Strongswan package from Entware on Asuswrt-Merlin?

[RMerlin]

Since you are recompiling the firmware, why not enable those modules in your config instead of trying to load those precompiled? It eliminate the risk that those modules might not be compatible with this kernel.

 

[chiwalfrm]

Which lines do I change to enable these modules?

insmod: 'ah4.ko': module not found
insmod: 'esp4.ko': module not found
insmod: 'ipcomp.ko': module not found
insmod: 'xfrm4_tunnel.ko': module not found
insmod: 'xfrm_user.ko': module not found

Thank you.

$ grep -i ah4 ./linux/linux-2.6/config_base
$ grep -i esp ./linux/linux-2.6/config_base
CONFIG_INET_ESP=y
CONFIG_INET6_ESP=y
# CONFIG_NETFILTER_XT_MATCH_ESP is not set
$ grep -i ipcomp ./linux/linux-2.6/config_base
CONFIG_INET_IPCOMP=y
CONFIG_INET6_IPCOMP=y
$ grep -i xfrm4_tunnel ./linux/linux-2.6/config_base
$ grep -i xfrm_user ./linux/linux-2.6/config_base
CONFIG_XFRM_USER=y

 

[chiwalfrm]

I can see the source code for these kernel modules but I have no idea how to "include" them in my kernel. I am new at this, sorry for all these questions.

$ find . -print | grep ah4
./linux/linux-2.6/net/ipv4/ah4.mod.c
./linux/linux-2.6/net/ipv4/.ah4.o.cmd
./linux/linux-2.6/net/ipv4/ah4.o
./linux/linux-2.6/net/ipv4/ah4.c
$ find . -print | grep esp4
./linux/linux-2.6/net/ipv4/esp4.mod.c
./linux/linux-2.6/net/ipv4/.esp4.o.cmd
./linux/linux-2.6/net/ipv4/esp4.o
./linux/linux-2.6/net/ipv4/esp4.c
$ find . -print | grep ipcomp
./linux/linux-2.6/include/config/inet/ipcomp.h
./linux/linux-2.6/include/config/inet6/ipcomp.h
./linux/linux-2.6/include/net/ipcomp.h
./linux/linux-2.6/net/ipv6/ipcomp6.c
./linux/linux-2.6/net/ipv6/ipcomp6.o
./linux/linux-2.6/net/ipv6/ipcomp6.mod.c
./linux/linux-2.6/net/ipv6/.ipcomp6.o.cmd
./linux/linux-2.6/net/ipv4/ipcomp.c
./linux/linux-2.6/net/ipv4/ipcomp.o
./linux/linux-2.6/net/ipv4/.ipcomp.o.cmd
./linux/linux-2.6/net/ipv4/ipcomp.mod.c
$ find . -print | grep xfrm4_tunnel
./linux/linux-2.6/net/ipv4/.xfrm4_tunnel.o.cmd
./linux/linux-2.6/net/ipv4/xfrm4_tunnel.c
./linux/linux-2.6/net/ipv4/xfrm4_tunnel.mod.c
./linux/linux-2.6/net/ipv4/xfrm4_tunnel.o
$ find . -print | grep xfrm_user
./linux/linux-2.6/net/xfrm/.xfrm_user.o.cmd
./linux/linux-2.6/net/xfrm/xfrm_user.o
./linux/linux-2.6/net/xfrm/xfrm_user.c
./linux/linux-2.6/net/xfrm/xfrm_user.mod.c

 

[RMerlin]

No idea either as I have never played with IPSEC under Linux.

Try with this site: http://cateee.net/lkddb/web-lkddb/

Do a search for your modules using a query like this:

"module built esp4"

One of the first hits (past the silly ads) should be on that same site, showing you the config option related to that setting.

 

[chiwalfrm]

Great site merlin, you are awesome.

Based on that information, I found only one that I needed to set, as the others were already set.

insmod: 'ah4.ko': module not found ---> CONFIG_INET_AH=y already set
insmod: 'esp4.ko': module not found ---> CONFIG_INET_ESP=y already set
insmod: 'ipcomp.ko': module not found ---> CONFIG_INET_IPCOMP=y already set
insmod: 'xfrm4_tunnel.ko': module not found --> CONFIG_INET_TUNNEL not set
insmod: 'xfrm_user.ko': module not found ---> CONFIG_XFRM_USER=y already set


Will report back later (compiling takes a while).

