Opened 4 years ago

Closed 3 years ago

#14141 closed defect (fixed)

ipsec-tools fails to detect definition of IPSEC_DIR_FWD

Reported by: frodo+openwrt@…
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords: racoon, setkey, ipsec-tools
Cc:


Since ipsec-tools supports {Net,Free}BSD as well as Linux, and *BSD does not define IPSEC_DIR_FWD, it attempts to detect via the configure script the presence of IPSEC_DIR_FWD. The test is defined in as:

AC_MSG_CHECKING(whether we support FWD policy)
case $host in


#include <inttypes.h>
#include <linux/ipsec.h>

], [
int fwd = IPSEC_DIR_FWD;

AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])],

In the current build environment, this test fails to compile, leading configure to erroneously detect the lack of IPSEC_DIR_FWD. The resulting setkey binary thus doesn't create "fwd" policies in the kernel, and the kernel won't route traffic over ipsec tunnels.

Unconditionally enabling support for IPSEC_DIR_FWD fixes the problem. I did this by replacing the above conditional with
AC_DEFINE([HAVE_POLICY_FWD], [], [Have forward policy])
in This isn't an appropriate permanent solution, but since (AFAIK) OpenWRT doesn't support non-Linux kernels, it may be a reasonable workaround.

I'll attach the relevant bits from config.log showing this problem. It looks like an issue with include paths, but I'm not sure what the right fix would be.

Attachments (1)

config.log (5.6 KB) - added by frodo+openwrt@… 4 years ago.
config.log fragment
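
A way to check a config.log for the false negative this ticket describes, as an added example that is not part of the original ticket or of ipsec-tools: it reports whether the FWD policy probe answered "no" because a header could not be found or because IPSEC_DIR_FWD is really undeclared. The function name and the sample log lines are constructed, and the error patterns assume GCC's message wording.

```shell
#!/bin/sh
# Added example. classify_fwd_probe is a hypothetical helper; the error
# patterns assume GCC's wording and autoconf's config.log layout.
classify_fwd_probe() {
    awk '
        /checking whether we support FWD policy/ { in_probe = 1; next }
        !in_probe { next }
        # Header not found: the probe never saw the definition at all.
        /No such file or directory/ { cause = "missing-header" }
        # Header was read but does not provide the symbol (the *BSD case).
        /IPSEC_DIR_FWD.*undeclared/ { if (cause == "") cause = "symbol-undeclared" }
        /error:/                    { if (cause == "") cause = "other-compile-error" }
        /result: yes/ { print "supported"; done = 1; exit }
        /result: no/  {
            # No compiler error recorded: the compile test was not run.
            print (cause == "" ? "no-compile-attempted" : cause)
            done = 1; exit
        }
        END { if (!done) print "probe-not-found" }
    ' "$1"
}

# Constructed config.log fragment (not the attachment from this ticket).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
configure:100: checking whether we support FWD policy
configure:110: gcc -c -g -O2 conftest.c >&5
conftest.c:30:10: fatal error: linux/ipsec.h: No such file or directory
compilation terminated.
configure:110: $? = 1
configure:120: result: no
EOF

verdict=$(classify_fwd_probe "$sample_log")
rm -f "$sample_log"
case $verdict in
    supported|symbol-undeclared)
        echo "probe result is trustworthy: $verdict" ;;
    *)
        echo "probe result is suspect, HAVE_POLICY_FWD may be wrongly unset: $verdict" ;;
esac
```

Any verdict other than `supported` or `symbol-undeclared` on a Linux target means the "no" came from the build environment rather than from the kernel headers, so the resulting setkey would silently omit fwd policies.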


Change History (5)

Changed 4 years ago by frodo+openwrt@…

config.log fragment

comment:1 Changed 4 years ago by anonymous

Any updates about this bug?

comment:2 Changed 3 years ago by frodo+openwrt@…

With the recent packages restructuring, ipsec-tools has been relegated to "oldpackages" and is no longer considered part of openwrt. So, if things remain in this state, then this issue can be marked as resolved.

However, because I use this package and want to continue doing so, I've begun work to get ipsec-tools re-introduced to the packages repository. Pull request sent via github at

I'll resolve this issue when that pull request is merged or rejected.

comment:3 Changed 3 years ago by nmeyerhans

The correct pull request was, which has now been merged. ipsec-tools will build with the expected featureset and will install the correct policies. It makes sense to resolve this issue at this time, but I don't seem to have permission to do so...

comment:4 Changed 3 years ago by jogo

  • Resolution set to fixed
  • Status changed from new to closed
