Page 1 of 2
kernel with ipsec support
Posted: 01 Dec 2010, 02:19
by kurt2000
Hey
It would be nice if the kernel was compiled with ipsec support, so that we could use strongswan for vpn.
Wkr.
Re: kernel with ipsec support
Posted: 02 Dec 2010, 13:53
by RandomUsername
+1. There are already a few posts about this. I don't think I've ever seen a reason from Excito as to why this wouldn't be possible.
Re: kernel with ipsec support
Posted: 02 Dec 2010, 14:14
by kurt2000
Well yeah, it's kind off stupid.
I bricked 1 b3 in the process, it should have been enabled from the beggining, especially when you consider that the chip has a good hardware crypto engine, that they already enabled in the running kernel.
I tried the guruplug server plus with strongswan, and it was quite good at doing ipsec.
the b3 have far better network performance as a router compare to a device like the ZyXEL usg20W.
wkr.
Re: kernel with ipsec support
Posted: 08 Dec 2010, 14:34
by kurt2000
Hi excito & Co
I've compiled a new kernel with ipsec enabled. Some off the settings should be compiled as a module, so that strongswan would start.
I made a iperf test that showed that the device was capable of delivering 30 mbit/s aes128 encryption, and probably more. It maxed out our 1000$ zyxel usg300.
I think it could go a little higher if i had a decent vpn other than the usg300.
I can make a writeup, if anyone wish.
Wkr.
Re: kernel with ipsec support
Posted: 08 Dec 2010, 15:50
by Moloko
I can make a writeup, if anyone wish.
Yes please! Me wish!
Re: kernel with ipsec support
Posted: 08 Dec 2010, 15:56
by RandomUsername
If it works that well we should really petition Excito to include it in a future update. I'd be interested to see how someone gets on with a B2 using this.
Re: kernel with ipsec support
Posted: 09 Dec 2010, 01:25
by kurt2000
Hi
I switched to another vpn gateway than the usg300. The other gateway is a ubuntu virtual machine running on a fast esx, and i know it is capable of delivering 80mbit ipsec throughput.
With the new gateway i was able to pull 40 mbit on iperf with tcp windows size at 16kb. So i guess that it's the limit of this arm cpu, which is very nice indeed.
The kernel config should be changed by excito, so i don't have to make a new kernel next time excito make a update.
I can deliver the necessary patch to .config
Wkr.
Re: kernel with ipsec support
Posted: 09 Dec 2010, 03:26
by Ubi
did you email them about this?
Re: kernel with ipsec support
Posted: 09 Dec 2010, 05:29
by kurt2000
nope, they dont read the feature request forum ?
Re: kernel with ipsec support
Posted: 09 Dec 2010, 06:45
by Ubi
not always
Re: kernel with ipsec support
Posted: 09 Dec 2010, 07:52
by kurt2000
Lol, that makes sense.
Request a feature, we dont read them
I've requested a login for the wiki, so i can make a writeup.
Wkr.
Re: kernel with ipsec support
Posted: 09 Dec 2010, 09:15
by tor
Hi kurt2000 and others,
Surely we read the forum, unfortunately not as frequently as we would like though.
Kurt, since you requested a wiki-account i assume you are going to write a Howto. Thats super.
And there is, probably nothing stopping us for including this in a future kernel upgrade.
/Tor
Re: kernel with ipsec support
Posted: 09 Dec 2010, 16:54
by RandomUsername
tor wrote:
And there is, probably nothing stopping us for including this in a future kernel upgrade.
/Tor
Yes please!
Re: kernel with ipsec support
Posted: 09 Dec 2010, 17:40
by kurt2000
tor wrote:Hi kurt2000 and others,
Surely we read the forum, unfortunately not as frequently as we would like though.
Kurt, since you requested a wiki-account i assume you are going to write a Howto. Thats super.
And there is, probably nothing stopping us for including this in a future kernel upgrade.
/Tor
Nice ! A little noise is all it takes
I've made a real quick writeup off the steps for those who can't wait for the official update.
http://wiki.excito.org/wiki/index.php/U ... _H%C3%B8st
The only reason for doing it on my user page is, that i'm a wiki NooB that dont know how to create a new page that i can link to.
Tor, as you can se the changes to the .config is not overhelming. Please don't make a new kernel without theese 2 modules, so everyone that want's to use ipsec on your pretty little thing, have to do it all over again when you create a new kernel with modules.
Wkr & happy coding holidays !
Re: kernel with ipsec support
Posted: 10 Dec 2010, 11:26
by RandomUsername
I thought I'd have a go at this on my Bubba 2 but am stumbling at this hurdle:
Make a .config :
# make bubba3_defconfig
I'm not much of an expert at compiling kernels and so on so can someone tell me what I should be putting here on a B2?
Thanks.
[EDIT] I have downloaded and unpacked the B2 kernel and not the B3 one, just to clarify.