Strongswan package from Entware on Asuswrt-Merlin?

[chiwalfrm]

After downloading and installing all the strongswan* packages from Entware, I run "ipsec start" and see the following errors:

# ipsec start
Starting strongSwan 5.0.4 IPsec [starter]...
insmod: 'af_key.ko': module not found
no netkey IPsec stack detected
insmod: 'ipsec.ko': module not found
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

So I was asking myself, Is it possible to get these two module files 'af_key.ko' and 'ipsec.ko', put them in a directory, then do a "insmod af_key.ko; insmod ipsec.ko" to load them into the Kernel, then have it work?

At this link which is for tomato firmware:
http://tomato.groov.pl/download/K26RT-N/build5x-112-EN/
there is a file called 'extras-mips2.tar.gz' which is for K26 routers like the RT-N16 I am using. So I downloaded that and extracted its contents.
It has af_key.ko in the ipsec/ directory but not ipsec.ko.
But trying to load af_key.ko has an error anyway:

admin@RT-N16:/tmp/mnt/Entware/ipsec# insmod af_key
insmod: can't insert 'af_key.ko': unknown symbol in module, or unknown parameter

Doing a dmesg shows the unknown symbols:

af_key: Unknown symbol __xfrm_policy_destroy
af_key: Unknown symbol xfrm_count_enc_supported
af_key: Unknown symbol xfrm_state_alloc
af_key: Unknown symbol xfrm_find_acq
af_key: Unknown symbol xfrm_policy_byid
af_key: Unknown symbol xfrm_state_lookup
af_key: Unknown symbol xfrm_state_add
af_key: Unknown symbol xfrm_policy_alloc
af_key: Unknown symbol xfrm_calg_get_byid
af_key: Unknown symbol xfrm_policy_bysel_ctx
af_key: Unknown symbol xfrm_count_auth_supported
af_key: Unknown symbol __xfrm_state_destroy
af_key: Unknown symbol xfrm_ealg_get_byname
af_key: Unknown symbol xfrm_unregister_km
af_key: Unknown symbol xfrm_state_flush
af_key: Unknown symbol xfrm_alloc_spi
af_key: Unknown symbol xfrm_aalg_get_byname
af_key: Unknown symbol xfrm_register_km
af_key: Unknown symbol km_state_notify
af_key: Unknown symbol xfrm_aalg_get_byid
af_key: Unknown symbol km_waitq
af_key: Unknown symbol xfrm_ealg_get_byid
af_key: Unknown symbol xfrm_policy_flush
af_key: Unknown symbol xfrm_ealg_get_byidx
af_key: Unknown symbol xfrm_cfg_mutex
af_key: Unknown symbol xfrm_policy_walk
af_key: Unknown symbol km_policy_notify
af_key: Unknown symbol xfrm_state_update
af_key: Unknown symbol xfrm_policy_insert
af_key: Unknown symbol xfrm_init_state
af_key: Unknown symbol xfrm_calg_get_byname
af_key: Unknown symbol xfrm_find_acq_byseq
af_key: Unknown symbol xfrm_probe_algs
af_key: Unknown symbol xfrm_state_delete
af_key: Unknown symbol xfrm_state_walk
af_key: Unknown symbol xfrm_aalg_get_byidx

And the other file ipsec.ko doesn't exist in the tar.gz file either.

 

[ryzhov_al]

After downloading and installing all the strongswan* packages from Entware, I run "ipsec start" and see the following errors:

Because no appropriate modules is available.

I know some guys using strongswan with Tomato firmware (1, 2).

And the other file ipsec.ko doesn't exist in the tar.gz file either.

Eric?

 

[RMerlin]

Because no appropriate modules is available.

I know some guys using strongswan with Tomato firmware (1, 2).

Eric?

Don't really have the time to recompile a bunch of modules at this time, sorry. I checked, and they aren't compiled by default (which makes sense).

 

[chiwalfrm]

According to a few posts I found googling around, the Linux kernel needs to be compiled with CONFIG_XFRM=Y. (Ref: http://www.dd-wrt.com/phpBB2/viewtopic.php?t=83750) Would this be possible for an experimental build? If it is as simple as changing a flag (CONFIG_XFRM=y in the ./linux-2.6.23/.config file), I mean. I could be a volunteer to test it and report back to the group. Thanks!

