Strongswan package from Entware on Asuswrt-Merlin?

[chiwalfrm]

To: ryzhov_al

Is it possible for you for compile an older version of Strongswan for me? The one in the Entware repo is version 5.0.4-1. This version compared with version 4 is a major update, and has more complex requirements in terms of kernel modules than the older version.

The last version 4.x is 4.6.4 and the source code can be downloaded from:
http://download.strongswan.org/strongswan-4.6.4.tar.bz2

Thank you very much.

 

[MercuryV]

chiwalfrm, you can try 4.5.3
see strongswan4* packages here or here

 

[saintdev]

To: ryzhov_al

Is it possible for you for compile an older version of Strongswan for me? The one in the Entware repo is version 5.0.4-1. This version compared with version 4 is a major update, and has more complex requirements in terms of kernel modules than the older version.

I wouldn't say it really has that much more complex kernel requirements. 5.0 explicitly requires 4 extra modules (xfrm_user, xfrm4_mode_tunnel, xfrm4_mode_transport, xfrm4_mode_beet). These modules are probably required by 4.x anyway (at the very least xfrm_user most likely is).

Personally, I would like to see 5.1.0 added. The 2.6.22 kernel used by the MIPS routers (N66/AC66) only has support for SHA-1 HMAC. Support for SHA-2 and other hashes for HMAC weren't added until a later kernel (they're available for the 4708 based routers). strongSwan 5.1.0 adds a userspace tun/tap based libipsec that doesn't rely on the kernel implementation. This would allow use of the stronger algorithms on the MIPS routers, along with the more efficient authenc cipher modes like gcm/ccm.

 

[RMerlin]

I wouldn't say it really has that much more complex kernel requirements. 5.0 explicitly requires 4 extra modules (xfrm_user, xfrm4_mode_tunnel, xfrm4_mode_transport, xfrm4_mode_beet). These modules are probably required by 4.x anyway (at the very least xfrm_user most likely is).

Did you actually get a tunnel configured and working with the current Git snapshot BTW?

 

[saintdev]

Did you actually get a tunnel configured and working with the current Git snapshot BTW?

Yes. I've been using the Android client to test with, so my testing has been limited.

There are a couple issues I've encountered, though.

You can successfully establish a connection from the internal network using the external IP, but no data packets are received by the client (packets transmitted from the client seem to make it to the server). I suspect this is because strongSwan sees a connection come in on the external interface, it continues to use that interface for the connection. Then when it calls the automatic firewall script it only allows IPsec traffic on the external interface, not the bridge interface. It's also possible it's some routing strangeness. I was going to test connecting on the internal interface. I like how OpenVPN knows to reply on the internal interface when a connection attempt comes from there.

Sometimes when switching external networks (cellular->wifi for example), you will end up with a similar situation to above where no packets are received by the client. MOBIKE should take care of this, but appears to fail sometimes. Reconnecting fixes it sometimes.

I have not had time to debug either of these issues. As far as the strongSwan logs are concerned the server and client are successfully connected. So it is most likely routing or iptables that is the issue.

 

[Lukapple]

Strongswan entware merlin-wrt no packages sent/received

Hi guys.
I'm running strongswan(optware) on asus RT-AC66U, v3.0.0.4.374.34_2.
I can connect to server with my iPhone, but I can't access LAN (I can't ping LAN computers).
Did anyone get this to work on iOS device ?

 

[v1k0d3n]

YAHOO! I got it working!!!

This was the one I was missing:
CONFIG_INET_XFRM_TUNNEL=m

In the end, use the diff I posted earlier for config_base, then add these other ones. They may not be needed but by the time I got to the last one above (I was adding these one by one), I am in no mood to take anything out now that it works.

CONFIG_IP_ROUTE_VERBOSE=m
CONFIG_INET_XFRM_TUNNEL=m <--- this one did it
CONFIG_INET_TUNNEL=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m

I'm really sorry for bringing up this thread again (I know it's old and I hate to be "that guy"), but where did you end up making your edits? I think I need to make these important changes as well.

 

[v1k0d3n]

Crap, I didn't realize there were so many pages of posts. Man, I really wish this was working. Seems like a pretty important feature to have for some of us tech (yet not linux/rt kernel compliers) folks out there. I haven't really recompiled a kernel since FreeBSD 5.9 or something like that! I've been wanting to set up some sort of IPSEC tunnel to a Cisco (lab) router for a long time, but just started looking at it this week.

Oh well...I guess I'll have to think of something else until it's working. I have so many other projects that I have to complete before I'd really get the time to deep dive into this and contribute anything beyond what's already been done.

(answered my own earlier [dumb] question though).

 

[RMerlin]

Crap, I didn't realize there were so many pages of posts. Man, I really wish this was working. Seems like a pretty important feature to have for some of us tech (yet not linux/rt kernel compliers) folks out there. I haven't really recompiled a kernel since FreeBSD 5.9 or something like that! I've been wanting to set up some sort of IPSEC tunnel to a Cisco (lab) router for a long time, but just started looking at it this week.