 

[chiwalfrm]

same error as last time, so frustrating.

# ipsec start
Starting strongSwan 5.0.4 IPsec [starter]...
insmod: 'ah4.ko': module not found
insmod: 'esp4.ko': module not found
insmod: 'ipcomp.ko': module not found
insmod: 'xfrm4_tunnel.ko': module not found
insmod: 'xfrm_user.ko': module not found

# dmesg
ip ah init: can't add xfrm type
ip esp init: can't add xfrm type
ipcomp init: can't add xfrm type
ipip init: can't add xfrm type
Initializing XFRM netlink socket

You know, I think the modules are actually in the kernel. The 'Not found' error is caused by the other error when it tries to load the module from the kernel. The dmesg errors is the answer if you can help me understand it.

"can't add xfrm type"... What does that mean?

 

[chiwalfrm]

Maybe this can help?

http://www.cs.fsu.edu/~baker/devices/lxr/http/source/linux/net/ipv4/ah4.c?v=2.6.11.8

static int __init ah4_init(void)
314 {
315         if (xfrm_register_type(&ah_type, AF_INET) < 0) {
316                 printk(KERN_INFO "ip ah init: can't add xfrm type\n");
317                 return -EAGAIN;
318         }
319         if (inet_add_protocol(&ah4_protocol, IPPROTO_AH) < 0) {
320                 printk(KERN_INFO "ip ah init: can't add protocol\n");
321                 xfrm_unregister_type(&ah_type, AF_INET);
322                 return -EAGAIN;
323         }
324         return 0;
325 }

The error message ""ip ah init: can't add xfrm type" occurs when xfrm_register_type(&ah_type, AF_INET) < 0 but I have no idea what xfrm_register_type function does and when it would return < 0. The others are almost the same, for example esp4.ko has "if (xfrm_register_type(&esp_type, AF_INET) < 0)"

 

[RMerlin]

Take a look at that thread, it might give you some pointers since Asuswrt is originally based on Tomato:

http://tomatousb.org/forum/t-645571

 

[chiwalfrm]

Thank you for the link, but it is only for after the kernel is already configured for IPsec as it covers the other steps to configure Strongswan. Right now, the problem is the ASUSWRT kernel.

At this point, I have run out of ideas. Just to save anyone the time, in config_base, I have enabled everything that starts with:

CONFIG_INET6*
CONFIG_INET*
CONFIG_IPV6*
CONFIG_NET* (except CONFIG_NET_ACT_POLICE since it will not compile with this =y)
CONFIG_NETFILTER*
CONFIG_XFRM and CONFIG_XFRM_USER

But the problem remains the same. Notice that the error is no longer 'not found'. That is because I think the module is actually in the kernel, but trying to use it has a problem. The error text is "Resource temporarily unavailable".

# ipsec start
Starting strongSwan 5.0.4 IPsec [starter]...
insmod: can't insert 'ah4.ko': Resource temporarily unavailable
insmod: can't insert 'esp4.ko': Resource temporarily unavailable
insmod: can't insert 'ipcomp.ko': Resource temporarily unavailable
insmod: can't insert 'xfrm4_tunnel.ko': Resource temporarily unavailable
insmod: can't insert 'xfrm_user.ko': Cannot allocate memory

In the dmesg:

ip ah init: can't add xfrm type
ip esp init: can't add xfrm type
ipcomp init: can't add xfrm type
ipip init: can't add xfrm type
Initializing XFRM netlink socket

In the syslog:

Sep 24 19:37:35 RT-N16 syslog: 00[LIB] opening AF_ALG socket failed: Address family not supported by protocol
(above line repeats many times)

 

[chiwalfrm]

"Resource temporarily unavailable" tells me there is perhaps another module that conflicts with it, or we hit some kind of limit set in the OS... It's not main memory, but maybe limit to number of modules?

 

[RMerlin]

Have a look at this StrongSwan documentation which lists all required modules:

http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

 

[chiwalfrm]

Yes I have seen that link before and I can confirm that the required modules have been set to =y in config_base, but here is the interesting thing:

Both of the following two configuration items are supposed to exist for compiling Linux kernel:
CONFIG_XFRM and CONFIG_XFRM_USER

http://cateee.net/lkddb/web-lkddb/XFRM.html
http://cateee.net/lkddb/web-lkddb/XFRM_USER.html

In particular, CONFIG_XFRM is very important as everything I've read says that it must be set to =y to run IPsec.

