Strongswan package from Entware on Asuswrt-Merlin?

insmod commands:

insmod: can't insert 'tunnel4.ko': invalid module format
insmod: can't insert 'tunnel6.ko': invalid module format
insmod: can't insert 'zlib_deflate.ko': invalid module format
insmod: can't insert 'zlib_inflate.ko': invalid module format
insmod: can't insert 'xfrm6_tunnel.ko': invalid module format

errors in dmesg:

tunnel4: exports duplicate symbol xfrm4_tunnel_deregister (owned by kernel)
tunnel6: exports duplicate symbol xfrm6_tunnel_deregister (owned by kernel)
zlib_deflate: exports duplicate symbol zlib_deflateReset (owned by kernel)
zlib_inflate: exports duplicate symbol zlib_inflateIncomp (owned by kernel)
xfrm6_tunnel: exports duplicate symbol xfrm6_tunnel_free_spi (owned by kernel)

If a kernel module is using a duplicate symbol owned by the kernel, then that kernel module can never be loaded. I wonder if this is the problem?

The bottom line is if we can get the following kernel modules to load, then we are golden. But this remains the proverbial brick wall. These 5 kernel modules are the only ones we need for IPsec. They are: ah4.ko, esp4.ko, ipcomp.ko, xfrm4_tunnel.ko, and xfrm_user.ko. Nothing else really matters.

Code:
insmod: can't insert 'ah4.ko': Resource temporarily unavailable
ip ah init: can't add xfrm type

insmod: can't insert 'esp4.ko': Resource temporarily unavailable
ip esp init: can't add xfrm type

insmod: can't insert 'ipcomp.ko': Resource temporarily unavailable
ipcomp init: can't add xfrm type

insmod: can't insert 'xfrm4_tunnel.ko': Resource temporarily unavailable
ipip init: can't add xfrm type

insmod: can't insert 'xfrm_user.ko': Cannot allocate memory
Initializing XFRM netlink socket
 
If a kernel module is using a duplicate symbol owned by the kernel, then that kernel module can never be loaded. I wonder if this is the problem?

This means the module(s) are already built into the kernel.
 
YAHOO! I got it working!!!

This was the one I was missing:
CONFIG_INET_XFRM_TUNNEL=m

In the end, use the diff I posted earlier for config_base, then add these other ones. They may not be needed but by the time I got to the last one above (I was adding these one by one), I am in no mood to take anything out now that it works.

CONFIG_IP_ROUTE_VERBOSE=m
CONFIG_INET_XFRM_TUNNEL=m <--- this one did it
CONFIG_INET_TUNNEL=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m
 
The order to load the modules is important. Load them in this order:
ah4
esp4
ipcomp
tunnel4
xfrm4_tunnel
xfrm_user

I will test Strongswan over the next couple of days.
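The load order above, as an added example that is not code from the thread, from Entware or from Asuswrt-Merlin: a small sh script that loads the six modules in that order, skips the ones lsmod already shows, stops at the first insmod that fails (so the dependency error is visible instead of buried), and can check /proc/crypto for an algorithm name before strongswan tries to install an SA that uses it. The module names and order are the post's; the directory layout under /lib/modules, calling busybox insmod with a full path, and the /proc/crypto check are assumptions. Everything that touches the system is overridable so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example: load the IPsec (xfrm) modules in dependency order.
# Not code from the thread, Entware or Asuswrt-Merlin.

# Order from the thread.  ASSUMPTION: parents come before children; the
# only edge the thread actually demonstrates is xfrm4_tunnel -> tunnel4.
IPSEC_MODULE_ORDER="${IPSEC_MODULE_ORDER:-ah4 esp4 ipcomp tunnel4 xfrm4_tunnel xfrm_user}"
MODDIR="${MODDIR:-/lib/modules/$(uname -r)/kernel}"   # where the .ko files live (assumed layout)
INSMOD="${INSMOD:-/sbin/insmod}"                       # overridable for dry runs

# lsmod_text -> output of lsmod, or $LSMOD_TEXT when set (for offline testing).
lsmod_text() {
    if [ -n "${LSMOD_TEXT+x}" ]; then printf '%s\n' "$LSMOD_TEXT"; else lsmod; fi
}

# is_loaded NAME -> success if NAME is the first column of an lsmod line.
is_loaded() {
    lsmod_text | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# needed_modules -> modules from IPSEC_MODULE_ORDER not yet loaded, in order.
needed_modules() {
    for m in $IPSEC_MODULE_ORDER; do
        is_loaded "$m" || printf '%s\n' "$m"
    done
}

# find_module NAME -> path of NAME.ko under MODDIR; fails if absent
# (absent usually means the option is =y, built in, or was never built).
find_module() {
    p=$(find "$MODDIR" -name "$1.ko" 2>/dev/null | head -n 1)
    [ -n "$p" ] && printf '%s\n' "$p"
}

# load_missing -> insmod each needed module in order, stopping at the first
# failure so the real error (e.g. an unknown symbol) is the last thing seen.
load_missing() {
    for m in $(needed_modules); do
        path=$(find_module "$m") || { echo "load_missing: $m.ko not found under $MODDIR" >&2; return 2; }
        if "$INSMOD" "$path"; then
            echo "loaded $m"
        else
            echo "load_missing: insmod $path failed; check dmesg" >&2
            return 1
        fi
    done
}

# crypto_alg_present NAME [FILE] -> success if FILE (default /proc/crypto)
# registers an algorithm with exactly that name.  The thread's config builds
# sha256/sha512/null crypto as modules, and a module that is not loaded does
# not show up here.
crypto_alg_present() {
    awk -v want="$1" '$1 == "name" && $3 == want { found = 1 } END { exit !found }' "${2:-/proc/crypto}"
}

# Stand-alone use on the router (as root), before starting strongswan:
#   sh ipsec-modules.sh && crypto_alg_present sha256 && ipsec start
if [ "${0##*/}" = "ipsec-modules.sh" ]; then
    load_missing
fi
```

Run it once before `ipsec start`; a module that is already built into the kernel simply has no .ko and is reported as such, which is the same situation the "exports duplicate symbol (owned by kernel)" errors earlier in the thread describe.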
 
This was the one I was missing:
CONFIG_INET_XFRM_TUNNEL=m

Nice :)

Did you have to set anything to "y", or is everything compilable as modules? If it's the latter, I can put the modules up for download on my site.
 
Two settings must be =y, the rest can be =m

< CONFIG_XFRM=y
< CONFIG_IPV6=y

< CONFIG_XFRM_USER=m
< CONFIG_NETFILTER_XT_MATCH_POLICY=m
< CONFIG_NET_KEY=m
< CONFIG_IP_ROUTE_VERBOSE=m
< CONFIG_INET_AH=m
< CONFIG_INET_ESP=m
< CONFIG_INET_IPCOMP=m
< CONFIG_INET_XFRM_TUNNEL=m
< CONFIG_INET_TUNNEL=m
< CONFIG_INET_XFRM_MODE_TRANSPORT=m
< CONFIG_INET_XFRM_MODE_TUNNEL=m
< CONFIG_INET_XFRM_MODE_BEET=m
< CONFIG_INET6_AH=m
< CONFIG_INET6_ESP=m
< CONFIG_INET6_IPCOMP=m
< CONFIG_INET6_XFRM_TUNNEL=m
< CONFIG_INET6_TUNNEL=m
< CONFIG_INET6_XFRM_MODE_TRANSPORT=m
< CONFIG_INET6_XFRM_MODE_TUNNEL=m
< CONFIG_INET6_XFRM_MODE_BEET=m
< CONFIG_IPV6_MULTIPLE_TABLES=m
< CONFIG_CRYPTO_NULL=m
< CONFIG_CRYPTO_SHA256=m
< CONFIG_CRYPTO_SHA512=m

If you prefer a diff:

Code:
--- config_base.6
+++ config_base.orig
@@ -281,13 +281,10 @@
 #
 # Networking options
 #
-CONFIG_XFRM=y
-CONFIG_XFRM_USER=m
-CONFIG_NETFILTER_XT_MATCH_POLICY=m
 CONFIG_PACKET=y
 # CONFIG_PACKET_MMAP is not set
 CONFIG_UNIX=y
-CONFIG_NET_KEY=m
+# CONFIG_NET_KEY is not set
 CONFIG_INET=y
 CONFIG_IP_MULTICAST=y
 CONFIG_IP_ADVANCED_ROUTER=y
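Review bot: the file order in the header is reversed (`--- config_base.6` is the modified file, `+++ config_base.orig` the original), so in every hunk the `-` lines are the options being added and the `+` lines are what is being dropped; anyone applying this with `patch` needs `-R`, or the two file names should be swapped. Of the three additions here, `CONFIG_NETFILTER_XT_MATCH_POLICY=m` is the kernel half of the iptables `-m policy` match that comes up later in the thread; the userspace extension still has to be built separately.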
@@ -297,7 +294,7 @@
 CONFIG_IP_MULTIPLE_TABLES=y
 CONFIG_IP_ROUTE_MULTIPATH=y
 # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set
-CONFIG_IP_ROUTE_VERBOSE=m
+# CONFIG_IP_ROUTE_VERBOSE is not set
 # CONFIG_IP_PNP is not set
 # CONFIG_NET_IPIP is not set
 # CONFIG_NET_IPGRE_DEMUX is not set
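Review bot: `CONFIG_IP_ROUTE_VERBOSE` is a bool option in Kconfig, so `=m` is not a valid value; `make oldconfig` will prompt for it and it ends up `y` or unset, never a module. It is also unrelated to IPsec (verbose route monitoring), so either set it `=y` on purpose or drop the line, as the author already suspects it is not needed.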
@@ -309,14 +306,14 @@
 # CONFIG_IP_PIMSM_V2 is not set
 # CONFIG_ARPD is not set
 CONFIG_SYN_COOKIES=y
-CONFIG_INET_AH=m
-CONFIG_INET_ESP=m
-CONFIG_INET_IPCOMP=m
-CONFIG_INET_XFRM_TUNNEL=m
-CONFIG_INET_TUNNEL=m
-CONFIG_INET_XFRM_MODE_TRANSPORT=m
-CONFIG_INET_XFRM_MODE_TUNNEL=m
-CONFIG_INET_XFRM_MODE_BEET=m
+# CONFIG_INET_AH is not set
+# CONFIG_INET_ESP is not set
+# CONFIG_INET_IPCOMP is not set
+# CONFIG_INET_XFRM_TUNNEL is not set
+# CONFIG_INET_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET_XFRM_MODE_BEET is not set
 # CONFIG_INET_DIAG is not set
 CONFIG_TCP_CONG_ADVANCED=y
 # CONFIG_TCP_CONG_BIC is not set
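Review bot: the three `CONFIG_INET_XFRM_MODE_*=m` lines build the transport/tunnel/beet mode modules, but none of them appears in the load-order list given above (ah4, esp4, ipcomp, tunnel4, xfrm4_tunnel, xfrm_user), and nothing in that list pulls them in; either insmod them explicitly before `ipsec start` or build them `=y`. `CONFIG_INET_XFRM_TUNNEL=m` (the option the author found to be the missing one) produces xfrm4_tunnel, which needs tunnel4 loaded first, matching the unknown-symbol error quoted later in the thread; that dependency is worth a comment in the diff.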
@@ -340,25 +337,25 @@
 CONFIG_DEFAULT_TCP_CONG="reno"
 # CONFIG_TCP_MD5SIG is not set
 # CONFIG_IP_VS is not set
-CONFIG_IPV6=y
+# CONFIG_IPV6 is not set
 # CONFIG_IPV6_PRIVACY is not set
 # CONFIG_IPV6_ROUTER_PREF is not set
 # CONFIG_IPV6_ROUTE_INFO is not set
 # CONFIG_IPV6_OPTIMISTIC_DAD is not set
-CONFIG_INET6_AH=m
-CONFIG_INET6_ESP=m
-CONFIG_INET6_IPCOMP=m
+# CONFIG_INET6_AH is not set
+# CONFIG_INET6_ESP is not set
+# CONFIG_INET6_IPCOMP is not set
 # CONFIG_IPV6_MIP6 is not set
-CONFIG_INET6_XFRM_TUNNEL=m
-CONFIG_INET6_TUNNEL=m
-CONFIG_INET6_XFRM_MODE_TRANSPORT=m
-CONFIG_INET6_XFRM_MODE_TUNNEL=m
-CONFIG_INET6_XFRM_MODE_BEET=m
+# CONFIG_INET6_XFRM_TUNNEL is not set
+# CONFIG_INET6_TUNNEL is not set
+# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
+# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
+# CONFIG_INET6_XFRM_MODE_BEET is not set
 # CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
 CONFIG_IPV6_SIT=m
 CONFIG_IPV6_SIT_6RD=y
 # CONFIG_IPV6_TUNNEL is not set
-CONFIG_IPV6_MULTIPLE_TABLES=m
+# CONFIG_IPV6_MULTIPLE_TABLES is not set
 # CONFIG_IPV6_SUBTREES is not set
 # CONFIG_IPV6_MROUTE is not set
 # CONFIG_IPV6_PIMSM_V2 is not set
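Review bot: `CONFIG_IPV6=y` turns on a whole subsystem in the base kernel, and the reply below notes it is already enabled when the router profile has RTCONFIG_IPV6 set; the `CONFIG_INET6_*` and `CONFIG_IPV6_MULTIPLE_TABLES` lines under it are only needed for IPsec over IPv6, which nothing else in the thread exercises. Split them into a separate hunk so the minimal IPv4 change can be reviewed on its own. `CONFIG_IPV6_MULTIPLE_TABLES` is also a bool, so `=m` will not survive oldconfig.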
@@ -1789,12 +1786,12 @@
 CONFIG_CRYPTO_MANAGER=y
 CONFIG_CRYPTO_HMAC=y
 # CONFIG_CRYPTO_XCBC is not set
-CONFIG_CRYPTO_NULL=m
+# CONFIG_CRYPTO_NULL is not set
 # CONFIG_CRYPTO_MD4 is not set
 CONFIG_CRYPTO_MD5=m
 CONFIG_CRYPTO_SHA1=y
-CONFIG_CRYPTO_SHA256=m
-CONFIG_CRYPTO_SHA512=m
+# CONFIG_CRYPTO_SHA256 is not set
+# CONFIG_CRYPTO_SHA512 is not set
 # CONFIG_CRYPTO_WP512 is not set
 # CONFIG_CRYPTO_TGR192 is not set
 # CONFIG_CRYPTO_GF128MUL is not set
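Review bot: `CONFIG_CRYPTO_NULL`, `CONFIG_CRYPTO_SHA256` and `CONFIG_CRYPTO_SHA512` are built as modules here but, like the xfrm mode modules, are missing from the load-order list above; an SA that negotiates one of them cannot be installed while the algorithm is not registered in the kernel, so load them (or build them `=y`) before testing. The hunk says nothing about the cipher side: confirm that config_base already has the cipher strongswan will propose (AES is not in this diff), otherwise add it in the same hunk.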
 
Two settings must be =y, the rest can be =m

< CONFIG_XFRM=y
< CONFIG_IPV6=y

IPV6 is already enabled if the router profile has RTCONFIG_IPV6 enabled.

I will have to look at the potential impact of enabling the other one in the base FW.
 
EDIT: (IGNORE THIS POST - PROBLEM FIXED see post #50)

I need to insmod tunnel4.ko before starting strongswan.
My S90strongswan looks like this. Note the use of PRECMD to run the insmod before starting the program.

Code:
#!/bin/sh

ENABLED=yes
PROCS=ipsec
ARGS=""
PREARGS=""
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PRECMD=/sbin/insmod /tmp/mnt/Entware/modules/linux/linux-2.6/net/ipv4/tunnel4.ko

. /opt/etc/init.d/rc.func

When I start it with "./S90strongswan start", I get a permission denied error.

Code:
# ./S90strongswan start
./S90strongswan: line 9: /tmp/mnt/Entware/modules/linux/linux-2.6/net/ipv4/tunnel4.ko: Permission denied
 Starting ipsec...              failed.

But the file looks fine and I can insmod from shell.

Code:
# ls -al /tmp/mnt/Entware/modules/linux/linux-2.6/net/ipv4/tunnel4.ko
-rw-rw-r--    1 admin    root        119966 Sep 26 11:13 /tmp/mnt/Entware/modules/linux/linux-2.6/net/ipv4/tunnel4.ko
# insmod /tmp/mnt/Entware/modules/linux/linux-2.6/net/ipv4/tunnel4.ko
(no error)

Why ?
 
Code:
# ./S90strongswan start
./S90strongswan: line 9: /tmp/mnt/Entware/modules/linux/linux-2.6/net/ipv4/tunnel4.ko: Permission denied
 Starting ipsec...              failed.

Did you actually put insmod on that line? From the looks of it, you just entered the path to the module without the insmod command.
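The "Permission denied" above, reproduced as an added example (not code from the thread or from Entware): in sh, `NAME=word command` is a temporary variable assignment followed by a command, so `PRECMD=/sbin/insmod /tmp/.../tunnel4.ko` sets PRECMD to `/sbin/insmod` and then tries to execute the .ko file, which has mode -rw-rw-r--, hence the error from the shell rather than from insmod. Quoting the whole value turns it into one assignment that rc.func can run later. A shell function stands in for insmod and a temporary file for the module, so this runs anywhere without root.

```shell
#!/bin/sh
# Added example, not from the thread or Entware: the assignment-vs-command
# pitfall behind "S90strongswan: line 9: .../tunnel4.ko: Permission denied".

# Fake insmod so the demonstration needs no kernel modules or root.
insmod() { echo "insmod called with: $*"; }

# run_unquoted KO -> what the original line did.  "PRECMD=insmod" is a
# prefix assignment; "$1" becomes the command word, so the shell tries to
# exec the module file itself and fails with 126 (found, not executable).
run_unquoted() {
    PRECMD=insmod "$1"
}

# run_quoted KO -> the corrected line: PRECMD holds the whole command
# string, which is later expanded (unquoted on purpose) and executed.
run_quoted() {
    PRECMD="insmod $1"
    $PRECMD
}

# demo -> shows both behaviours side by side on a constructed stand-in
# for tunnel4.ko with the same mode as the listing in the thread.
demo() {
    ko=$(mktemp)
    chmod 0664 "$ko"
    run_unquoted "$ko" && rc=0 || rc=$?
    echo "unquoted form exited with status $rc"
    run_quoted "$ko"
    rm -f "$ko"
}

# Stand-alone: sh precmd-quoting.sh
if [ "${0##*/}" = "precmd-quoting.sh" ]; then
    demo
fi
```

The same rule applies to every `KEY=value` line in an rc.func-style init script: anything containing a space must be quoted, or the remainder of the line is executed as a command with that variable in its environment.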
 
The /tmp/mnt/Entware/entware/etc/init.d/S90strongswan script installed by Entware needs to be modified:

The ipsec program does not know that xfrm4_tunnel.ko depends on tunnel4.ko and you'll get an error
"insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter" if tunnel4.ko is not loaded first.

Change it to this and it works:

My changes are the case block at the end of the script.

Code:
#!/bin/sh

PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

start() {
    ipsec start
}

stop() {
    ipsec stop
}

restart() {
    ipsec restart
}

reload() {
    ipsec update
}

# Load tunnel4 first: xfrm4_tunnel depends on it and ipsec does not know
# to load it. The lsmod check avoids calling insmod for a module that is
# already loaded.
case $1 in
    start)
        lsmod | grep '^tunnel4 ' || insmod tunnel4
        start
        ;;
    stop)
        lsmod | grep '^tunnel4 ' || insmod tunnel4
        stop
        ;;
    restart)
        lsmod | grep '^tunnel4 ' || insmod tunnel4
        restart
        ;;
    reload)
        lsmod | grep '^tunnel4 ' || insmod tunnel4
        reload
        ;;
    *)
        echo -e "$ansi_white Usage: $0 (start|stop|restart|reload)$ansi_std"
        exit 1
        ;;
esac

For those who prefer a diff:

Code:
--- S90strongswan
+++ S90strongswan.orig
@@ -17,26 +17,3 @@
 reload() {
        ipsec update
 }
-
-case $1 in
-       start)
-               lsmod | grep '^tunnel4 ' || insmod tunnel4
-               start
-               ;;
-       stop)
-               lsmod | grep '^tunnel4 ' || insmod tunnel4
-               stop
-               ;;
-       restart)
-               lsmod | grep '^tunnel4 ' || insmod tunnel4
-               restart
-               ;;
-       reload)
-               lsmod | grep '^tunnel4 ' || insmod tunnel4
-               reload
-               ;;
-       *)
-               echo -e "$ansi_white Usage: $0 (start|stop|restart|reload)$ansi_std"
-               exit 1
-               ;;
-esac
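Review bot: the `lsmod | grep '^tunnel4 ' || insmod tunnel4` line is repeated in all four branches and its exit status is ignored, so if insmod fails `start` still runs and ipsec dies later with the unknown-symbol error quoted above. Hoist it into one function called before the `case` for `start` and `restart` only (`stop` and `reload` have no reason to load a module) and exit with insmod's status when it fails. `$ansi_white` and `$ansi_std` in the usage branch are never defined in this script (it does not source rc.func), so they expand to nothing; and as with the config diff the header is reversed (`+++ S90strongswan.orig`), so the `-` lines are the additions.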
 
Too soon to celebrate... Although I can connect to the IPsec VPN, I can't seem to browse any internal websites or connect to the Internet.

In the syslog are errors like this:
Sep 26 19:32:39 RT-N16 syslog: 11[KNL] unable to add SAD entry with SPI c68e42df: Function not implemented (89)
Sep 26 19:32:39 RT-N16 syslog: 11[KNL] unable to add SAD entry with SPI 0b85c034: Function not implemented (89)
Sep 26 19:32:39 RT-N16 syslog: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 26 19:32:39 RT-N16 syslog: 11[KNL] unable to delete SAD entry with SPI 0b85c034: No such process (3)
Sep 26 19:32:39 RT-N16 syslog: 11[IKE] sending DELETE for ESP CHILD_SA with SPI 0b85c034


Still it is progress.
 
The person who put the Strongswan package on Entware repository is ryzhov_al. Is it possible to ask him to compile Strongswan with the following flags?

Code:
--enable-eap-mschapv2 --enable-md4

These are needed for Windows 7 clients to connect to Strongswan and are not enabled by default. It is done through the "configure" command when you compile Strongswan.

I'm not sure how you compile for Broadcom router on a x86-64bit PC, but if I was doing it on the PC for the PC, the commands are straight-forward:

Code:
(these commands are only for compiling on PC to run on the PC)
$ ./configure --prefix=/usr --sysconfdir=/etc --enable-eap-mschapv2 --enable-md4
$ make
$ sudo make install

But in this case, you are compiling for router hardware on PC, so I have no clue how to do it. In any case, the Strongswan needs to be built with:
--enable-eap-mschapv2 --enable-md4 in the configure.

Thank you.
 
I need help with a firewall command. According to this post:
https://forum.openwrt.org/viewtopic.php?pid=186003#p186003

I am supposed to run the following firewall command:
iptables -I INPUT -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

The problem is the post above is for OpenWRT rather than ASUSWRT. The iptables command doesn't work on my router:

# iptables -I INPUT -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
iptables v1.3.8: Couldn't load match `policy':File not found

Try `iptables -h' or 'iptables --help' for more information.

Can someone help me "translate" this to a form more suitable for ASUSWRT? Thank you.
 
I am supposed to run the following firewall command:
iptables -I INPUT -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT

Can someone help me "translate" this to a form more suitable for ASUSWRT? Thank you.

This is trying to use the "policy" netfilter module which you probably don't have.
 
There are no other lines with 'policy' in config_base.

(below command on PC compiling kernel)
$ grep -i policy config_base
CONFIG_NETFILTER_XT_MATCH_POLICY=m

I also confirmed that I can load "xt_policy" module.

(below command on router)
# find /lib -print | grep policy
/lib/modules/2.6.22.19/kernel/net/netfilter/xt_policy.ko
# lsmod | grep xt_policy
# insmod xt_policy
# lsmod | grep xt_policy
xt_policy 3968 0

But the iptables command still does not work:
# iptables -I INPUT -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
iptables v1.3.8: Couldn't load match `policy':File not found

Try `iptables -h' or 'iptables --help' for more information.

What other things can I try? Thanks so much.
 
But the iptables command still does not work:

Code:
# iptables -I INPUT -m policy --strict --dir in --pol ipsec --proto esp -j ACCEPT
iptables v1.3.8: Couldn't load match `policy':File not found

Try `iptables -h' or 'iptables --help' for more information.

Add policy in https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/iptables/extensions/Makefile but be sure to include also the necessary header files in include & recompile.

Had to do the same for owner module on my rt ac66u once.
 
To: krabs

I am a noob, so can you guide me through the process? I definitely do not know how to "include also the necessary header files in include".

Is adding 'policy' just adding a line:
PF_EXT_SLIB+=policy
for example just below line 20 of the Makefile?

Or is there more to it?

Thank you so much.

ADDED: According to this post:
https://forum.openwrt.org/viewtopic.php?pid=146956#p146956

kiddyfurby: the package iptables-mod-ipsec is required or you will get the following errors
iptables v1.4.6: Couldn't load match `policy':File not found

The above post is for OpenWRT. It sounds like this 'policy' can also be added with an ipkg/opkg package. But I didn't see any iptables packages in opkg list.

# opkg list | grep iptables | cut -c 1-80
fwknop - 2.0-1 - Fwknop implements an authorization scheme known as Single Packe
fwknopd - 2.0-1 - Fwknop implements an authorization scheme known as Single Pack
libfko - 2.0-1 - Fwknop implements an authorization scheme known as Single Packe

Would sure be nice if this can be added by adding a opkg package.
 
I added "PF_EXT_SLIB+=policy" and "PF6_EXT_SLIB+=policy" to the Makefile but this didn't fix the problem. I guess it is more complicated than that.

Code:
$ diff -u router/iptables/extensions/Makefile router/iptables/extensions/Makefile.orig
--- router/iptables/extensions/Makefile 2013-09-27 15:22:50.465736995 -0500
+++ router/iptables/extensions/Makefile.orig    2013-09-27 13:29:18.654490177 -0500
@@ -22,12 +22,10 @@
 PF_EXT_SLIB+=hashlimit NFQUEUE
 endif
 PF_EXT_SLIB+=account
-PF_EXT_SLIB+=policy

 ifeq ($(DO_IPV6), 1)
 PF6_EXT_SLIB:=connmark icmp6 length limit mac mark multiport standard state rt hl
 PF6_EXT_SLIB+=tcp udp CONNMARK LOG MARK REJECT IMQ TCPMSS
-PF6_EXT_SLIB+=policy
 ifeq ($(CONFIG_LINUX26),y)
 PF6_EXT_SLIB+=connlimit hashlimit recent NFQUEUE ROUTE HL connbytes
 endif
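Review bot: adding `policy` to PF_EXT_SLIB and PF6_EXT_SLIB only asks the build for libipt_policy/libip6t_policy objects; this hunk brings in no source file or header for them, which is why it changes nothing on the router (the reply below lists the files that have to be copied in). The header is reversed here too (`+++ Makefile.orig` is the second file), so these `-` lines are the additions, and the IPv4 line lands after `account` rather than next to the conntrack entry where the reply suggests it.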
 
I added "PF_EXT_SLIB+=policy" and "PF6_EXT_SLIB+=policy" to the Makefile but this didn't fix the problem. I guess it is more complicated than that.

Try this

delete libipt_policy.c, libipt_policy.man, libip6t_policy.c, libip6t_policy.man
from https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/iptables/extensions

add PF_EXT_SLIB+=policy under conntrack in Makefile

copy libxt_policy.c, libxt_policy.man from https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/iptables-1.4.x/extensions to https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/iptables/extensions

copy xt_policy.h from https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/iptables-1.4.x/include/linux/netfilter to https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/iptables/include/linux/netfilter

copy x_tables.h from https://github.com/RMerl/asuswrt-merlin/blob/master/release/src/router/iptables-1.4.x/include/linux/netfilter/x_tables.h to https://github.com/RMerl/asuswrt-merlin/tree/master/release/src/router/iptables/include

Recompile, but be sure to run make clean first.
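The steps above, scripted as an added example that is not code from the thread, from Entware or from the Asuswrt-Merlin tree: delete the old libipt/libip6t policy sources and man pages, copy libxt_policy.c/.man and xt_policy.h over from the iptables-1.4.x tree, copy x_tables.h into iptables/include (the destination as written above), and add `PF_EXT_SLIB+=policy` once, directly under the conntrack entry in the Makefile. Paths are relative to release/src/router; the "conntrack" anchor is assumed to be a PF_EXT_SLIB line that names conntrack, since the thread does not show that line. The `make clean && make` afterwards is left to you.

```shell
#!/bin/sh
# Added example: port the iptables `policy` match extension into
# release/src/router/iptables.  Not code from the thread or the Merlin tree.

# port_policy_match [ROUTER_DIR] -> 0 on success; 1 if a source file is
# missing or the Makefile line could not be added.  Safe to run twice.
port_policy_match() {
    root="${1:-.}"
    old="$root/iptables"
    new="$root/iptables-1.4.x"
    mk="$old/extensions/Makefile"

    # Step 1: the ipt/ip6t variants would clash with the xt version.
    rm -f "$old/extensions/libipt_policy.c"  "$old/extensions/libipt_policy.man" \
          "$old/extensions/libip6t_policy.c" "$old/extensions/libip6t_policy.man"

    # Steps 2 and 3: copy sources and headers (src:dst, relative to each
    # tree).  x_tables.h goes to iptables/include, as the post says.
    for pair in \
        "extensions/libxt_policy.c:extensions/libxt_policy.c" \
        "extensions/libxt_policy.man:extensions/libxt_policy.man" \
        "include/linux/netfilter/xt_policy.h:include/linux/netfilter/xt_policy.h" \
        "include/linux/netfilter/x_tables.h:include/x_tables.h"; do
        src="$new/${pair%%:*}"
        dst="$old/${pair#*:}"
        [ -f "$src" ] || { echo "port_policy_match: $src not found" >&2; return 1; }
        mkdir -p "$(dirname "$dst")" && cp "$src" "$dst" || return 1
    done

    # Step 4: add the Makefile line once, after the first PF_EXT_SLIB line
    # that names conntrack (ASSUMED anchor; adjust to your Makefile).
    if ! grep -q '^PF_EXT_SLIB+=policy$' "$mk"; then
        awk '{ print } /^PF_EXT_SLIB.*conntrack/ && !done { print "PF_EXT_SLIB+=policy"; done = 1 }' \
            "$mk" > "$mk.tmp" && mv "$mk.tmp" "$mk" || return 1
    fi
    grep -q '^PF_EXT_SLIB+=policy$' "$mk"
}

# policy_line_count MAKEFILE -> number of PF_EXT_SLIB+=policy lines (expect 1).
policy_line_count() {
    grep -c '^PF_EXT_SLIB+=policy$' "$1"
}

# Stand-alone use from release/src/router:
#   sh port-policy-match.sh . && (cd iptables && make clean && make)
if [ "${0##*/}" = "port-policy-match.sh" ]; then
    port_policy_match "${1:-.}"
fi
```

If the Makefile has no PF_EXT_SLIB line mentioning conntrack, the function returns 1 without touching the file; pick the anchor line that matches your checkout rather than appending blindly.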
 
