Bugs in IPSec HowTO (on wiki) and some questions

[eramoli]

Hi,

I have now installed IPSec according to the description in the http://wiki.excito.org/wiki/index.php/M ... rt_on_a_b3 wiki page. There are however a bug in the description that should be changed. The first ”wget” when fetching the kernal is actually exactly the same wget as when fetching the patches. So what I did was that I adapted the path on http://wiki.excito.org/wiki/index.php/U ... _H%C3%B8st to refer to Linux kernel 2.6.38 and then fetched it using the wget command.

I did also not have the bzip2 command installed so I needed to install that one first as well. This should also be added to the wiki.

The ”make modules modules_install” command resulted in a number of warnings when compiling the core. Is this expected or is there something wrong with my procedure?

When looking at my /etc/network/interfaces file after this procedure I noticed that the interfaces were corrupted. I have setup an IPv6 interface according to http://forum.excito.net/viewtopic.php?f=9&t=2776 and the iface stanza for inet6 was gone and the content was merged with the stanza for inet. Is this an alternative formatting or is this a bug in the process above.

NOTE: Since I did not review the interfaces file just before doing the IPSec modifications I can not be 100% sure that it was the IPSec stuff that modified the interfaces file (I do not understand what else it could be but one never knows).

Excito: It would be really nice if one did not have to download and recompile the kernal to enable IPSec. Could you modify the next release to include the IPSec stuff from start?

My next step is to try to configure a tunnel. I am still waiting for the remote configuration data but let see if it can be done before the week is over.

Best Regards,
Morgan

[Gordon]

Warnings are quite normal when compiling the kernel. Most often you'll see things like something something defined but never used.

I agree with that it is a shame that you need to compile the kernel, but there should actually not be a need for recompiling all the modules that are already there. You could probably speed up the whole process considerably by removing every line in the config that has '=m'. Then, after adding the two lines for XFRM and NETKEY do a

Code: Select all

make menuconfig

This fixes all the lines you removed before (without enabling them as a module) and will also check dependencies.

You made a mistake in the wiki; the first download should read

Code: Select all

http://download.excito.net/kernel/Excito_B3/2.6.38/linux-2.6.38.tar.bz2

Rather than having to change the wiki with every new release I propose to make it generic

Code: Select all

# uname -a
Linux b3 2.6.38 #1 Tue Mar 22 16:27:55 CET 2011 armv5tel GNU/Linux
# kernelversion=`uname -a | cut -d " " -f 3`
# echo $kernelversion
2.6.38
# cd /usr/src
# wget http://download.excito.net/kernel/Excito_B3/$kernelversion/linux-$kernelversion.tar.bz2
# bzip2 -d linux-$kernelversion.tar.bz2
# tar -xvf linux-$kernelversion.tar
# wget http://download.excito.net/kernel/Excito_B3/$kernelversion/excito-b3-patch-v$kernelversion.tar.gz
# tar -xvzf excito-b3-patch-v$kernelversion.tar.gz                   
# cd linux-$kernelversion
# ls -1 ../*.patch | while read patchfilename; do patch -p1 -i $patchfilename; done

Might also want to take a look here: http://forum.excito.net/viewtopic.php?f=9&t=3278
Because XFRM and NETKEY are not used in this case, you don't have to compile the kernel. You should however fix the build and source symlinks in /lib/modules/linux-2.6.38

[johannes]

Hi guys, you are most welcome to edit the wiki yourselves. Or just let me know if you prefer not to and I'll do it.

[Gordon]

Hi Johannes,

I was actually misreading Morgan's post in thinking that he was already at it. Problem is that I already changed so much on my B3, that in most cases I could no longer be sure that anything I'd put on the wiki would be complete (and no, I'm not about to reset it to factory and retrace what I did). So honestly I'd rather not and prefer to limit my input to the forum.

An additional note:

Code: Select all

# bzip2 -d linux-$kernelversion.tar.bz2
# tar -xvf linux-$kernelversion.tar

can be replaced by

Code: Select all

# tar -xjvf linux-$kernelversion.tar.bz2

[johannes]

I fully understand that, it's just that I am not 100% comfortable with changing it either since I didn't write it and am not as deeply involved as you guys. On the other hand issues found should get in there.

@eramoli, any change I can ask you (kindly) to update the wiki?

[eramoli]

Hi,

The wiki is now updated.

/Morgan

[Gordon]

I'll start a draft of what I (think I) did on the Howtos forum.

Should probably be a different wiki item anyway, since I'm now using OpenSwan instead of StrongSwan (FeatureComparison)

[kurt2000]

Hi,

The wiki is now updated.

/Morgan

Thank you.

I'm the author of the original wiki. I do not own a b3 my self, i just did the work for a colleague that got a b3 and wanted a super fast ipsec vpn. the arm chip is quite good at doing aes.

I admit that i didn't update the wiki, when i saw that excito had updated the kernel without enabling the 2 modules referred, - i was a little disappointed I guess you saw http://forum.excito.net/viewtopic.php?f=10&t=3390

As for my colleague, the strongswan/b3 solution has been working flawless.

Wkr.
Svend

[kurt2000]

Here we go again

My colleagues b3 got hacked, so we had to make a clean install.

I installed strongswan and it build the tunnel ok. Unfortunately there were some problems with with routing.

Code: Select all

cat /var/log/auth.log 
Sep 19 23:42:30 b3 pluto[5565]: "pallas": route-client output: RTNETLINK answers: Operation not supported
Sep 19 23:42:30 b3 pluto[5565]: "pallas": route-client output: Dump terminated
Sep 19 23:42:30 b3 pluto[5565]: "pallas": route-client output: RTNETLINK answers: Operation not supported

So googling a bit hinted to compiling some modules. Looking at the wiki it says use uname and look for the kernel source on excitos web

Code: Select all

Linux b3 2.6.39.4-11 #1 Tue Apr 3 21:45:12 FET 2012 armv5tel GNU/Linux

but http://download.excito.net/kernel/Excito_B3/ dosen't contain any 2.6.39 kernel !?

[eramoli]

Hi,

My understanding is that you now can do a "apt-get source ..." to get the kernal source.

Use the command "change_distribution -sunc elvin" (Only for B3) and "apt-get update" if you do not have the source files in your apt-get configuration.

/Morgan

[kurt2000]

Thanks.

What about the excito patches, are they included in the kernel source when retrieving from debian.org ?

[Edit] the patches are included !

wkr.