Ref: http://www.linksysinfo.org/index.php?threads/tomato-and-ipsec-why-not.38344/

Robin Battey: As I've mentioned elsewhere, you can't actually do that because of the CONFIG_XFRM option which must be "y", not compiled as a module.

Now I know that I set both to =y in config_base.

$ grep XFRM ./linux/linux-2.6/config_base
[COLOR="Red"]CONFIG_XFRM=y
CONFIG_XFRM_USER=y[/COLOR]
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_TUNNEL is not set
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set

But the make log-file makes no mention of CONFIG_XFRM, only CONFIG_XFRM_USER.

$ grep XFRM make.log
  [COLOR="Red"]Transformation user configuration interface (XFRM_USER) [Y/n/m/?] y[/COLOR]
  Transformation sub policy support (EXPERIMENTAL) (XFRM_SUB_POLICY) [N/y/?] (NEW)
  Transformation migrate database (EXPERIMENTAL) (XFRM_MIGRATE) [N/y/?] (NEW)
  PF_KEY sockets (NET_KEY) [Y/n/m/?] y
    IP: IPsec transport mode (INET_XFRM_MODE_TRANSPORT) [Y/n/m/?] y
    IP: IPsec tunnel mode (INET_XFRM_MODE_TUNNEL) [Y/n/m/?] y
    IP: IPsec BEET mode (INET_XFRM_MODE_BEET) [Y/n/m/?] y
    IPv6: IPsec transport mode (INET6_XFRM_MODE_TRANSPORT) [Y/n/m/?] y
    IPv6: IPsec tunnel mode (INET6_XFRM_MODE_TUNNEL) [Y/n/m/?] y
    IPv6: IPsec BEET mode (INET6_XFRM_MODE_BEET) [Y/n/m/?] y
    IPv6: MIPv6 route optimization mode (EXPERIMENTAL) (INET6_XFRM_MODE_ROUTEOPTIMIZATION) [N/m/y/?] n

So the question is, is there something wrong with the Makefile that it is not reading CONFIG_XFRM=y from the config_base? Only XFRM_USER can be seen in the log file.

Thank you very much for your continued feedback.

 

[chiwalfrm]

$ find . -name \*\.h -exec grep -il 'ifdef CONFIG_XFRM' {} \;
./linux/linux-2.6/include/net/xfrm.h

 

[RMerlin]

Try issuing a "make cleankernel" before recompiling. Also after done compiling, check if the generated .config file inside linux-2.6/ actually contains your new entries.

 

[saintdev]

Yes I have seen that link before and I can confirm that the required modules have been set to =y in config_base, but here is the interesting thing:

Both of the following two configuration items are supposed to exist for compiling Linux kernel:
CONFIG_XFRM and CONFIG_XFRM_USER

http://cateee.net/lkddb/web-lkddb/XFRM.html
http://cateee.net/lkddb/web-lkddb/XFRM_USER.html

In particular, CONFIG_XFRM is very important as everything I've read says that it must be set to =y to run IPsec.

Ref: http://www.linksysinfo.org/index.php?threads/tomato-and-ipsec-why-not.38344/


Now I know that I set both to =y in config_base.

$ grep XFRM ./linux/linux-2.6/config_base
[COLOR="Red"]CONFIG_XFRM=y
CONFIG_XFRM_USER=y[/COLOR]
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_TUNNEL is not set
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set

But the make log-file makes no mention of CONFIG_XFRM, only CONFIG_XFRM_USER.

$ grep XFRM make.log
  [COLOR="Red"]Transformation user configuration interface (XFRM_USER) [Y/n/m/?] y[/COLOR]
  Transformation sub policy support (EXPERIMENTAL) (XFRM_SUB_POLICY) [N/y/?] (NEW)
  Transformation migrate database (EXPERIMENTAL) (XFRM_MIGRATE) [N/y/?] (NEW)
  PF_KEY sockets (NET_KEY) [Y/n/m/?] y
    IP: IPsec transport mode (INET_XFRM_MODE_TRANSPORT) [Y/n/m/?] y
    IP: IPsec tunnel mode (INET_XFRM_MODE_TUNNEL) [Y/n/m/?] y
    IP: IPsec BEET mode (INET_XFRM_MODE_BEET) [Y/n/m/?] y
    IPv6: IPsec transport mode (INET6_XFRM_MODE_TRANSPORT) [Y/n/m/?] y
    IPv6: IPsec tunnel mode (INET6_XFRM_MODE_TUNNEL) [Y/n/m/?] y
    IPv6: IPsec BEET mode (INET6_XFRM_MODE_BEET) [Y/n/m/?] y
    IPv6: MIPv6 route optimization mode (EXPERIMENTAL) (INET6_XFRM_MODE_ROUTEOPTIMIZATION) [N/m/y/?] n

So the question is, is there something wrong with the Makefile that it is not reading CONFIG_XFRM=y from the config_base? Only XFRM_USER can be seen in the log file.