The kernel is already compiled with these two modules.

merlin@mint-dev ~/asuswrt/release $ cat src-rt/linux/linux-2.6/.config | grep CONFIG_INET_XFRM_TUNNEL
CONFIG_INET_XFRM_TUNNEL=m

merlin@mint-dev ~/asuswrt/release $ cat ~/asuswrt.ac68/release/src-rt-6.x.4708/linux/linux-2.6/.config | grep CONFIG_INET_XFRM_TUNNEL
CONFIG_INET_XFRM_TUNNEL=m

 

[v1k0d3n]

The kernel is already compiled with these two modules.

merlin@mint-dev ~/asuswrt/release $ cat src-rt/linux/linux-2.6/.config | grep CONFIG_INET_XFRM_TUNNEL
CONFIG_INET_XFRM_TUNNEL=m

merlin@mint-dev ~/asuswrt/release $ cat ~/asuswrt.ac68/release/src-rt-6.x.4708/linux/linux-2.6/.config | grep CONFIG_INET_XFRM_TUNNEL
CONFIG_INET_XFRM_TUNNEL=m

oh, well this must be another issue then? what lead me to this thread was this output:

Starting strongSwan 5.1.3 IPsec [starter]...
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ah4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/esp4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ipcomp.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/xfrm/xfrm_user.ko': File exists

 

[v1k0d3n]

mainly...

insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter

 

[RMerlin]

oh, well this must be another issue then? what lead me to this thread was this output:

Starting strongSwan 5.1.3 IPsec [starter]...
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ah4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/esp4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ipcomp.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': unknown symbol in module, or unknown parameter
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/xfrm/xfrm_user.ko': File exists

You need to insmod tunnel4.ko before xfrm4_tunnel.ko.

 

[v1k0d3n]

You need to insmod tunnel4.ko before xfrm4_tunnel.ko.

I'm so sorry for being dumb here...ok, so i found the post #50 and that seemed to get rid of the xfrm4_tunnel.ko error, but i'm still getting these and the strongswan startup still craps out. do i need to go through recompiling etc? i'm going to be lost without some documentation on this.

admin@RT-AC66R:/tmp/mnt/entware/entware/etc/init.d# ipsec start
Starting strongSwan 5.1.3 IPsec [starter]...
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ah4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/esp4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ipcomp.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/xfrm/xfrm_user.ko': File exists
admin@RT-AC66R:/tmp/mnt/entware/entware/etc/init.d#

?

 

[RMerlin]

I'm so sorry for being dumb here...ok, so i found the post #50 and that seemed to get rid of the xfrm4_tunnel.ko error, but i'm still getting these and the strongswan startup still craps out. do i need to go through recompiling etc? i'm going to be lost without some documentation on this.

admin@RT-AC66R:/tmp/mnt/entware/entware/etc/init.d# ipsec start
Starting strongSwan 5.1.3 IPsec [starter]...
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ah4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/esp4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ipcomp.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/xfrm/xfrm_user.ko': File exists
admin@RT-AC66R:/tmp/mnt/entware/entware/etc/init.d#

?

Those are not error message, those are simply telling you that the modules are already loaded. You should be able to see them if you use lsmod.

 

[v1k0d3n]

Those are not error message, those are simply telling you that the modules are already loaded. You should be able to see them if you use lsmod.

Hmmm...yeah, I understand that, but the service isn't loading still. Thought that this may be part of the reason why the service never actually starts.

 

[v1k0d3n]

This just doesn't seem to be very easy to do for the common man (and by common, i mean anyone outside of being a linux or asus-rt/tomato/dd-wrt expert). Hats off for anyone who can figure this out on their own!

Starter appeared to work fine when the "ipsec start" command was issued after the modules were unloaded manually (just as a test). I figured "let's see if this even works". Well, here's what happened:

admin@RT-AC66R:/tmp/home/root# rmmod ah4
admin@RT-AC66R:/tmp/home/root# rmmod esp4
admin@RT-AC66R:/tmp/home/root# rmmod ipcomp
admin@RT-AC66R:/tmp/home/root# rmmod xfrm4_tunnel
admin@RT-AC66R:/tmp/home/root# rmmod xfrm_user
admin@RT-AC66R:/tmp/home/root# 
admin@RT-AC66R:/tmp/home/root# ipsec restart
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.1.3 IPsec [starter]...
admin@RT-AC66R:/tmp/home/root#

So here, I'm thinking "great!"

admin@RT-AC66R:/tmp/home/root# ipsec status
admin@RT-AC66R:/tmp/home/root# ipsec statusall
admin@RT-AC66R:/tmp/home/root#

Ok, so that's strange...

admin@RT-AC66R:/tmp/home/root# ipsec reload
Reloading strongSwan IPsec configuration...
admin@RT-AC66R:/tmp/home/root#

I'm baffled. Then I tried to start again...

admin@RT-AC66R:/tmp/home/root# ipsec start
Starting strongSwan 5.1.3 IPsec [starter]...
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ah4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/esp4.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/ipcomp.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/ipv4/xfrm4_tunnel.ko': File exists
insmod: can't insert '/lib/modules/2.6.22.19/kernel/net/xfrm/xfrm_user.ko': File exists
starter is already running (/var/run/starter.charon.pid exists) -- no fork done
admin@RT-AC66R:/tmp/home/root# ipsec stop
Stopping strongSwan IPsec failed: starter is not running

Great...now I'm just plain baffled.

