, you should see a response something like:

    c029dae0 T nf_rcv_postxfrm_local

> (I have installed both OpenSwan 2.2 and 1.5 using the RPM for the EL
> kernels. I get ipsec working in both versions, but can't sort out the
> masquerade and routing problems.)

If you have IPSEC working and there is no 'ipsec0' interface, then you
have the 2.6 IPSEC implementation. To have a completely functional
setup, you then must have:

a) The Netfilter-ipsec patches.
b) The policy match patch (both kernel and iptables)
c) Shorewall 2.2.0 Beta

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
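The two checks Tom gives above (grep the kernel symbol table for nf_rcv_postxfrm_local, and look for whether an ipsec0 interface exists) as a small POSIX shell script. This is an added example written for this page, not code from the thread or from the Shorewall project; the script name ipsec_check.sh and the sample symbol-table and interface-list contents are constructed here, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the thread). Checks the two facts the reply above
# asks about. Symbol tables and interface lists are read from files named on
# the command line, or from stdin when none is given, so the same functions
# run against constructed data and against the live kernel.

# Exit 0 when the symbol table lists nf_rcv_postxfrm_local as a whole word.
# /proc/kallsyms lines look like "c029dae0 T nf_rcv_postxfrm_local"; 2.4-era
# /proc/ksyms lines have no type letter and may carry a "[module]" suffix,
# so the pattern anchors on whitespace rather than on a fixed column.
has_netfilter_ipsec_symbol() {
    grep -E -q '(^|[[:space:]])nf_rcv_postxfrm_local([[:space:]]|$)' "$@"
}

# Print the symbol table the running kernel exposes (kallsyms on 2.6 and on
# backports that carry it, ksyms on plain 2.4); exit 1 if neither is readable.
kernel_symbol_table() {
    for f in /proc/kallsyms /proc/ksyms; do
        [ -r "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Classify the IPsec stack from an interface listing ("ip -o link" or
# "ifconfig -a" output): an ipsec0 device means a KLIPS-style stack with a
# virtual interface; no ipsec0 means the native 2.6-style stack Tom describes.
ipsec_stack_from_iflist() {
    if grep -E -q '(^|[[:space:]])ipsec0(:|[[:space:]]|$)' "$@"; then
        echo klips
    else
        echo native
    fi
}

# Constructed sample data, not captured from a real machine.
sample_kallsyms_with_patch() {
    printf 'c029dae0 T nf_rcv_postxfrm_local\nc029db40 T nf_rcv_postxfrm_nonlocal\n'
}
sample_ksyms_without_patch() {
    printf 'c0100000 _stext\nc02c1a00 ip_rcv\n'
}
sample_iflist_native() {
    printf '1: lo: <LOOPBACK,UP> mtu 16436\n2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500\n'
}
sample_iflist_klips() {
    sample_iflist_native
    printf '3: ipsec0: <NOARP,UP> mtu 16260\n'
}

# When run directly as ipsec_check.sh (hypothetical name), report on the live system.
if [ "${0##*/}" = "ipsec_check.sh" ]; then
    if tbl=$(kernel_symbol_table); then
        if has_netfilter_ipsec_symbol "$tbl"; then
            echo "Netfilter+IPsec symbol present in $tbl"
        else
            echo "nf_rcv_postxfrm_local not found in $tbl: Netfilter+IPsec patches missing"
        fi
    else
        echo "no readable kernel symbol table under /proc"
    fi
    if command -v ip >/dev/null 2>&1; then
        echo "IPsec stack: $(ip -o link | ipsec_stack_from_iflist)"
    fi
fi
```

The whole-word pattern matters: a bare `grep nf_rcv_postxfrm_local` also matches the sibling symbol nf_rcv_postxfrm_nonlocal, so a tighter match avoids a false positive from an unrelated line. Note that the symbol check only covers item (a) of Tom's list; the policy match patch (b) still has to be checked separately, for example by seeing whether `iptables -m policy --help` is accepted.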
Thank you, Tom. I'll follow up.

At 12:10 PM 12/2/2004, you wrote:
>On Thu, 2004-12-02 at 11:29 -0500, James Werkowski wrote:
> > Hello all --
> >
> > I am trying to get Shorewall, ipsec and RedHat ES version 3 to cooperate.
> > Before posting any specific problems, I thought I'd find out if I have the
> > right stuff to work with. (I've gotten ipsec to work flawlessly with
> > Shorewall using RH 8 and 9 kernels, so I have some experience with it.
> > Shorewall 2.0.12 works fine on this ES 3 box, except for the ipsec part)
> >
> > The current kernel I'm using is 2.4.21-20.EL.
> >
> > As I understand it, the EL kernels have the 2.6 ipsec code backported. Can
> > anyone confirm this, and if so, should I be following the shorewall guide
> > to the 2.6 kernel ipsec, using Shorewall 2.2?
> >
> > Can anyone tell me how to find out if the Netfilter+ipsec patches are
> > included in the kernel? (not an experienced kernel hacker here.)
>
>Try:
>
>    grep nf_rcv_postxfrm_local /proc/ksyms
>
>If that gives you an error, try:
>
>    grep nf_rcv_postxfrm_local /proc/kallsyms
>
>If the patches are in your kernel, you should see a response something
>like:
>
>    c029dae0 T nf_rcv_postxfrm_local
>
> > (I have installed both OpenSwan 2.2 and 1.5 using the RPM for the EL
> > kernels. I get ipsec working in both versions, but can't sort out the
> > masquerade and routing problems.)
>
>If you have IPSEC working and there is no 'ipsec0' interface, then you
>have the 2.6 IPSEC implementation. To have a completely functional
>setup, you then must have:
>
>a) The Netfilter-ipsec patches.
>b) The policy match patch (both kernel and iptables)
>c) Shorewall 2.2.0 Beta
>
>-Tom
>--
>Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
>Shoreline,            \ http://shorewall.net
>Washington USA        \ teastep@shorewall.net
>PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
>
>_______________________________________________
>Shorewall-users mailing list
>Post: Shorewall-users@lists.shorewall.net
>Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
>Support: http://www.shorewall.net/support.htm
>FAQ: http://www.shorewall.net/FAQ.htm
?

Marcelo F. Mujica
Tel : 4348-8380
mmujica@medioambiente.gov.ar
Sistema de Informacion Ambiental Nacional
Secretaría de Ambiente y Desarrollo Sustentable
Ministerio de Salud y Ambiente de La Nación
San Martin 459
Ciudad Autonoma de Buenos Aires
Buenos Aires - Argentina
On Wed, 2004-12-29 at 12:50 -0300, Marcelo Mujica wrote:
> ?

2.0.13 (or 2.2.0 RC2 if you are adventurous).

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
> > If you have IPSEC working and there is no 'ipsec0' interface, then you
> > have the 2.6 IPSEC implementation. To have a completely functional
> > setup, you then must have:
> >
> > a) The Netfilter-ipsec patches.
> > b) The policy match patch (both kernel and iptables)
> > c) Shorewall 2.2.0 Beta
> >
> > -Tom

I found a reference link on the Shorewall site, but now that I am trying to do something about it, I can't find it =(. Anyone?

thanks,
joshua
Joshua Schmidlkofer wrote:
>> If you have IPSEC working and there is no 'ipsec0' interface, then you
>> have the 2.6 IPSEC implementation. To have a completely functional
>> setup, you then must have:
>>
>> a) The Netfilter-ipsec patches.
>> b) The policy match patch (both kernel and iptables)
>> c) Shorewall 2.2.0 Beta
>> -Tom
>
> I found a reference link on the Shorewall site, but now that I am trying
> to do something about it, I can't find it =(. Anyone?
>

If you have a specific question, please ask it -- what you've written above could mean anything.

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>>>If you have IPSEC working and there is no 'ipsec0' interface, then you
>>>have the 2.6 IPSEC implementation. To have a completely functional
>>>setup, you then must have:
>>>
>>>a) The Netfilter-ipsec patches.
>>>b) The policy match patch (both kernel and iptables)
>>>c) Shorewall 2.2.0 Beta
>>
>>I found a reference link on the Shorewall site, but now that I am trying
>>to do something about it, I can't find it =(. Anyone?
>
> If you have a specific question, please ask it -- what you've written
> above could mean anything.

I think he is looking for the link:

http://www.shorewall.net/IPSEC-2.6.html

Or maybe these:

https://lists.netfilter.org/pipermail/netfilter-devel/2004-October/017254.html

And I couldn't find the message with patches for 2.6.10.

A.
Adam Sherman wrote:
> Tom Eastep wrote:
>
>>>> If you have IPSEC working and there is no 'ipsec0' interface, then you
>>>> have the 2.6 IPSEC implementation. To have a completely functional
>>>> setup, you then must have:
>>>>
>>>> a) The Netfilter-ipsec patches.
>>>> b) The policy match patch (both kernel and iptables)
>>>> c) Shorewall 2.2.0 Beta
>>>
>>> I found a reference link on the Shorewall site, but now that I am trying
>>> to do something about it, I can't find it =(. Anyone?
>>
>> If you have a specific question, please ask it -- what you've written
>> above could mean anything.
>
> I think he is looking for the link:
>
> http://www.shorewall.net/IPSEC-2.6.html
>
> Or maybe these:
>

Exactly -- or he could be looking at the moon.

> And I couldn't find the message with patches for 2.6.10.

Search the archives for "ipsec-netfilter" (Yes, I'm not consistent in which way I write it).

-Tom
--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key