Thank you very much for your continued feedback.

CONFIG_XFRM isn't set directly selected during configuration. It is indirectly enabled by options that need it, such as XFRM_USER (via XFRM_ALGO) or INET_XFRM_MODE_*. So it won't show up in the log (or if you were to run make config manually).

 

[chiwalfrm]

Try issuing a "make cleankernel" before recompiling. Also after done compiling, check if the generated .config file inside linux-2.6/ actually contains your new entries.

Did a "make clean", then "make cleankernel", then "make rt-n16". Also checked the generated .config file in linux-2.6 is correct. Checks out but same errors as before.

After failure of the ipsec start, I have been trying to load kernel modules with insmod. Doing a find for 'ah4.ko' shows that this file does not exist in the filesystem. In fact, the /lib/modules/2.6.22.19/kernel/net/ipv4/ directory only contains tcp_vegas.ko.

# ls -al /lib/modules/2.6.22.19/kernel/net/ipv4
drwxrwxr-x    3 admin    root            43 Sep 25 01:08 .
drwxrwxr-x    7 admin    root            79 Sep 25 01:09 ..
drwxrwxr-x    2 admin    root           598 Sep 25 01:08 netfilter
-rw-rw-r--    1 admin    root          6380 Sep 25 01:08 tcp_vegas.ko

Is it because the kernel modules are "inside" the kernel and not as ko files any more?

What is the command to build "ko" versions of these modules so I can try loading them with insmod? I have been using ryzhov_al's "tgz" archive of these modules but perhaps they are not compatible. Would be nice if I can create official "ko" modules out of the same source that I built the kernel from.

Thank you.

EDIT: OK I figured it out. If I set the CONFIG key in config_base to =m, then it will create "ko" kernel modules which I can then copy over to the router. For example, set CONFIG_INET_AH=m, and you will find ./linux/linux-2.6/net/ipv4/ah4.ko when the make is finished.

 

[chiwalfrm]

Wanted to do a post about where things stand right now.

1. Modified ./linux/linux-2.6/config_base to include required modules. Here is the diff.

$ diff -u config_base config_base.orig
--- config_base           2013-09-25 00:21:43.879465212 -0500
+++ config_base.orig    2013-09-25 00:31:30.283473800 -0500
@@ -281,13 +281,10 @@
 #
 # Networking options
 #
-CONFIG_XFRM=y
-CONFIG_XFRM_USER=y
-CONFIG_NETFILTER_XT_MATCH_POLICY=y
 CONFIG_PACKET=y
 # CONFIG_PACKET_MMAP is not set
 CONFIG_UNIX=y
-CONFIG_NET_KEY=y
+# CONFIG_NET_KEY is not set
 CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
 CONFIG_IP_ADVANCED_ROUTER=y
@@ -309,14 +306,14 @@
 # CONFIG_IP_PIMSM_V2 is not set
 # CONFIG_ARPD is not set
 CONFIG_SYN_COOKIES=y
-CONFIG_INET_AH=y
-CONFIG_INET_ESP=y
-CONFIG_INET_IPCOMP=y
+# CONFIG_INET_AH is not set
+# CONFIG_INET_ESP is not set
+# CONFIG_INET_IPCOMP is not set
 # CONFIG_INET_XFRM_TUNNEL is not set
 # CONFIG_INET_TUNNEL is not set
-CONFIG_INET_XFRM_MODE_TRANSPORT=y
-CONFIG_INET_XFRM_MODE_TUNNEL=y
-CONFIG_INET_XFRM_MODE_BEET=y
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
 # CONFIG_INET_DIAG is not set
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
@@ -340,25 +337,25 @@
 CONFIG_DEFAULT_TCP_CONG="reno"
 # CONFIG_TCP_MD5SIG is not set
 # CONFIG_IP_VS is not set
-CONFIG_IPV6=y
+# CONFIG_IPV6 is not set
 # CONFIG_IPV6_PRIVACY is not set
 # CONFIG_IPV6_ROUTER_PREF is not set
 # CONFIG_IPV6_ROUTE_INFO is not set
 # CONFIG_IPV6_OPTIMISTIC_DAD is not set
-CONFIG_INET6_AH=y
-CONFIG_INET6_ESP=y
-CONFIG_INET6_IPCOMP=y
+# CONFIG_INET6_AH is not set
+# CONFIG_INET6_ESP is not set
+# CONFIG_INET6_IPCOMP is not set
 # CONFIG_IPV6_MIP6 is not set
 # CONFIG_INET6_XFRM_TUNNEL is not set
 # CONFIG_INET6_TUNNEL is not set
-CONFIG_INET6_XFRM_MODE_TRANSPORT=y
-CONFIG_INET6_XFRM_MODE_TUNNEL=y
-CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET6_XFRM_MODE_BEET is not set
 # CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
 CONFIG_IPV6_SIT=m
 CONFIG_IPV6_SIT_6RD=y
 # CONFIG_IPV6_TUNNEL is not set
-CONFIG_IPV6_MULTIPLE_TABLES=y
+# CONFIG_IPV6_MULTIPLE_TABLES is not set
 # CONFIG_IPV6_SUBTREES is not set
 # CONFIG_IPV6_MROUTE is not set
 # CONFIG_IPV6_PIMSM_V2 is not set

