kernel with ipsec support

[kurt2000]

Hey

It would be nice if the kernel was compiled with ipsec support, so that we could use strongswan for vpn.

Wkr.

[RandomUsername]

+1. There are already a few posts about this. I don't think I've ever seen a reason from Excito as to why this wouldn't be possible.

[kurt2000]

Well yeah, it's kind off stupid.

I bricked 1 b3 in the process, it should have been enabled from the beggining, especially when you consider that the chip has a good hardware crypto engine, that they already enabled in the running kernel.

I tried the guruplug server plus with strongswan, and it was quite good at doing ipsec.

the b3 have far better network performance as a router compare to a device like the ZyXEL usg20W.

wkr.

[kurt2000]

Hi excito & Co

I've compiled a new kernel with ipsec enabled. Some off the settings should be compiled as a module, so that strongswan would start.

I made a iperf test that showed that the device was capable of delivering 30 mbit/s aes128 encryption, and probably more. It maxed out our 1000$ zyxel usg300.

I think it could go a little higher if i had a decent vpn other than the usg300.

I can make a writeup, if anyone wish.

Wkr.

[Moloko]

I can make a writeup, if anyone wish.

Yes please! Me wish!

[RandomUsername]

If it works that well we should really petition Excito to include it in a future update. I'd be interested to see how someone gets on with a B2 using this.

[kurt2000]

Hi

I switched to another vpn gateway than the usg300. The other gateway is a ubuntu virtual machine running on a fast esx, and i know it is capable of delivering 80mbit ipsec throughput.

With the new gateway i was able to pull 40 mbit on iperf with tcp windows size at 16kb. So i guess that it's the limit of this arm cpu, which is very nice indeed.

The kernel config should be changed by excito, so i don't have to make a new kernel next time excito make a update.

I can deliver the necessary patch to .config

Wkr.

[Ubi]

did you email them about this?

[kurt2000]

nope, they dont read the feature request forum ?

[Ubi]

not always

[kurt2000]

Lol, that makes sense.

Request a feature, we dont read them

I've requested a login for the wiki, so i can make a writeup.

Wkr.

[tor]

Hi kurt2000 and others,

Surely we read the forum, unfortunately not as frequently as we would like though.

Kurt, since you requested a wiki-account i assume you are going to write a Howto. Thats super.

And there is, probably nothing stopping us for including this in a future kernel upgrade.

/Tor

[RandomUsername]

And there is, probably nothing stopping us for including this in a future kernel upgrade.
/Tor

Yes please!

[kurt2000]

Hi kurt2000 and others,

Surely we read the forum, unfortunately not as frequently as we would like though.

Kurt, since you requested a wiki-account i assume you are going to write a Howto. Thats super.

And there is, probably nothing stopping us for including this in a future kernel upgrade.

/Tor

Nice ! A little noise is all it takes

I've made a real quick writeup off the steps for those who can't wait for the official update.
http://wiki.excito.org/wiki/index.php/U ... _H%C3%B8st

The only reason for doing it on my user page is, that i'm a wiki NooB that dont know how to create a new page that i can link to.

Tor, as you can se the changes to the .config is not overhelming. Please don't make a new kernel without theese 2 modules, so everyone that want's to use ipsec on your pretty little thing, have to do it all over again when you create a new kernel with modules.

Wkr & happy coding holidays !

[RandomUsername]

I thought I'd have a go at this on my Bubba 2 but am stumbling at this hurdle:

Make a .config :

# make bubba3_defconfig

I'm not much of an expert at compiling kernels and so on so can someone tell me what I should be putting here on a B2?

Thanks.

[EDIT] I have downloaded and unpacked the B2 kernel and not the B3 one, just to clarify.