Additional References:
http://dd-wrt/changeset/14734

 

[ryzhov_al]

I could be a volunteer to test it and report back to the group.

Ok then. Here is a patch for asuswrt-merlin kernel config and here is cooked modules.

 

[chiwalfrm]

To: ryzhov_al

Thanks! I was looking at the tomato config-base and comparing. Do you think we need to add these lines too?

CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_IPV6_MULTIPLE_TABLES=m

Right now, they are set to:
340:# CONFIG_IPV6 is not set
345:# CONFIG_INET6_AH is not set
346:# CONFIG_INET6_ESP is not set
347:# CONFIG_INET6_IPCOMP is not set
358:# CONFIG_IPV6_MULTIPLE_TABLES is not set

Thank you for the diff.

Below from http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

Required Kernel Modules
Include the following modules:

Networking --->
Networking options --->
Transformation user configuration interface [CONFIG_XFRM_USER]
PF_KEY sockets [CONFIG_NET_KEY]
TCP/IP networking [CONFIG_INET]
IP: advanced router [CONFIG_IP_ADVANCED_ROUTER]
IP: policy routing [CONFIG_IP_MULTIPLE_TABLES]
IP: AH transformation [CONFIG_INET_AH]
IP: ESP transformation [CONFIG_INET_ESP]
IP: IPComp transformation [CONFIG_INET_IPCOMP]
IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]
IP: IPsec tunnel mode [CONFIG_INET_XFRM_MODE_TUNNEL]
IP: IPsec BEET mode [CONFIG_INET_XFRM_MODE_BEET]
The IPv6 protocol ---> [CONFIG_IPV6]
IPv6: AH transformation [CONFIG_INET6_AH]
IPv6: ESP transformation [CONFIG_INET6_ESP]
IPv6: IPComp transformation [CONFIG_INET6_IPCOMP]
IPv6: IPsec transport mode [CONFIG_INET6_XFRM_MODE_TRANSPORT]
IPv6: IPsec tunnel mode [CONFIG_INET6_XFRM_MODE_TUNNEL]
IPv6: IPsec BEET mode [CONFIG_INET6_XFRM_MODE_BEET]
IPv6: Multiple Routing Tables [CONFIG_IPV6_MULTIPLE_TABLES]
Network packet filtering framework (Netfilter) ---> [CONFIG_NETFILTER]
Core Netfilter Configuration --->
Netfilter Xtables support [CONFIG_NETFILTER_XTABLES]
IPsec "policy" match support [CONFIG_NETFILTER_XT_MATCH_POLICY]

 

[ryzhov_al]

Nevermind. Modules is useless without kernel recompilation:

# insmod /opt/lib/modules/2.6.22.19/kernel/net/key/af_key.ko
insmod: can't insert '/opt/lib/modules/2.6.22.19/kernel/net/key/af_key.ko': unknown symbol in module, or unknown parameter

# grep af_key /opt/lib/modules/2.6.22.19/modules.dep
kernel/net/key/af_key.ko:

Please, recompile firmware first.

 

[RMerlin]

Nevermind. Modules is useless without kernel recompilation:

# insmod /opt/lib/modules/2.6.22.19/kernel/net/key/af_key.ko
insmod: can't insert '/opt/lib/modules/2.6.22.19/kernel/net/key/af_key.ko': unknown symbol in module, or unknown parameter

# grep af_key /opt/lib/modules/2.6.22.19/modules.dep
kernel/net/key/af_key.ko:

Please, recompile firmware first.

Could this be related to the order in which you load the modules? If all you changed in the Kernel config was to enable a few modules, then the kernel shouldn't require a recompile.

 

[ryzhov_al]

Could this be related to the order in which you load the modules?

Unfortunately no. af_key.ko has no dependencies, but can't be loaded.

 

[RMerlin]

Unfortunately no. af_key.ko has no dependencies, but can't be loaded.

The insmod output is half useless since it's quite vague. Can you check in dmesg if you have a more specific error message? If it specifies which symbol it cannot resolve, that might give us clues as to what additional module would be needed.

 

[ryzhov_al]

The insmod output is half useless since it's quite vague. Can you check in dmesg if you have a more specific error message? If it specifies which symbol it cannot resolve, that might give us clues as to what additional module would be needed.