2. Installed all strongswan* packages from Entware.

This went fine.

3. "ipsec start" fails with the following but that is not the real problem:

admin@RT-N16:/tmp/mnt/Entware/share# ipsec start
Starting strongSwan 5.0.4 IPsec [starter]...
insmod: can't insert 'ah4.ko': Resource temporarily unavailable
insmod: can't insert 'esp4.ko': Resource temporarily unavailable
insmod: can't insert 'ipcomp.ko': Resource temporarily unavailable
insmod: can't insert 'xfrm4_tunnel.ko': Resource temporarily unavailable
insmod: can't insert 'xfrm_user.ko': Cannot allocate memory

4. The real problem are the following kernel modules which will not insmod.

admin@RT-N16:/tmp/mnt/Entware/share# insmod ah4
insmod: can't insert 'ah4.ko': Resource temporarily unavailable
admin@RT-N16:/tmp/mnt/Entware/share# insmod esp4
insmod: can't insert 'esp4.ko': Resource temporarily unavailable
admin@RT-N16:/tmp/mnt/Entware/share# insmod ipcomp.ko
insmod: can't insert 'ipcomp.ko': Resource temporarily unavailable
admin@RT-N16:/tmp/mnt/Entware/share# insmod xfrm4_tunnel.ko
insmod: can't insert 'xfrm4_tunnel.ko': Resource temporarily unavailable
admin@RT-N16:/tmp/mnt/Entware/share# insmod xfrm_user.ko
insmod: can't insert 'xfrm_user.ko': Cannot allocate memory

"Resource temporarily unavailable" is kind of cryptic, but we do know one thing. If the kernel module is already loaded, the error should be: "insmod: can't insert '<MODULE>': File exists". So at least we know the module isn't already loaded.

5. The dmesg output from the insmod commands above.

Each line corresponds to each sequential insmod command above.

ip ah init: can't add xfrm type
ip esp init: can't add xfrm type
ipcomp init: can't add xfrm type
ipip init: can't add xfrm type
Initializing XFRM netlink socket

6. Tested the insmod command

Just to make sure it is not a broken insmod, I tested it with tcp_vegas.ko and it works fine.

# lsmod | grep -i tcp_vegas
# insmod /lib/modules/2.6.22.19/kernel/net/ipv4/tcp_vegas.ko
# lsmod | grep -i tcp_vegas
tcp_vegas               3776  0
# rmmod tcp_vegas
# lsmod | grep -i tcp_vegas

7. dmesg errors came from the following source code files:

$ cd ./linux/linux-2.6/net/ipv4
$ ls -al ah4.c esp4.c ipcomp.c xfrm4_tunnel.c
-rw-rw-r-- 1 vmware vmware  7844 Sep 25 09:41 ah4.c
-rw-rw-r-- 1 vmware vmware 12162 Sep 25 09:41 esp4.c
-rw-rw-r-- 1 vmware vmware 10600 Sep 25 09:41 ipcomp.c
-rw-rw-r-- 1 vmware vmware  2675 Sep 25 09:41 xfrm4_tunnel.c
$ cd ../xfrm
$ ls -al xfrm_user.c
-rw-rw-r-- 1 vmware vmware 59347 Sep 25 00:31 xfrm_user.c

 

[chiwalfrm]

Kernel modules (.ko files) go in the directory /lib/modules/2.6.22.19/kernel/, for example:
net/ipv6/sit.ko

Since this directory is read-only, is there a command that can "mount" an alternative location over it?

