
IPsec HowTo

A collection of tips on howto tweak your Bubba.
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

IPsec HowTo

Post by Gordon »

Yes, I know there is a Wiki on this, but this is something else and I should probably therefore call it (Yet) Another IPsec HowTo. I won't, and I will also not write my own Wiki on this because frankly I cannot be certain if what I'm writing here will be fully complete. If someone can verify that this is in fact the right way to do it, you're welcome to add it to the Wiki yourself.

Why this other HowTo?
Simple: the Wiki didn't work for me. I did all the stuff in there and I did in fact manage to get a connection up with a different machine, but when I tried to get anything across it died. Worst thing is that the XFRM and NETKEY modules got stuck in memory and I had to reboot, which I did quite a lot while trying to stabilize it to no result.

Why not simply change the existing Wiki?
The existing Wiki is about StrongSwan and this can only operate with XFRM and NETKEY modules, which I traced back to be the source of all my troubles. The older box I was using on the other end was running something called OpenSwan and this implements its own net module called KLIPS.

What's the difference between StrongSwan and OpenSwan?
Well, apparently OpenSwan leans somewhat more to the older version 1 IKE protocol and implements just the basic elements of version 2 IKE - StrongSwan implements everything from version 2 IKE, but not everything from version 1 IKE. The OpenSwan wiki has a Feature Comparison, but this is for the experimental version 3.0 and this HowTo will be about the stable version 2.6.

Let's get our hands dirty in the next message of this thread...
Gordon
Posts: 1461
Joined: 10 Aug 2011, 03:18

Installing OpenSwan with KLIPS

Post by Gordon »

Let's start with some cut-and-paste from the 'Make Strongswan start on a B3' Wiki page. Note: I'm switching display definition for easy copying of the commands. If you see a Number Sign ('#') mentioned in a code box then what follows is a comment and will also be treated as such if you copy it on the command line. I will also be using quote boxes for demonstrative purposes and these will show what's on the screen.

Get a console connection to the B3 (I recommend PuTTy for Windows users) and become root:

Code:

    su -
Install build utils:

Code:

    aptitude install devscripts build-essential lsb-release libncurses-dev
    # apparently bzip2 is also not in the default B3 image
    # (thanks for pointing that out, Morgan)
    aptitude install bzip2
We'll also need the kernel source, so we need to find out what version the B3 is using first:

Quote:

    uname -a
    Linux b3 2.6.38 #1 Tue Mar 22 16:27:55 CET 2011 armv5tel GNU/Linux
    # uname -a | cut -d " " -f 3
    2.6.38
    # # Edit: I'm stupid because you can do the same with
    # uname -r
    2.6.38
So now let's store that last value in a variable and because the code boxes are rather limited in width I'll also assign a variable for Excito's download page.

Code:

    kernelversion=`uname -r`
    downloadpage=http://download.excito.net/kernel/Excito_B3/

    cd /usr/src
    wget ${downloadpage}${kernelversion}/linux-${kernelversion}.tar.bz2
    tar -xjvf linux-${kernelversion}.tar.bz2
It's not really required for this purpose, because we will not be recompiling the kernel or modules that are already available, but let's be safe and complete this by applying Excito's kernel patches. Note that to avoid conflicts with any future kernel I'm placing the patchfiles in the kernel source folder:

Code:

    wget ${downloadpage}${kernelversion}/excito-b3-patch-v${kernelversion}.tar.gz
    cd linux-${kernelversion}
    tar -xzvf ../excito-b3-patch-v${kernelversion}.tar.gz
    ls -1 *.patch | while read patchfilename; do
       patch -p1 -i ${patchfilename}
    done
    make bubba3_defconfig
Next we need to fix the references towards the source in /lib/modules:

Code:

    cd /lib/modules/${kernelversion}
    rm build source
    ln -s /usr/src/linux-${kernelversion} build
    ln -s /usr/src/linux-${kernelversion} source
We're now ready to start with OpenSwan:

Code:

    aptitude install openswan
I need to verify the exact message you'll be seeing, but it will be something similar to what is shown in the 'Make Strongswan start on a B3' Wiki page.

Quote:

    no netkey IPsec stack detected
    no KLIPS IPsec stack detected
    no known IPsec stack detected, ignoring!
    Starting Openswan IPsec 2.6.28...
Hmmm, the KLIPS module is not included and we have to build it ourselves. Ain't it lucky that we already prepared our system for this? :wink:
I'm going to skip a few steps here because the source package for version 2.6.28 doesn't compile (something wrong with a missing header.h file) and the same problem appears to exist with the original source found at the OpenSwan site. Let's go straight to the one that does compile:

Code:

    # remember we're still in /lib/modules/2.6.38!
    cd   # change to root home folder
    wget http://www.openswan.org/download/openswan-2.6.35.tar.gz
    tar -xzvf openswan-2.6.35.tar.gz
    cd openswan-2.6.35
    make KERNELSRC=/lib/modules/`uname -r`/build module
    make KERNELSRC=/lib/modules/`uname -r`/build minstall
Now let's restart ipsec and see what happens:

Quote:

    # /etc/init.d/ipsec restart
    ipsec_setup: Stopping Openswan IPsec...
    ipsec_setup: Starting Openswan IPsec U2.6.28/K2.6.35...

(does that state that it inserts module ipsec.ko?)

Let's check interfaces also:

Quote:

    # ip link
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether 00:22:02:??:??:?? brd ff:ff:ff:ff:ff:ff
    3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
        link/ether 00:22:02:??:??:?? brd ff:ff:ff:ff:ff:ff
    4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
        link/ether 00:0b:6b:??:??:?? brd ff:ff:ff:ff:ff:ff
    5: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
        link/ether 00:0b:6b:??:??:?? brd ff:ff:ff:ff:ff:ff
    6: mon.wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
        link/ieee802.11/radiotap 00:0b:6b:??:??:?? brd ff:ff:ff:ff:ff:ff
    10: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
        link/ether 00:22:02:??:??:?? brd ff:ff:ff:ff:ff:ff
    11: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
        link/void
    12: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
        link/none
Cool, huh?
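Added example (this is not code from Gordon's posts or from the OpenSwan project): the post above ends with the open question of whether the restart actually inserted the KLIPS module, and the first post describes the trouble that follows when the NETKEY/XFRM modules are resident instead. The script below answers both from text that `lsmod` and `ip link` already print. It assumes the module names I know for each stack: the KLIPS module is called `ipsec`, and a NETKEY box shows `xfrm_user` and/or `af_key`. The `lsmod` and `ip link` samples in the script are constructed (MAC addresses replaced) so it runs offline; pass `--live` to run it against the real system.

```shell
#!/bin/sh
# Added example: tell which IPsec stack is loaded from `lsmod` and `ip link` text.
# Module names assumed: "ipsec" = KLIPS, "xfrm_user"/"af_key" = NETKEY (assumption).
# Sample outputs are constructed; run with --live to inspect the real box.

# Constructed `lsmod` output for a KLIPS box: the KLIPS module is simply called "ipsec".
SAMPLE_LSMOD_KLIPS='Module                  Size  Used by
ipsec                 301234  1
mv_cesa                 8052  0'

# Constructed `lsmod` output for a NETKEY box (what the StrongSwan Wiki ends up with).
SAMPLE_LSMOD_NETKEY='Module                  Size  Used by
xfrm_user              21345  2
af_key                 28913  0
esp4                    7012  2'

# Constructed `ip link` output, trimmed from the post above (MACs replaced).
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 00:22:02:00:00:01 brd ff:ff:ff:ff:ff:ff
10: ipsec0: <NOARP,UP,LOWER_UP> mtu 16260 qdisc pfifo_fast state UNKNOWN qlen 10
    link/ether 00:22:02:00:00:01 brd ff:ff:ff:ff:ff:ff
11: ipsec1: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/void
12: mast0: <NOARP> mtu 0 qdisc noop state DOWN qlen 10
    link/none'

# detect_stack LSMOD_TEXT -> prints KLIPS, NETKEY, BOTH or NONE.
# BOTH is the state to avoid: the first post describes XFRM/NETKEY modules staying
# resident until a reboot, so a KLIPS box should show neither xfrm_user nor af_key.
detect_stack() {
    klips=0; netkey=0
    printf '%s\n' "$1" | grep -q '^ipsec[[:space:]]' && klips=1
    printf '%s\n' "$1" | grep -Eq '^(xfrm_user|af_key)[[:space:]]' && netkey=1
    case "$klips$netkey" in
        10) echo KLIPS ;;
        01) echo NETKEY ;;
        11) echo BOTH ;;
        *)  echo NONE ;;
    esac
}

# klips_ifaces IP_LINK_TEXT -> one KLIPS virtual interface per line (ipsecN, mastN).
# NETKEY creates no such interfaces, so an empty result right after the module
# supposedly loaded means the stack in use is not the one you think it is.
klips_ifaces() {
    printf '%s\n' "$1" | awk -F'[ :]+' '/^[0-9]+: (ipsec|mast)[0-9]+:/ { print $2 }'
}

# up_klips_ifaces IP_LINK_TEXT -> only the KLIPS interfaces carrying the UP flag
# (ipsec0 in the post; ipsec1 and mast0 are created but DOWN). LOWER_UP alone
# does not count, hence the comma/bracket anchoring around UP.
up_klips_ifaces() {
    printf '%s\n' "$1" | awk -F'[ :]+' '/^[0-9]+: (ipsec|mast)[0-9]+: <([^>]*,)?UP[,>]/ { print $2 }'
}

if [ "${1:-}" = "--live" ]; then
    # Real system: which stack is resident, and which KLIPS interfaces are up.
    detect_stack "$(lsmod)"
    up_klips_ifaces "$(ip link)"
else
    echo "KLIPS sample:  $(detect_stack "$SAMPLE_LSMOD_KLIPS")"
    echo "NETKEY sample: $(detect_stack "$SAMPLE_LSMOD_NETKEY")"
    echo "KLIPS interfaces in sample ip link: $(klips_ifaces "$SAMPLE_IP_LINK" | tr '\n' ' ')"
    echo "of which UP: $(up_klips_ifaces "$SAMPLE_IP_LINK" | tr '\n' ' ')"
fi
```

On a box that came out of this HowTo correctly, `sh ipsec-stack-check.sh --live` should print KLIPS followed by ipsec0; NETKEY or BOTH means the XFRM modules the first post warns about are still loaded. Openswan's own `ipsec verify` gives a longer report of the same kind once the daemon is up.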