Jeffrey Young
Very Senior Member
Good afternoon everyone;
I recently installed StrongSwan on my RTAX86U PRO, running 388.8_4 firmware. I elected to go with StrongSwan (IPSec) as the Entware version included the Radius Authentication plug-in so that I could authenticate users to my Active Directory services. I was previously using SoftEtherVPN for this on my AX88U, but found out a bug exists in the 86U PRO where adding a TAP device to the br0 bridge causes the router to crash, with recovery only possible through a power on reboot. I had upgraded from the AX88U to the AX86U PRO to take advantage of the full 1.5Gbit service from my ISP.
After some trial and error, I managed to get StrongSwan running. I had to load the xfrm_user.ko and xfrm4_tunnel.ko kernel modules from the /lib folder in order to get StrongSwan to even start.
After configuring the server and setting up the required firewall/NAT rules, I did get a connection from the remote computer to my router; however, my Radius server complained that the secret key was incorrect. After some more fiddling, it seems Entware's StrongSwan Radius plugin truncates the secret key, so I had to reduce my key from a 24 character key to a 12 character key. That problem solved.
However, the router now complains that the kernel does not support the agreed upon crypto algorithm.
Code:
Apr 16 16:19:03 RTAX86UPro charon: 12[CFG] selected proposal: ESP:CHACHA20_POLY1305/NO_EXT_SEQ
Apr 10 16:19:03 RTAX86UPro charon: 12[KNL] received netlink error: Function not implemented (38)
Apr 10 16:19:03 RTAX86UPro charon: 12[KNL] unable to add SAD entry with SPI cd3db6e5 (FAILED)
Apr 10 16:19:03 RTAX86UPro charon: 12[KNL] received netlink error: Function not implemented (38)
Apr 10 16:19:03 RTAX86UPro charon: 12[KNL] unable to add SAD entry with SPI e15468b7 (FAILED)
Apr 10 16:19:03 RTAX86UPro charon: 12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Apr 10 16:19:03 RTAX86UPro charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
I was able to overcome this setback by installing the strongswan-mod-kernel-libipsec package and loading the tun.ko module, which moved the crypto services from kernel space to userspace. But it is not ideal, as the VPN performance suffers.
Looking through the /lib directory, I don't see any crypto modules listed. So, I am now thinking about trying to build either the 388.8_4 firmware or the 3006 firmware with the needed crypto modules enabled.
I am just starting down this path (thanks to @pershoot for the help he has provided thus far). I am currently looking at the build instructions here and using this guide to help with including any required modules.
So, a couple of questions for anyone who has had experience with StrongSwan and/or compiling Merlin from source:
1. Is the 4.19 kernel even able to support some of the more modern crypto methods such as ChaCha20?
2. I did find the kernel config file in the release/src-rt-5.04axhnd.675x/kernel/linux-4.19 directory (after some searching), but there is a warning at the top that says the file should not be edited as it is dynamically built. Is there another location better suited to enabling kernel modules?
3. Does the 3006 code base have any other crypto modules already built and ready for use in the /lib directory?
I have not switched over to the 3006 firmware yet. I am waiting for the formal release to come out. Even then I may wait for a few revisions to ensure the codebase is solid. I was really hoping for a 388.9 for the AX86U PRO in hopes that the TAP interface issue would have been fixed, but that is not in the cards (for reasons that Merlin has explained and I agree with).
Any thoughts would be appreciated. I got it working using the userspace crypto tools and the router seems fine using it. HTOP does not show any crazy CPU use on any torture tests so far, but in keeping with the warnings about using the userspace tool, I would like to find a way to keep the crypto stuff in the kernel.
Thanks
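The "received netlink error: Function not implemented (38)" lines above are the kernel's XFRM layer refusing to install the SA because it cannot find a crypto transform for the algorithm charon negotiated. The POSIX sh script below is an added example, not code from the post, strongSwan or Entware: it maps the algorithm tokens charon prints in a "selected proposal" line to the kernel transform names XFRM looks up and checks them against a /proc/crypto listing, so the mismatch is visible before the tunnel is brought up. The token-to-transform mapping covers only the common algorithms and is an assumption of this example, and the /proc/crypto excerpt it runs against is constructed, not captured from a router.

```sh
#!/bin/sh
# Added example, not code from the original post, strongSwan or Entware.
# Before charon tries to install an ESP SA (and fails with "received netlink
# error: Function not implemented (38)"), ask the kernel crypto API whether it
# exposes the transforms XFRM needs for the selected proposal.
# Assumptions: the /proc/crypto layout ("name : <transform>" lines) and the
# strongSwan-token -> kernel-transform mapping below (common algorithms only).

# Map one token of a proposal as charon prints it (CHACHA20_POLY1305,
# AES_GCM_16_256, HMAC_SHA2_256_128, ...) to the kernel template XFRM looks up.
# Returns 2 (prints nothing) for ESN flags, 1 for tokens it does not know.
esp_token_to_kernel() {
  case "$1" in
    CHACHA20_POLY1305*)                 echo "rfc7539esp(chacha20,poly1305)" ;;
    AES_GCM_16*|AES_GCM_12*|AES_GCM_8*) echo "rfc4106(gcm(aes))" ;;
    AES_CBC*)                           echo "cbc(aes)" ;;
    HMAC_SHA2_256*)                     echo "hmac(sha256)" ;;
    HMAC_SHA2_512*)                     echo "hmac(sha512)" ;;
    HMAC_SHA1*)                         echo "hmac(sha1)" ;;
    NO_EXT_SEQ|EXT_SEQ)                 return 2 ;;
    *)                                  return 1 ;;
  esac
}

# Succeed if the /proc/crypto-style listing in $2 advertises transform $1.
kernel_has_transform() {
  sed -n 's/^name[[:space:]]*:[[:space:]]*//p' "$2" | grep -qxF -- "$1"
}

# Check a whole proposal such as "ESP:CHACHA20_POLY1305/NO_EXT_SEQ" against a
# listing (default /proc/crypto). Prints each missing kernel transform on its
# own line; returns 0 only if the kernel can back every algorithm.
check_esp_proposal() {
  rest=${1#ESP:}
  listing=${2:-/proc/crypto}
  status=0
  while [ -n "$rest" ]; do
    token=${rest%%/*}
    case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
    rc=0
    name=$(esp_token_to_kernel "$token") || rc=$?
    if [ "$rc" -eq 2 ]; then
      continue                      # ESN flag, nothing to look up
    elif [ "$rc" -ne 0 ]; then
      echo "unknown proposal token: $token" >&2
      status=1
    elif ! kernel_has_transform "$name" "$listing"; then
      echo "$name"
      status=1
    fi
  done
  return $status
}

# Constructed /proc/crypto excerpt (not captured from a real router): a kernel
# with AES-GCM, AES-CBC and HMAC-SHA256 but no ChaCha20-Poly1305 AEAD.
sample_proc_crypto() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aes-generic
module       : kernel
type         : aead

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
type         : skcipher

name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : kernel
type         : shash
EOF
  echo "$f"
}

# Demo against the constructed listing; on the router, drop the second argument
# so check_esp_proposal reads the live /proc/crypto instead.
listing=$(sample_proc_crypto)
for proposal in 'ESP:CHACHA20_POLY1305/NO_EXT_SEQ' 'ESP:AES_GCM_16_256/NO_EXT_SEQ'; do
  if missing=$(check_esp_proposal "$proposal" "$listing"); then
    echo "$proposal: kernel can install this SA"
  else
    echo "$proposal: kernel lacks $(echo "$missing" | tr '\n' ' ')"
  fi
done
rm -f "$listing"
```

Run on the router as `check_esp_proposal 'ESP:CHACHA20_POLY1305/NO_EXT_SEQ'` after loading whatever crypto modules are available; an empty result means XFRM will accept the SA, while a printed transform name is exactly what the kernel would need to gain (by building it in or as a module) before that proposal can stay in the kernel path rather than falling back to libipsec.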