For example, I want to copy all the kernel module files in /lib/modules/2.6.22.19/kernel/ to /tmp/mnt/Entware/kernel/ (USB drive) , make some changes there (add additional modules), and then:

mount: "mount /tmp/mnt/Entware/kernel /lib/modules/2.6.22.19/kernel" or
soft-link: "ln -s /tmp/mnt/Entware/kernel /lib/modules/2.6.22.19/kernel",
but of course both commands fail because the / filesystem is read-only.

Thanks for all the help. I am still working on getting a kernel compiled and functioning with IPsec.

 

[saintdev]

Kernel modules (.ko files) go in the directory /lib/modules/2.6.22.19/kernel/, for example:
net/ipv6/sit.ko

They're not required to. You can use insmod to manually load a module from any path/filename.

insmod /path/to/my/module.ko

Unlike modprobe, insmod does not handle module dependencies. So you have to make sure you are loading the modules in the correct order if you use it.

 

[chiwalfrm]

After building this new kernel with the required CONFIG_* settings, I am now investigating the kernel modules that are created. I found out that several of these modules have a problem. When trying to load them, I get the error "invalid module format".

I set the CONFIG_* settings to =m, this forces the make process to create "ko" kernel modules. Somewhat a surprise to me is that the kernel modules DO NOT get placed in /lib/modules/2.6.22.19/kernel/ of the firmware image, but I guess this is not a big deal.

These are the ko files created:

./crypto/deflate.ko
./crypto/des.ko
./crypto/md5.ko
./lib/zlib_deflate/zlib_deflate.ko
./lib/zlib_inflate/zlib_inflate.ko
./net/ipv4/ah4.ko
./net/ipv4/esp4.ko
./net/ipv4/ipcomp.ko
./net/ipv4/tunnel4.ko
./net/ipv4/xfrm4_mode_beet.ko
./net/ipv4/xfrm4_mode_transport.ko
./net/ipv4/xfrm4_mode_tunnel.ko
./net/ipv4/xfrm4_tunnel.ko
./net/ipv6/ah6.ko
./net/ipv6/esp6.ko
./net/ipv6/ipcomp6.ko
./net/ipv6/tunnel6.ko
./net/ipv6/xfrm6_mode_beet.ko
./net/ipv6/xfrm6_mode_transport.ko
./net/ipv6/xfrm6_mode_tunnel.ko
./net/ipv6/xfrm6_tunnel.ko
./net/xfrm/xfrm_user.ko

I tried to load these (via insmod) on the router, and since they were built for the router, they should not say "invalid module format".

The following is a list of the ones with this problem:

insmod: can't insert 'tunnel4.ko': invalid module format
insmod: can't insert 'tunnel6.ko': invalid module format
insmod: can't insert 'zlib_deflate.ko': invalid module format
insmod: can't insert 'zlib_inflate.ko': invalid module format
insmod: can't insert 'xfrm6_tunnel.ko': invalid module format

Next, the old "Resource temporarily unavailable" error. We have seen these before. Now, I wonder if they are also corrupted?

insmod: can't insert 'ah4.ko': Resource temporarily unavailable
insmod: can't insert 'esp4.ko': Resource temporarily unavailable
insmod: can't insert 'ipcomp.ko': Resource temporarily unavailable
insmod: can't insert 'xfrm4_tunnel.ko': Resource temporarily unavailable
insmod: can't insert 'xfrm_user.ko': Cannot allocate memory

Finally, although I didn't need these as they are for IPV6, I checked them anyway with insmod and found the same error as for the INET ones.

insmod: can't insert 'ah6.ko': Resource temporarily unavailable
insmod: can't insert 'esp6.ko': Resource temporarily unavailable
insmod: can't insert 'ipcomp6.ko': Resource temporarily unavailable

So my latest theory is these "ko" files are not compiled correctly. Perhaps wrong flags to the compiler or something else, but maybe corrupted.