PK
2006-Mar-20 02:05 UTC
Error: Your kernel and/or iptables does not support policy match: ipsec
hi I have debian sarge stable. I''d like to get shorewall & ipsec running, but cannot due to following errors: # shorewall show capabilities Shorewall-2.2.3 Chain capabilities at server.net - Mon Mr 20 02:28:22 CET 2006 Counters reset Sun Mar 19 14:44:48 CET 2006 iptables: Table does not exist (do you need to insmod?) ipsec works, but if I save the shorewall config files with webmin, then I get following error: Error: Your kernel and/or iptables does not support policy match: ipsec: my system: # uname -a Linux server.net 2.6.8-2-686 #1 Tue Aug 16 13:22:48 UTC 2005 i686 GNU/Linux # iptables -V iptables v1.2.11 # shorewall version 2.2.3 # modprobe ip_tables # lsmod | grep ip_tables ip_tables 18464 13 ipt_MASQUERADE,ipt_REJECT,ipt_LOG,ipt_state,ipt_pkttype,ipt_recent,ipt_iprange,ipt_physdev,ipt_multiport,ipt_conntrack,iptable_mangle,iptable_nat,iptable_filter my shorewall configurations: zones: net Internet loc Local vpn VPN interfaces: net eth0 loc eth1 ipsec: vpn Yes hosts: vpn eth0:192.168.0.0/24,10.0.0.0/8,192.168.1.0/24,202.X.X.2 ipsec masq: eth0 eth1 eth0:192.168.0.0/24 192.168.115.0/24 eth0:10.0.0.0/8 192.168.115.0/24 eth0:192.168.1.0/24 192.168.115.0/24 policy: loc all ACCEPT fw net ACCEPT fw loc ACCEPT net all DROP info # The FOLLOWING POLICY MUST BE LAST all all REJECT info loc vpn ACCEPT vpn loc ACCEPT tunnels: ipsec net 202.X.X.2 rules: ACCEPT net $FW tcp ssh,www,https,ftp,50 ACCEPT net fw udp https,domain,500,4500 ACCEPT fw net udp domain ACCEPT net:202.X.X.2 $FW tcp ACCEPT net:202.X.X.2 $FW udp # /etc/init.d/shorewall start Starting "Shorewall firewall": /etc/init.d/shorewall: line 121: 32087 Beendet $SRWL start >>$INITLOG 2>&1 not done (check /var/log/shorewall-init.log). # cat /var/log/shorewall-init.log Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Stopping Shorewall...Processing /etc/shorewall/stop ... Processing /etc/shorewall/stopped ... done. Loading /usr/share/shorewall/functions... Processing /etc/shorewall/params ... Processing /etc/shorewall/shorewall.conf... Loading Modules... Starting Shorewall... Initializing... Shorewall has detected the following iptables/netfilter capabilities: NAT: Available Packet Mangling: Available Multi-port Match: Available Extended Multi-port Match: Not available Connection Tracking Match: Available Packet Type Match: Available Policy Match: Not available Physdev Match: Available IP range Match: Available Recent Match: Available Determining Zones... Zones: net loc vpn Validating interfaces file... Validating hosts file... Error: Your kernel and/or iptables does not support policy match: ipsec what''s wrong or missing on my system and howto solve this problem ? _______________________________________________ Join Excite! - http://www.excite.com The most personalized portal on the Web! ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Tom Eastep
2006-Mar-20 03:41 UTC
Re: Error: Your kernel and/or iptables does not support policy match: ipsec
On Sunday 19 March 2006 18:05, PK wrote:> hi > > > > I have debian sarge stable. > > I''d like to get shorewall & ipsec running, but cannot due to following > errors: > > > > # shorewall show capabilities > > Shorewall-2.2.3 Chain capabilities at server.net - Mon Mär 20 02:28:22 CET > 2006Shorewall 2.2.3 didn''t have the "show capabilities" command.> > Error: Your kernel and/or iptables does not support policy match: ipsec >a) You are using an ancient (and unsupported) version of Shorewall. b) You are running an ancient kernel. c) *No* Debian release supports 2.6 kernel IPSEC with Netfilter without patching. In short, if you run Debian stable, you will always be a year or two behind the rest of the world. But your system will be stable and you will get prompt security updates. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Paul Gear
2006-Mar-20 04:14 UTC
Re: Error: Your kernel and/or iptables does not support policy match: ipsec