Can anyone explain how they got this working, if at all? This is really confusing the crap out of me. What ipsec/strongswan script is trying to "reload" these modules each time? It doesn't appear to be anything that I am configuring manually (secrets.config/swan.config/ipsec.config). Can I just remove these modules statements?

 

[Xerxist]

Why not try to get this to work with the chrooted environment? And follow this guide.

http://danielpocock.com/strongswan-debian-rhel-fedora-with-android-client

Sent from my SM-G900F using Tapatalk

 

[v1k0d3n]

Not sure if that applies? I'm using the same working configuration files on CentOS and they're working fine. The VPN tunnel I'm trying to establish is a IKEv1 tunneled VPN to a Cisco IOS device (annoying because IOS NOW means Apple to anyone not in network or network security), and my tunnel seems fine in that experiment. I did change some logging options, and this is what I get. It may be wise to start a new thread with this information?

Jun  5 01:49:22 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 2.6.22.19, mips)
Jun  5 01:49:22 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
Jun  5 01:49:22 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
Jun  5 01:49:22 00[LIB] failed to load 2 critical plugin features
Jun  5 01:49:22 00[LIB] unloading plugin 'charon' without loaded features
Jun  5 01:49:22 00[DMN] initialization failed - aborting charon
admin@RT-AC66R:/tmp/mnt/entware/entware/var/log#

Here's a sample of my working configuration...(edits to come in a second)...

[root@nameless_host ~]# strongswan status
Security Associations (1 up, 0 connecting):
       cisco[20]: ESTABLISHED 17 seconds ago, [LOCAL_NAT][[LOCAL_IP]]...[REMOTE_IP][[REMOTE_IP]]
[root@nameless_host ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.1.3, Linux 2.6.32-431.17.1.el6.i686, i686):
  uptime: 18 minutes, since Jun 05 08:57:46 2014
  malloc: sbrk 270336, mmap 0, used 223448, free 46888
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 42
  loaded plugins: charon curl aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam dhcp
Listening IP addresses:
  [LOCAL_NAT]
Connections:
       cisco:  [LOCAL_NAT]...[REMOTE_IP]  IKEv1
       cisco:   local:  [[LOCAL_IP]] uses pre-shared key authentication
       cisco:   remote: [[REMOTE_IP]] uses pre-shared key authentication
       cisco:   child:  [LOCAL_NET]/16 === [REMOTE_NET]/8 TUNNEL
Security Associations (1 up, 0 connecting):
       cisco[20]: ESTABLISHED 21 seconds ago, [LOCAL_NAT][[LOCAL_IP]]...[REMOTE_IP][[REMOTE_IP]]
       cisco[20]: IKEv1 SPIs: blah_blah_blah_blah_blah_blah_bitty_blah, pre-shared key reauthentication in 23 hours
       cisco[20]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[root@nameless_host ~]#

This was the page where I found the instructions. Cisco is usually pretty good with their documentation:
http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

 

[Xerxist]

I'm on a AC68U so I would have to use a chrooted environment as optware or entware doesn't have strongswan for that. But what i mean is load the kernel modules and use the Debian chroot for ac66 or in my case the one i created for the ac68 and try running it from there.

Not sure if Merlin has those kernel modules for the AC68 otherwise I'll give it a try.

Sent from my SM-G900F using Tapatalk

 

[v1k0d3n]

I'm on a AC68U so I would have to use a chrooted environment as optware or entware doesn't have strongswan for that. But what i mean is load the kernel modules and use the Debian chroot for ac66 or in my case the one i created for the ac68 and try running it from there.

Not sure if Merlin has those kernel modules for the AC68 otherwise I'll give it a try.

Sent from my SM-G900F using Tapatalk

ok, one step forward and two steps back again...i'm confused. optware has older strongswan packages. something 4.x something. entware appears to have 5.1.3 and it seems to install fine. so do things need to be rebuilt? i think everyone is getting exhausted on this topic (and i feel bad for beating a dead horse, but it doesn't quite seem solved to me; or at least as far as a simple solution). i just want to create a GRE tunnel over IPSEC to talk with a Cisco device so that way I have a constant up tunnel as opposed to using an IPSEC client all the time. it would make my life massively easier for lab development work.