# dmesg
…
af_key: Unknown symbol __xfrm_policy_destroy
af_key: Unknown symbol xfrm_count_enc_supported
af_key: Unknown symbol xfrm_state_alloc
af_key: Unknown symbol xfrm_find_acq
af_key: Unknown symbol xfrm_policy_byid
af_key: Unknown symbol xfrm_state_lookup
…

I suspect two things:

1. modules.dep is broken due to incorrect dependencies in kernel code.
2. Kernel needed to be recompiled for ipsec support. Tomato guide(s) starts with af_key.ko loading with no dependencies.

 

[RMerlin]

Check this out:

https://dev.openwrt.org/ticket/12552

 

[ryzhov_al]

Check this out:

https://dev.openwrt.org/ticket/12552

I've seen this before, thank you. It's for kernel 3.3.

 

[chiwalfrm]

I was looking at this file:

https://github.com/RMerl/asuswrt-merlin/blob/master/release/src-rt/linux/linux-2.6/config_base

These appear to be relevant lines:

1. ( from http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules )

***NOT FOUND: CONFIG_XFRM_USER***[1]
287:# CONFIG_NET_KEY is not set
288:CONFIG_INET=y
290:CONFIG_IP_ADVANCED_ROUTER=y
294:CONFIG_IP_MULTIPLE_TABLES=y
309:# CONFIG_INET_AH is not set
310:# CONFIG_INET_ESP is not set
311:# CONFIG_INET_IPCOMP is not set
314:# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
315:# CONFIG_INET_XFRM_MODE_TUNNEL is not set
316:# CONFIG_INET_XFRM_MODE_BEET is not set
340:# CONFIG_IPV6 is not set
345:# CONFIG_INET6_AH is not set
346:# CONFIG_INET6_ESP is not set
347:# CONFIG_INET6_IPCOMP is not set
351:# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
352:# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
353:# CONFIG_INET6_XFRM_MODE_BEET is not set
358:# CONFIG_IPV6_MULTIPLE_TABLES is not set
365:CONFIG_NETFILTER=y
393:CONFIG_NETFILTER_XTABLES=y
***NOT FOUND: CONFIG_NETFILTER_XT_MATCH_POLICY***[1]

2. More lines to change from ryzhov_al's diff ( http://pastebin.com/1Hh6UJwe# )

312:# CONFIG_INET_XFRM_TUNNEL is not set
313:# CONFIG_INET_TUNNEL is not set
349:# CONFIG_INET6_XFRM_TUNNEL is not set
350:# CONFIG_INET6_TUNNEL is not set
1789:# CONFIG_CRYPTO_NULL is not set
1793:# CONFIG_CRYPTO_SHA256 is not set
1794:# CONFIG_CRYPTO_SHA512 is not set
***NOT FOUND: CONFIG_XFRM***[1]

[1] This line was not found in config_base

Is it just a simple matter of setting each of these lines to "=m", then doing a compile or make? I did notice that the top of the config-base file said "# Automatically generated make config: don't edit", so maybe this is not the right file to edit? ryzhov_al's tgz archive (modules-mipsel.tgz) of cooked modules does not contain ipsec.ko so that one is still missing.

Thank you for taking a look. IPsec is a very powerful feature, it would be pretty awesome if this works on the AsusWRT.

 

[RMerlin]

config_base is indeed the correct place to modify what you want compiled. Follow it with a:

make cleankernel
make rt-n66u   (or whichever model you are compiling for)

from inside the appropriate build directory (src-rt, src-rt-6.x, etc...)

Note that config options might vary between kernel versions. Asuswrt is based on either 2.6.22.19 (MIPS) or 2.6.36 (ARM).