Tom Eastep wrote:> ... > a) You are using an ancient (and unsupported) version of Shorewall.PK, i''d suggest pinning Shorewall to testing, as described here: http://sourceforge.net/mailarchive/message.php?msg_id=13995291> b) You are running an ancient kernel. > c) *No* Debian release supports 2.6 kernel IPSEC with Netfilter without > patching. > > In short, if you run Debian stable, you will always be a year or two behind > the rest of the world. But your system will be stableIt would be nice if someone experienced in the "Debian way" of building kernels would put together a quick howto for us on building the kernel to get the most out of Shorewall. I use Debian, but i''ve never used anything but the default kernel builds.> you will get prompt security updates.Don''t go making promises that Debian can''t keep, Tom. ;-) Paul ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Alex Martin
2006-Mar-20 05:39 UTC
Re: Re: Error: Your kernel and/or iptables does not support policy match: ipsec
Paul Gear wrote:> It would be nice if someone experienced in the "Debian way" of building > kernels would put together a quick howto for us on building the kernel > to get the most out of Shorewall. I use Debian, but i''ve never used > anything but the default kernel builds. >I used to recompile kernels "the debian way" using ''make-kpkg''. What follows is an accurate (IIRC), though overly detailed, and lacking kernel configuration, way to make debian kernel packages. http://newbiedoc.sourceforge.net/system/kernel-pkg.html#INSTALL-KERNEL-PKG In my experience, in the section above the above linked document ''make menu-config'', which is the method I would suggest using (not much reason to have xwindows on a firewall in most cases) the lacking kernel configuration options for iptables, etc, can all be modularized, (ie it is safe to enable them all as modules using shorewall''s website kernel config as a guide) minus the backwards compatibility ipchains etc that interfere with iptables (warning usually included in the make menu-config about these incompatibilities). I am sure that the kernel config descriptions on the shorewall website documentation will suffice for most peoples needs. So, this above document, plus an accurate kernel config, minus extra stuff (ie a nice command based condensed version), is a pretty good intro to using debian''s tools to create custom kernel packages. Last, I recommend using the apt-pinning such as the what Paul below suggests, to have a current version. In my experience, for a vanilla Debian firewall, the testing branch has had no problems with security holes, especially if you update your system regulary. (Debian''s apt tools are the best!) One more thing to look at is Debian''s kernel-patch packages, one of those may solve your problem without recompiling your kernel. "PK, i''d suggest pinning Shorewall to testing, as described here: http://sourceforge.net/mailarchive/message.php?msg_id=13995291" I have been out of the business lately, but next time I build up a debian box, I will use the above document or something similar to create a condensed, shorewall specific debian kernel package building howto. (I should do this in the next month or two, as Shorewall''s original break from serving www.shorewall.net off of Tom''s DSL line was in an nice facility in Seattle (now internap) and is back in action. I will get a couple boxes in a rack in there pretty soon...) So, for debian people trying to build shorewall specific kernels, check out the above link, and use apt-pinning to make your distribution up to date. Hopefully you will hear back from me soon when the boxes are installed and I get my (remote) hands on the things. Good luck, Alex Martin http://www.rettc.com ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Paul Gear
2006-Mar-20 08:19 UTC
Re: Error: Your kernel and/or iptables does not support policy match: ipsec
Alex Martin wrote:> Paul Gear wrote: > >> It would be nice if someone experienced in the "Debian way" of building >> kernels would put together a quick howto for us on building the kernel >> to get the most out of Shorewall. I use Debian, but i''ve never used >> anything but the default kernel builds. >> > > I used to recompile kernels "the debian way" using ''make-kpkg''. What > follows is an accurate (IIRC), though overly detailed, and lacking > kernel configuration, way to make debian kernel packages.Thanks for that, Alex. -- Paul <http://paulgear.webhop.net> -- Be nice to apostrophes! http://www.apostrophe.fsnet.co.uk/