openswan klips install / modules

Written by Walter Doekes
If you want to be able to sniff your IPsec traffic with OpenSwan, you’ll need to get KLIPS instead of the default NETKEY IPsec protocol stack.

Installing that on Ubuntu/Karmic should be a matter of:

~# apt-get install openswan-modules-source
~# cd /usr/src
/usr/src# tar jxvf openswan-modules.tar.bz2
/usr/src# cd modules/openswan
/usr/src/modules/openswan# make KERNELSRC=/lib/modules/`uname -r`/build module module_install

But it’s not.

Right now, we’re running the default Linux kernel 2.6.31-23-server on this Karmic machine. And as it happens, 2.6.31 is the release in which the old net_device compatibility code (the CONFIG_COMPAT_NET_DEV_OPS block with the legacy function pointers) was removed from the kernel.

Source: http://patchwork.ozlabs.org/patch/27566/

All drivers are already converted to new net_device_ops API and nobody uses old API anymore.

-#ifdef CONFIG_COMPAT_NET_DEV_OPS
-	struct {
-		int (*init)(struct net_device *dev);
-		void (*uninit)(struct net_device *dev);
-		int (*open)(struct net_device *dev);
-		int (*stop)(struct net_device *dev);
-		int (*hard_start_xmit) (struct sk_buff *skb,
-					struct net_device *dev);
-		u16 (*select_queue)(struct net_device *dev,
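Review bot: removing the whole CONFIG_COMPAT_NET_DEV_OPS block (the `struct {` with `init`, `open`, `stop`, `hard_start_xmit`, ...) silently breaks every out-of-tree module that still assigns these members on `struct net_device` directly, which is exactly the `‘struct net_device’ has no member named ‘hard_start_xmit’` failure the Ubuntu openswan-modules-source package hits below. Consumers have to be ported to `net_device_ops`; the removal is reasonable once in-tree drivers are converted, but it deserves a note in the commit message that external modules relying on the compat path are no longer buildable.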

So after a couple of successful object compilations you get this:

  CC [M]  /usr/src/modules/openswan/modobj26/ipsec_tunnel.o
modobj26/ipsec_tunnel.c: In function ‘ipsec_tunnel_attach’:
modobj26/ipsec_tunnel.c:1117: error: ‘struct net_device’ has no member named ‘set_mac_address’
modobj26/ipsec_tunnel.c:1119: error: ‘struct net_device’ has no member named ‘hard_start_xmit’

The fix: don’t use the old Ubuntu-supplied module source; build the current upstream openswan tree against your kernel instead.

/usr/src# git clone git://git.openswan.org/public/scm/openswan.git openswan-2
/usr/src# cd openswan-2
/usr/src/openswan-2# make KERNELSRC=/lib/modules/`uname -r`/build module module_install
/usr/src/openswan-2# modprobe ipsec
/usr/src/openswan-2# ip addr | grep ipsec
4: ipsec0: <NOARP,PROMISC> mtu 16260 qdisc pfifo_fast state DOWN qlen 10
5: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10

Good! Now we have a nice interface to sniff.
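As an added example (not part of the original post, and not openswan's own tooling), here is a small POSIX sh preflight script that encodes the decision above: it compares the running kernel version against 2.6.31, optionally inspects the kernel's netdevice.h for the legacy `(*hard_start_xmit)` member, tells you whether the Ubuntu package source is still usable or the upstream git tree is needed, and parses `ip addr` output for the `ipsecN` interfaces that KLIPS creates. The 2.6.31 threshold is taken from the post; the header path under /lib/modules/$(uname -r)/build and the choice of `(*hard_start_xmit)` as the marker of the old API are assumptions.

```shell
#!/bin/sh
# KLIPS preflight: can openswan-modules-source (Ubuntu) still be built
# against this kernel, or is the upstream openswan git tree required?
# Added example, not code from the original post. Assumptions:
#   - the legacy net_device API disappeared in 2.6.31 (per the post);
#   - a kernel header that still declares (*hard_start_xmit) carries the
#     old API (hypothetical marker, chosen for this example).

# kernel_at_least VERSION MINIMUM -> exit 0 if VERSION >= MINIMUM.
# Only the leading dotted-numeric part is compared, so a Debian-style
# "2.6.31-23-server" is handled; missing components count as 0.
kernel_at_least() {
    awk -v v="$1" -v m="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", v); sub(/[^0-9.].*/, "", m)
        nv = split(v, a, "."); nm = split(m, b, ".")
        n = (nv > nm) ? nv : nm
        for (i = 1; i <= n; i++) {
            x = (i <= nv) ? a[i] + 0 : 0
            y = (i <= nm) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# has_legacy_xmit_member HEADER -> exit 0 if the header still declares the
# old (*hard_start_xmit) function pointer that the Ubuntu module source uses.
has_legacy_xmit_member() {
    grep -qF '(*hard_start_xmit)' "$1"
}

# klips_source_advice KERNEL_VERSION HEADER -> prints "ubuntu-package" or
# "upstream-git". A readable header is authoritative; otherwise fall back
# to the version threshold from the post.
klips_source_advice() {
    ver=$1
    hdr=$2
    if [ -r "$hdr" ]; then
        if has_legacy_xmit_member "$hdr"; then
            echo ubuntu-package
        else
            echo upstream-git
        fi
        return 0
    fi
    if kernel_at_least "$ver" 2.6.31; then
        echo upstream-git
    else
        echo ubuntu-package
    fi
}

# klips_ifaces < ip-addr-output -> prints the ipsecN interface names, one
# per line, so you can confirm the KLIPS interfaces exist after modprobe.
klips_ifaces() {
    sed -n 's/^[0-9][0-9]*: \(ipsec[0-9][0-9]*\):.*/\1/p'
}

# Stand-alone run: report advice for the running kernel and list any
# ipsecN interfaces already present (ip may be missing on a build host).
kver=$(uname -r)
khdr="/lib/modules/$kver/build/include/linux/netdevice.h"
echo "kernel $kver -> build KLIPS from: $(klips_source_advice "$kver" "$khdr")"
if command -v ip >/dev/null 2>&1; then
    ip addr 2>/dev/null | klips_ifaces | sed 's/^/KLIPS interface: /'
fi
```

Run it before `apt-get install openswan-modules-source`; on a 2.6.31 kernel without the legacy member it prints `upstream-git`, which is the path the post ends up taking. After `modprobe ipsec`, the same script lists `ipsec0`/`ipsec1` if the module loaded.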