 

[chiwalfrm]

I made the changes to config_base (basically the variables mentioned in my last post).

rubble@barney ~/asuswrt-merlin/release/src-rt $ diff ./linux/linux-2.6/config_base ./linux/linux-2.6/config_base.orig
287c287
< CONFIG_NET_KEY=m
---
> # CONFIG_NET_KEY is not set
309,316c309,316
< CONFIG_INET_AH=m
< CONFIG_INET_ESP=m
< CONFIG_INET_IPCOMP=m
< CONFIG_INET_XFRM_TUNNEL=m
< CONFIG_INET_TUNNEL=m
< CONFIG_INET_XFRM_MODE_TRANSPORT=m
< CONFIG_INET_XFRM_MODE_TUNNEL=m
< CONFIG_INET_XFRM_MODE_BEET=m
---
> # CONFIG_INET_AH is not set
> # CONFIG_INET_ESP is not set
> # CONFIG_INET_IPCOMP is not set
> # CONFIG_INET_XFRM_TUNNEL is not set
> # CONFIG_INET_TUNNEL is not set
> # CONFIG_INET_XFRM_MODE_TRANSPORT is not set
> # CONFIG_INET_XFRM_MODE_TUNNEL is not set
> # CONFIG_INET_XFRM_MODE_BEET is not set
340c340
< CONFIG_IPV6=m
---
> # CONFIG_IPV6 is not set
345,347c345,347
< CONFIG_INET6_AH=m
< CONFIG_INET6_ESP=m
< CONFIG_INET6_IPCOMP=m
---
> # CONFIG_INET6_AH is not set
> # CONFIG_INET6_ESP is not set
> # CONFIG_INET6_IPCOMP is not set
349,353c349,353
< CONFIG_INET6_XFRM_TUNNEL=m
< CONFIG_INET6_TUNNEL=m
< CONFIG_INET6_XFRM_MODE_TRANSPORT=m
< CONFIG_INET6_XFRM_MODE_TUNNEL=m
< CONFIG_INET6_XFRM_MODE_BEET=m
---
> # CONFIG_INET6_XFRM_TUNNEL is not set
> # CONFIG_INET6_TUNNEL is not set
> # CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
> # CONFIG_INET6_XFRM_MODE_TUNNEL is not set
> # CONFIG_INET6_XFRM_MODE_BEET is not set
358c358
< CONFIG_IPV6_MULTIPLE_TABLES=m
---
> # CONFIG_IPV6_MULTIPLE_TABLES is not set
368,369d367
< CONFIG_XFRM=m
< CONFIG_XFRM_USER=m
442d439
< CCONFIG_NETFILTER_XT_MATCH_POLICY=m
1792c1789
< CONFIG_CRYPTO_NULL=m
---
> # CONFIG_CRYPTO_NULL is not set
1796,1797c1793,1794
< CONFIG_CRYPTO_SHA256=m
< CONFIG_CRYPTO_SHA512=m
---
> # CONFIG_CRYPTO_SHA256 is not set
> # CONFIG_CRYPTO_SHA512 is not set

Then I ran the make command.

rubble@barney ~/asuswrt-merlin/release/src-rt $ make rt-n16 <--- I typed this in
CONFIGURED MODEL: RT-N16
SPECIFIED MODEL: RT-N16
----------------------------------------------------------------------------
Clean old model configuration
Update model configuration
...
*
Packet socket (PACKET) [Y/n/m/?] y
Packet socket: mmapped IO (PACKET_MMAP) [N/y/?] n
Unix domain sockets (UNIX) [Y/n/m/?] y
Transformation user configuration interface (XFRM_USER) [M/n/y/?] m
Transformation sub policy support (EXPERIMENTAL) (XFRM_SUB_POLICY) [N/y/?] (NEW) <--- I press Enter
Transformation migrate database (EXPERIMENTAL) (XFRM_MIGRATE) [N/y/?] (NEW) <--- I press Enter
PF_KEY sockets (NET_KEY) [M/n/y/?] m
PF_KEY MIGRATE (EXPERIMENTAL) (NET_KEY_MIGRATE) [N/y/?] (NEW) <--- I press Enter
TCP/IP networking (INET) [Y/n/?] y
IP: multicasting (IP_MULTICAST) [Y/n/?] y
IP: advanced router (IP_ADVANCED_ROUTER) [Y/n/?] y
Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure)
> 1. FIB_HASH (ASK_IP_FIB_HASH)
...
"iprange" address range match support (NETFILTER_XT_MATCH_IPRANGE) [Y/n/m/?] y
"length" match support (NETFILTER_XT_MATCH_LENGTH) [M/n/y/?] m
"limit" match support (NETFILTER_XT_MATCH_LIMIT) [Y/n/m/?] y
"mac" address match support (NETFILTER_XT_MATCH_MAC) [Y/n/m/?] y
"mark" match support (NETFILTER_XT_MATCH_MARK) [Y/n/m/?] y
IPsec "policy" match support (NETFILTER_XT_MATCH_POLICY) [N/m/y/?] (NEW) m <--- I enter 'm' here
Multiple port match support (NETFILTER_XT_MATCH_MULTIPORT) [Y/n/m/?] y
"pkttype" packet type match support (NETFILTER_XT_MATCH_PKTTYPE) [N/m/y/?] n
"quota" match support (NETFILTER_XT_MATCH_QUOTA) [M/n/y/?] m
"realm" match support (NETFILTER_XT_MATCH_REALM) [N/m/y/?] n
"recent" match support (NETFILTER_XT_MATCH_RECENT) [Y/n/m/?] y
...
CC [M] crypto/sha256.o
CC [M] crypto/sha512.o
LD [M] drivers/net/wl/wl.o
Building modules, stage 2.
MODPOST 214 modules
ERROR: "ip_conntrack_ipct_add" [net/ipv6/netfilter/nf_conntrack_ipv6.ko] undefined!
make[5]: *** [__modpost] Error 1
make[4]: *** [modules] Error 2
make[4]: Leaving directory `/home/rubble/asuswrt-merlin/release/src-rt/linux/linux-2.6'
make[3]: *** [kernel] Error 2
make[3]: Leaving directory `/home/rubble/asuswrt-merlin/release/src/router'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/rubble/asuswrt-merlin/release/src-rt'
make[1]: *** [bin] Error 2
make[1]: Leaving directory `/home/rubble/asuswrt-merlin/release/src-rt'
make: *** [rt-n16] Error 2
rubble@barney ~/asuswrt-merlin/release/src-rt $

 

[chiwalfrm]

Using '=m' is the problem. I changed them to '=y' and it compiled. I will report back later.

 

[chiwalfrm]

Merlin, there are four src* directories, can you tell me what the differences are between them? I am working in src-rt and my router is RT-N16. Thank you

src/
src-rt/
src-rt-6.x/
src-rt-6.x.4708/

 

[RMerlin]

Merlin, there are four src* directories, can you tell me what the differences are between them? I am working in src-rt and my router is RT-N16. Thank you

src/
src-rt/
src-rt-6.x/
src-rt-6.x.4708/

src is the common directory - you should not build from it.
src-rt is SDK5, used by the RT-N16, and previously the RT-N66U
src-rt-6.x is SDK6, used by new RT-N66U and RT-AC66U
src-rt-6.x.4708 is for BCM4708-based devices, such as RT-AC56U and RT-AC68U.

 

[chiwalfrm]

With the compiled firmware based on the git master (RT-N16_3.0.0.4_374.33_beta3.trx) plus my changes above...

# ipsec start
Starting strongSwan 5.0.4 IPsec [starter]...
insmod: 'ah4.ko': module not found
insmod: 'esp4.ko': module not found
insmod: 'ipcomp.ko': module not found
insmod: 'xfrm4_tunnel.ko': module not found
insmod: 'xfrm_user.ko': module not found

I have these modules from the tgz provided by ryzhov_al, so I extracted them into a directory then typed:

# insmod ah4.ko
insmod: can't insert 'ah4.ko': Resource temporarily unavailable
# insmod esp4.ko
insmod: can't insert 'esp4.ko': Resource temporarily unavailable
# insmod ipcomp.ko
insmod: can't insert 'ipcomp.ko': Resource temporarily unavailable
# insmod xfrm4_tunnel.ko
insmod: can't insert 'xfrm4_tunnel.ko': Resource temporarily unavailable
# insmod xfrm_user.ko
insmod: can't insert 'xfrm_user.ko': Cannot allocate memory

in dmesg:

ip ah init: can't add xfrm type
ip esp init: can't add xfrm type
ipcomp init: can't add xfrm type
ipip init: can't add xfrm type
Initializing XFRM netlink socket

I do not believe I have a memory issue, lots of free memory left.

# free
total used free shared buffers
Mem: 126308 58468 67840 0 7136
-/+ buffers: 51332 74976
Swap: 131064 0 131064