
Opened 10 years ago

Closed 7 years ago

Last modified 6 years ago

#2538 closed enhancement (fixed)

strongSwan 4 support for Linux 2.6 systems

Reported by: lucaf3rr@… Owned by: nico
Priority: normal Milestone: Backfire 10.03.1
Component: packages Version: Trunk
Keywords: strongSwan ipsec Cc: kcody@…

Description

This initiative has been taken since there is currently no OpenSwan/strongSwan support for Linux 2.6 in OpenWrt.

The basic package structure attached to this ticket contains three patches that
enable compilation.

What Works?

The package provided builds for OpenWrt linux-2.6-brcm47xx. With some manual lifting on top and manual configuration of iptables rules it can be verified as working. Both roadwarrior and site-to-site links are tested and verified as working. But this is with some heavy patchwork on top of tasks that are expected to be automated.

In summary, this package builds but not much more. It lacks integration with iptables. Startup and shutdown scripts need to be readapted. Dependencies need to be narrowed or resolved.

Dependencies

The tar file included has rudimentary support for strongSwan 4. It uses Kevin Cody's file structure although they will have to be rewritten for strongSwan 4 support. IPTables rules are completely different in strongSwan 4, ipsec0/1/n devices are gone. Instead, strongSwan wants to use an iptables 'policy' module.

Some dependencies have been discovered:

  • strongSwan 4 uses command 'ip' extensively for routing setup
  • libipt_policy.so iptables module, which is currently not available in OpenWrt
  • setkey seems to be used under the hood, at least on one occasion when flushing SPD/SAD upon exit -- this implies a dependency on ipsec-tools
  • kmod-crypto, kmod-ipsec and kmod-ipsec4 and kmod-iptunnel4 are all used for IPv4 support

Conclusions

strongSwan's use of GNU autotools makes compilation and adaptation a lot easier. Many changes required by OpenWrt are likely to be accepted upstream, provided the correct checks are in place.

strongSwan are not planning to develop their 2.x branch for features any longer. IKEv2 will not be ported as it currently stands. Hence, it is important for OpenWrt to improve its support for IPsec on Linux 2.6.

It is my hope someone more knowledgeable than myself can move this forward. Hopefully, this package can be integrated into the trunk build system for packages so that more developers can be exposed to it.
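The iptables integration the description lists as missing, worked out as an added example (not code from the ticket, from strongSwan or from the OpenWrt package): with strongSwan 4 on a 2.6 kernel there is no ipsec0 device, so decrypted packets surface on the WAN interface looking like any other packet from the remote LAN. The only thing that separates "came out of an ESP SA" from "spoofed cleartext with a remote-LAN source address" is the policy match, which needs the xt_policy kernel module and the libipt_policy.so user-space part the description says OpenWrt lacked. Interface name, subnets and the peer address are made up for the example; setting IPT to "echo iptables" prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not from the ticket or the strongSwan/OpenWrt packages:
# firewall rules for a strongSwan 4 / Linux 2.6 (XFRM, no ipsec0) site-to-site
# tunnel using the iptables 'policy' match. Assumed topology (all made up):
# WAN interface $WAN, local LAN 192.168.1.0/24, remote LAN 10.0.0.0/24,
# remote gateway 203.0.113.2. IPT="echo iptables" gives a dry run.

WAN=${WAN:-eth0.1}
LOCAL_NET=${LOCAL_NET:-192.168.1.0/24}
REMOTE_NET=${REMOTE_NET:-10.0.0.0/24}
REMOTE_GW=${REMOTE_GW:-203.0.113.2}
IPT=${IPT:-iptables}

# Allow the IKE and ESP traffic itself; nothing else from the peer is trusted here.
ipsec_control_rules() {
    $IPT -A INPUT -i "$WAN" -s "$REMOTE_GW" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -s "$REMOTE_GW" -p udp --dport 4500 -j ACCEPT   # NAT-T
    $IPT -A INPUT -i "$WAN" -s "$REMOTE_GW" -p esp -j ACCEPT
}

# '-m policy --pol ipsec' only matches packets that really came out of an
# IPsec SA, so a cleartext packet arriving on $WAN with a 10.0.0.0/24 source
# does NOT hit the first ACCEPT. The two '--pol none' rules make the
# remaining cases explicit: no cleartext leak towards the remote LAN when the
# tunnel is down, and no spoofed remote-LAN traffic accepted from the WAN.
ipsec_forward_rules() {
    $IPT -A FORWARD -i "$WAN" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp --mode tunnel \
        --tunnel-src "$REMOTE_GW" -j ACCEPT
    $IPT -A FORWARD -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp --mode tunnel \
        --tunnel-dst "$REMOTE_GW" -j ACCEPT
    $IPT -A FORWARD -o "$WAN" -d "$REMOTE_NET" -m policy --dir out --pol none -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$REMOTE_NET" -m policy --dir in --pol none -j DROP
}

# Tunnelled traffic must not be masqueraded, otherwise it no longer matches the
# SPD selector (LOCAL_NET -> REMOTE_NET) and goes out in cleartext or not at all.
# The ACCEPT has to come before the usual LAN-to-WAN MASQUERADE rule.
ipsec_nat_rules() {
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -j MASQUERADE
}

# Installs all three groups; returns non-zero as soon as one rule fails.
ipsec_all_rules() {
    ipsec_control_rules && ipsec_forward_rules && ipsec_nat_rules
}

case "${1:-}" in
    --apply)   ipsec_all_rules ;;
    --dry-run) IPT="echo iptables"; ipsec_all_rules ;;
esac
```

Run with --dry-run first and compare the printed rules against the SPD (`ip xfrm policy`) before applying; the `--tunnel-src`/`--tunnel-dst` arguments pin the match to this peer, so a second tunnel needs its own pair of FORWARD rules.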

Attachments (22)

strongswan4.tar (30.0 KB) - added by lucaf3rr@… 10 years ago.
strongSwan 4, OpenWrt package
strongswan-4.1.9.tar (20.0 KB) - added by norbert 10 years ago.
version 4.1.9 and nat traversal enabled
strongswan-4.1.10.tar (30.0 KB) - added by norbert 10 years ago.
version 4.1.10 and build modification
strongswan-merged.tar (80.0 KB) - added by norbert 9 years ago.
merge of 2.8.x and 4.1.x makefile
strongswan-4.1.11.tar (80.0 KB) - added by norbert 9 years ago.
version bump
strongswan-4.1.11-5.tar (80.0 KB) - added by norbert 9 years ago.
package release 5: updated dependencies to kernel modules
openwrt_package_strongswan-4.2.4.4.tar (20.0 KB) - added by norbert 9 years ago.
first package from strongSwan branch 4.2.4 (2008-06-06)
patch_CoreCryptoAPImodules.patch (1.0 KB) - added by norbert 9 years ago.
for the 4.2.x package you need the kernel patch for Core CryptoAPI modules also.
openwrt_package_strongswan-4.2.4.7.tar (30.0 KB) - added by norbert 9 years ago.
after some weeks of testing final strongswan-4.2.4 package
openwrt_package_strongswan-4.2.5.1.tar (20.0 KB) - added by norbert 9 years ago.
first strongswan 4.2.5 package for testing
patch_kernel-network-mk.patch (647 bytes) - added by norbert 9 years ago.
NET_KEY and XFRM options for ipsec
patch_kernel-network-mk_v2.patch (655 bytes) - added by norbert 9 years ago.
last file was a mistake
strongswan-4.2.5-splitted.tar (20.0 KB) - added by martin 9 years ago.
strongswan-full and strongswan-ikev2 packages
openwrt_package_strongswan-4.2.8.1.tar (20.0 KB) - added by norbert 9 years ago.
strongswan-4.2.10.1.tar (30.0 KB) - added by norbert 9 years ago.
version update
strongswan-4.2.14.2.tar (30.0 KB) - added by norbert 8 years ago.
update, works perfect at 8.09.1
strongswan-4.2.17.1.tar (30.0 KB) - added by norbert 8 years ago.
status: test with trunk
strongswan-4.2.17.2.tar (30.0 KB) - added by beus@… 8 years ago.
small modification to 4.2.17.1, now selects openssl instead of libgmp. This enables the use of elliptic curve cryptography such as EC-DH and ECDSA.
201-no-modprobe.patch (1.0 KB) - added by beus@… 8 years ago.
changed patch file for strongswan 4.3.*
strongswan-4.3.5.1.tar (40.0 KB) - added by norbert 8 years ago.
version update
202.clone.patch (700 bytes) - added by beus@… 7 years ago.
patch changing the name of one method to avoid compiling error.
package_strongswan4.4.1dr3_not-working_.tar.gz (5.1 KB) - added by beus@… 7 years ago.
Attempt to make a makefile based on Nico's 4.3.6. version for 4.4.* with more options and clearer distinction between enable and disable options


Change History (46)

Changed 10 years ago by lucaf3rr@…

strongSwan 4, OpenWrt package

comment:1 Changed 10 years ago by florian

Why not use ipsec-tools which has a smaller memory footprint than any *S/WAN implementations ?

comment:2 Changed 10 years ago by lucaf3rr@…

Mainly because ipsec-tools does not support dynamic DNS. Nodes need to be declared by ip-address. That totally breaks many setups. I have successfully used OpenSwan and strongSwan where all nodes have been dynamic DNS.

Secondly because strongSwan supports IKEv2.

ipsec-tools looks promising though and they are sure to address these issues at some point.

Changed 10 years ago by norbert

version 4.1.9 and nat traversal enabled

comment:3 Changed 10 years ago by norbert

The device /dev/random on ASUS WL-500g Premium blocks every read due to low entropy.

For a solution see http://kerneltrap.org/node/7439 and https://linuxlink.timesys.com/docs/about_entropy

I have changed the request_irq function call in package/b43/src/main.c to

err = request_irq(dev->dev->irq, b43_interrupt_handler, IRQF_SHARED | IRQF_SAMPLE_RANDOM, KBUILD_MODNAME, dev);

Changed 10 years ago by norbert

version 4.1.10 and build modification

comment:4 Changed 10 years ago by norbert

Be careful with version 4.1.10! I have modified the device in build options from /dev/random to /dev/urandom. This may be a security risk!

StrongSwan 4.1.10 on ASUS WL-500g Premium is slow. Connections should be configured with parameters like:

ike=aes128-sha-modp1536
esp=aes128-sha1

With more than aes128 I get a connection timeout.

Additionally the host key should be generated on your main system.

Changed 9 years ago by norbert

merge of 2.8.x and 4.1.x makefile

Changed 9 years ago by norbert

version bump

Changed 9 years ago by norbert

package release 5: updated dependencies to kernel modules

comment:5 Changed 9 years ago by martin

I'm a dev of the strongSwan team and want to provide some input:

I would prefer different build options for strongSwan. 2.8 series is deprecated, but you'll get the same if you disable IKEv2 (charon) in 4.x. The IKEv1 daemon pluto is inherited from the FreeSWAN project and is monolithic and somewhat bloated. The new IKEv2 daemon is written from scratch and is highly modular, so you can trim it down to 250KB footprint or less without problems.

Enabling IKEv1 requires:

  • ip from iproute2
  • setkey is actually not needed, it is used as a fallback if ip is missing
  • libgmp
  • the kernel modules mentioned
  • libipt_policy is required if you want to do firewalling
  • IKEv1 requires ipsec starter, pluto and /etc/ipsec.conf style configuration

A minimal IKEv2 build requires:

  • Using strongSwans own crypto modules:
    • libgmp
    • a subset of our crypto algorithms (e.g. AES and SHA1)
  • OR using OpenSSL:
    • libcrypto from OpenSSL
    • strongSwans OpenSSL crypto wrapper

I would prefer our own crypto modules, as OpenSSL is really huge. If you want to go for OpenSSL, we have to enable Elliptic Curves in OpenWRTs OpenSSL build.

We are currently working on a UCI configuration backend for IKEv2, so we won't need starter and the traditional ipsec.conf/ipsec.d configuration. This will also remove the iproute2 dependency, but will not work with IKEv1.

The daemons do not read from /dev/random, only RSA key generation reads from /dev/urandom.

I've released 4.2.4rc6 which includes some changes to simplify the build on OpenWRT. I'll come up with a minimal IKEv2 Makefile including UCI/Webif if it is ready...
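An added example (not from the ticket, from strongSwan or from OpenWrt) that ties comments 3 to 5 together: the daemons will not block on the random device, but generating the RSA host key is the operation that consumes real randomness, and the ASUS box that blocks on /dev/random has a pool that is almost empty. Rather than silently switching to /dev/urandom, this script reads the pool level the kernel exposes and refuses to generate on the router below a threshold, which is norbert's "generate it on your main system" advice made mechanical. The threshold, the key path, the file name used in ipsec.secrets and the 2048-bit openssl key are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the ticket or from strongSwan/OpenWrt: gate on-device
# RSA host-key generation on the kernel entropy pool. All paths and the
# threshold are assumptions, not project defaults.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
MIN_ENTROPY=${MIN_ENTROPY:-1024}   # bits; a 2.6 kernel's pool tops out at 4096
KEY_FILE=${KEY_FILE:-/etc/ipsec.d/private/hostkey.pem}

# entropy_avail FILE MIN -> 0 if FILE holds an integer >= MIN, 1 if it is lower,
# 2 if the file is missing or not a number ("unknown", never trusted as "enough").
entropy_avail() {
    avail=$(cat "$1" 2>/dev/null) || return 2
    case "$avail" in ''|*[!0-9]*) return 2 ;; esac
    [ "$avail" -ge "$2" ]
}

# hostkey_plan FILE MIN -> prints "local" when the pool is healthy enough to
# generate on the router, "offbox" otherwise (including the unknown case).
hostkey_plan() {
    if entropy_avail "$1" "$2"; then echo local; else echo offbox; fi
}

# Generate the key where hostkey_plan says so. Off-box means: run the same
# openssl command on a workstation and copy the file into place, mode 0600.
# strongSwan reads the PEM RSA key via a ": RSA hostkey.pem" line in ipsec.secrets.
gen_hostkey() {
    case $(hostkey_plan "$ENTROPY_FILE" "$MIN_ENTROPY") in
    local)
        umask 077
        openssl genrsa -out "$KEY_FILE" 2048 || return 1
        chmod 600 "$KEY_FILE"
        ;;
    offbox)
        echo "entropy pool below $MIN_ENTROPY bits on this router; generate off-box:" >&2
        echo "  openssl genrsa -out hostkey.pem 2048 && scp hostkey.pem root@router:$KEY_FILE" >&2
        return 1
        ;;
    esac
}

case "${1:-}" in
    --run)  gen_hostkey ;;
    --plan) hostkey_plan "$ENTROPY_FILE" "$MIN_ENTROPY" ;;
esac
```

`--plan` is the cheap check to run before deciding whether the IRQF_SAMPLE_RANDOM patch from comment:3 is even needed on a given board: a pool that sits near 4096 bits after a few minutes of uptime does not need the workaround.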

Changed 9 years ago by norbert

first package from strongSwan branch 4.2.4 (2008-06-06)

Changed 9 years ago by norbert

for the 4.2.x package you need the kernel patch for Core CryptoAPI modules also.

Changed 9 years ago by norbert

after some weeks of testing final strongswan-4.2.4 package

Changed 9 years ago by norbert

first strongswan 4.2.5 package for testing

Changed 9 years ago by norbert

NET_KEY and XFRM options for ipsec

Changed 9 years ago by norbert

last file was a mistake

comment:6 Changed 9 years ago by martin

I've attached a tarball containing two packages for strongSwan. They do not provide any configuration options, but sane defaults for an average user.

The first package is what I use for a full build with IKEv1/IKEv2 support, ipsec starter and ipsec.conf/ipsec.secrets configuration. It is not as complete as the one from Norbert, but it might have some hints to improve yours (modules).

The second one is probably more interesting. It only supports IKEv2, but includes a configuration backend for UCI (see shipped examples) and uses a simple fifo (/var/run/charon.fifo) to control the daemon. We already have a X-Wrt Webif to configure and control the daemon; we'll post that there soon. This package has a small footprint and few dependencies.

Maybe it's better to merge these packages into a single one, but I don't know the build system well enough to do that.

I hope to find some time to extend the UCI backend to support public keys/certificates...

Changed 9 years ago by martin

strongswan-full and strongswan-ikev2 packages

comment:7 Changed 9 years ago by lucaf3rr@…

I just tried the strongswan-4.2.5-splitted.tar package above.

/usr/lib/ipsec/starter depends on modprobe, which is not available to OpenWrt by default. It can be made available by compiling it into the busybox executable but it may not be practical.

The way I dealt with it initially was to change modprobe for insmod, verbatim. Have a look at the patch: 201-no-modprobe.patch in the original attachment.

Maybe the best way to go about it would be to check for modprobe or insmod in the upstream strongSwan starter script?
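One way to do the modprobe-or-insmod check suggested in the comment above, as an added example (not strongSwan's starter code and not from the ticket): use modprobe when the binary exists and otherwise insmod the file resolved from the modules directory, skipping modules /proc/modules already lists. The modules directory layout, the overridable command names and the module list at the bottom are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the ticket or from strongSwan's starter: load kernel
# modules with modprobe when available (default OpenWrt busybox lacks it),
# else fall back to insmod on the .ko path. Layout /lib/modules/<kernel>/NAME.ko
# and the command names are assumptions; both are overridable for testing.

MODULES_DIR=${MODULES_DIR:-/lib/modules/$(uname -r)}
MODPROBE=${MODPROBE:-modprobe}
INSMOD=${INSMOD:-insmod}

# find_module NAME -> prints DIR/NAME.ko if it exists, else exits 1.
find_module() {
    f="$MODULES_DIR/$1.ko"
    [ -f "$f" ] && echo "$f"
}

# load_module NAME: already-loaded modules are skipped; modprobe is preferred
# because it resolves dependencies, insmod loads exactly the one file.
load_module() {
    if [ -r /proc/modules ] && grep -q "^$1 " /proc/modules; then
        return 0
    fi
    if command -v "$MODPROBE" >/dev/null 2>&1; then
        "$MODPROBE" "$1"
    else
        f=$(find_module "$1") || { echo "module $1 not found in $MODULES_DIR" >&2; return 1; }
        "$INSMOD" "$f"
    fi
}

# Indicative list behind the kmod-ipsec/kmod-ipsec4/kmod-iptunnel4 packages the
# ticket names (assumed here). With insmod the order is the dependency order,
# so a module must appear after everything it needs.
load_ipsec_modules() {
    for m in af_key xfrm_user ah4 esp4 ipcomp tunnel4 xfrm4_tunnel; do
        load_module "$m" || return 1
    done
}

case "${1:-}" in
    --load) load_ipsec_modules ;;
esac
```

Setting INSMOD=echo turns the fallback into a dry run that prints which file would be loaded, which is the quickest way to spot a missing .ko before the starter dies with an unhelpful error.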

comment:8 Changed 9 years ago by lucaf3rr@…

Doing 'ipsec update' results in the following error:

Updating strongSwan IPsec configuration...
sh: bad signal name 's'

Changed 9 years ago by norbert

Changed 9 years ago by norbert

version update

comment:9 Changed 9 years ago by pittipatti@…

Has anybody tried getting this into the packages feed?
It would be easier to use and to maintain.
I just don't want to take your work and post it to the dev-mailinglist in my name.

Changed 8 years ago by norbert

update, works perfect at 8.09.1

Changed 8 years ago by norbert

status: test with trunk

comment:10 follow-up: Changed 8 years ago by beus

I think I found a typo in Makefile (4.2.17.1.tar)
line 54 reads:
$(if $(CONFIG_STRONGSWAN_DEVICE_URANDOM),--with-random-device=$(CONFIG_STRONGSWAN_DEVICE_RANDOM)) \

I think it should read:
$(if $(CONFIG_STRONGSWAN_DEVICE_URANDOM),--with-random-device=$(CONFIG_STRONGSWAN_DEVICE_URANDOM)) \

Also I'm wondering if there is a special reason why so few of the autoconfigure options are included? See 4.2 autoconf options 4.3 autoconf options

comment:11 in reply to: ↑ 10 Changed 8 years ago by beus@…

Replying to beus:

I think I found a typo in Makefile (4.2.17.1.tar)
line 54 reads:
$(if $(CONFIG_STRONGSWAN_DEVICE_URANDOM),--with-random-device=$(CONFIG_STRONGSWAN_DEVICE_RANDOM)) \

I think it should read:
$(if $(CONFIG_STRONGSWAN_DEVICE_URANDOM),--with-random-device=$(CONFIG_STRONGSWAN_DEVICE_URANDOM)) \

Also I'm wondering if there is a special reason why so few of the autoconfigure options are included? See 4.2 autoconf options 4.3 autoconf options

Correcting myself, I missed another typo in the same line. It should read:
$(if $(CONFIG_STRONGSWAN_DEVICE_URANDOM),--with-urandom-device=$(CONFIG_STRONGSWAN_DEVICE_URANDOM)) \

comment:12 Changed 8 years ago by nico

  • Owner changed from developers to nico
  • Status changed from new to assigned

Changed 8 years ago by beus@…

small modification to 4.2.17.1, now selects openssl instead of libgmp. This enables the use of elliptic curve cryptography such as EC-DH and ECDSA.

comment:13 Changed 8 years ago by beus@…

Nice to see that this ticket is assigned. I've been trying to get 4.2.3.* to compile but I've given up on that due to time restrictions.

During my attempts I've noticed that the patch on netkey.c no longer works due to a small change in the source code of netkey.c. See below for my new 201-no-modprobe.patch.

If I recall correctly it will not compile as it tries to copy some files that no longer exist. Some *.so.* files I think, the *.so file does exist. Unfortunately I have no clue as to how to fix this problem. So I'm using 4.2.17 instead.

Changed 8 years ago by beus@…

changed patch file for strongswan 4.3.*

Changed 8 years ago by norbert

version update

comment:14 Changed 8 years ago by norbert

hints and changes for 4.3.5:
1) new and only for 3.4.5, fixed in 3.4.6: 100_configure_pthread_condattr_setclock.patch
2) updated: 201-no-modprobe.patch
3) plugin copy changed from *.so.* to *.so
4) 4.2.17.2 changes ignored, should be a option in Config.in
5) 4.2.17.1 typo in line 54 ignored; these options are only interesting with hwrandom

comment:15 Changed 8 years ago by anonymous

I just wanted to say thanks for the work norbert!

comment:16 Changed 8 years ago by beus@…

any chance you will be putting a new version for 4.3.6 online soon Norbert?
simply adjusting it to 4.3.6 doesn't compile due to 100_configure_pthread_condattr_setclock.patch
I've tried to diff them myself but the diff file would be about 1/2-2/3rd of the code...
thanks in advance

Beus

comment:17 Changed 8 years ago by norbert

@Beus: please read my last comment :-)

Remove the 100_configure_pthread_condattr_setclock.patch from the files directory and try it again. It was extracted from the svn tree.

Changed 7 years ago by beus@…

patch changing the name of one method to avoid compiling error.

comment:18 Changed 7 years ago by beus@…

4.3.6 conflicted during compile concerning the method 'clone'. That's probably why the name of the function clone in src/libstrongswan/utils/identification.c in version 4.3.5 had a slightly altered name. I assume that during rewriting of the code this was missed and this error is not previously encountered due to the specific settings I use (uClibc, OpenWRT).

I've made a patch so that now it compiles. It starts up ok, however I have not tested it thoroughly yet. So fingers crossed and on own risk I provide the patch (202.clone.patch)

the error in short:

utils/identification.c:801: error: conflicting types for 'clone'
trunk/staging_dir/toolchain-mipsel_gcc-4.3.3+cs_uClibc-0.9.30.1/usr/mipsel-openwrt-linux-uclibc/sys-include/bits/sched.h:74: error: previous declaration of 'clone' was here

long version of error:

libtool: compile:  mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.3.6\" "-DPACKAGE_STRING=\"strongSwan 4.3.6\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.3.6\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE__BOOL=1 -DHAVE_STDBOOL_H=1 -DHAVE_ALLOCA_H=1 -DHAVE_ALLOCA=1 -DHAVE_CLOCK_GETTIME=1 -DHAVE_DLADDR=1 -DHAVE_PTHREAD_CONDATTR_INIT=1 -DHAVE_PTHREAD_CANCEL=1 -DHAVE_PTHREAD_RWLOCK_INIT=1 -DHAVE_PRCTL=1 -DHAVE_LINUX_UDP_H=1 -DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY=1 -DHAVE_IN6ADDR_ANY=1 -DHAVE_IN6_PKTINFO=1 -DHAVE_IPSEC_MODE_BEET=1 -DHAVE_IPSEC_DIR_FWD=1 -DHAVE_PRINTF_FUNCTION=1 -I. -I../../src/libstrongswan -I/local/wsjanwillem/trunk3/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/local/wsjanwillem/trunk3/staging_dir/target-mipsel_uClibc-0.9.30.1/include -I/local/wsjanwillem/trunk3/staging_dir/toolchain-mipsel_gcc-4.3.3+cs_uClibc-0.9.30.1/usr/include -I/local/wsjanwillem/trunk3/staging_dir/toolchain-mipsel_gcc-4.3.3+cs_uClibc-0.9.30.1/include -DIPSEC_DIR=\"/usr/lib/ipsec\" -DPLUGINDIR=\"/usr/lib/ipsec/plugins\" -DSTRONGSWAN_CONF=\"/etc/strongswan.conf\" -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float -MT identification.lo -MD -MP -MF .deps/identification.Tpo -c utils/identification.c  -fPIC -DPIC -o .libs/identification.o
utils/identification.c:801: error: conflicting types for 'clone'
/local/wsjanwillem/trunk3/staging_dir/toolchain-mipsel_gcc-4.3.3+cs_uClibc-0.9.30.1/usr/lib/gcc/mipsel-openwrt-linux-uclibc/4.3.3/../../../../mipsel-openwrt-linux-uclibc/sys-include/bits/sched.h:74: error: previous declaration of 'clone' was here
make[8]: *** [identification.lo] Error 1

comment:19 Changed 7 years ago by nico

  • Milestone changed from Kamikaze to Backfire 10.03.1
  • Resolution set to fixed
  • Status changed from accepted to closed
  • Version set to Trunk

A modular version based on your work has been added in [20965], thanks !

comment:20 Changed 7 years ago by beus@…

Great to see that strongswan is finally supported as package :) also nice makefile!

some remarks:

1) --with-urandom-device="$(call qstrip,$(CONFIG_STRONGSWAN4_DEVICE_RANDOM))" \
so the urandom uses the random instead of the urandom file. Norbert did this on purpose although I do not recall the exact reason.

2) You commented openssl out. I take it you have troubles compiling it? perhaps because of my next point.

3) In my dependencies I have +kmod-crypto-authenc, you do seem to have it.

4) strongswan uses enable and disable options, when using make menuconfig it is unclear whether some setting ENables or DISables the option. I assume you used tick as enable and untick as disable however lots of default options are then overwritten, see http://wiki.strongswan.org/projects/strongswan/wiki/Autoconf

5) I would really like to see a strongswan4-openssl (like minimal and full).
It should set:

  • --enable-openssl
  • --disable-aes
  • --disable-des
  • --disable-fips-prf
  • --disable-gmp
  • --disable-md5
  • --disable-sha1
  • --disable-sha2

obviously would (also) need the following enabled:

  • app-charon
  • pubkey
  • hmac
  • x509
  • xcbc
  • pubkey
  • stroke
  • updown
  • random??? Not sure what this option does... you have it at sw4-minimal.

6) The main reason to use openssl instead of GMP is the possibility to use elliptic curve cryptography, unfortunately the openwrt-package of openssl has the no-ec option in its makefile to minimize its footprint. An option with a patch that removes this no-ec option at line 77: OPENSSL_OPTIONS in package/openssl/Makefile would therefore be a welcome feature.

comment:21 Changed 7 years ago by beus@…

oh and you have a typo :)

define BuildPlugin
  define Package/strongswan4-mod-$(1)
    $$(call Package/strongswan4/Default)
    TITLE:= StronSwan $(2) plugin
    DEPENDS:= strongswan4 $(3)
  endef

in line TITLE:=

StronSwan --> StrongSwan

comment:22 Changed 7 years ago by nico

Points 1 & 3 and the typo are fixed in [21099], i also added a strongswan4-default package that should match upstream autoconf defaults.

Points 2, 5 & 6 can't be solved until we change openssl configuration, i'll look at it later...

comment:23 Changed 7 years ago by beus@…

Hey Nico,

I've been looking at your makefile again and tried to make it work with openssl and strongswan 4.4.*
To that end patches/202 needs to be removed (the patch was merged into strongswan's master) and 203 needs to point to another file (change charon into libcharon like such: +++ b/src/libcharon/plugins/uci/uci_parser.c )

I found that your makefile creates a huge set of enable and disable options passed to strongswan. Although strongswan's ./configure does not produce a not recognized error I still wonder as to whether it gets parsed ok.

Having said that my main objection is the lack of clarity in mod-settings that are enabled by default (i.e. are not set/configured) and those that are disabled by default and can be enabled.

I'll post a Makefile with my efforts. Maybe you can use this. Unfortunately it contains an error or multiple. Currently I am not able to determine where I went wrong so I'm letting this go for the moment.

4.3 autoconf options http://wiki.strongswan.org/projects/strongswan/wiki/Autoconf
4.4 autoconf options http://wiki.strongswan.org/projects/strongswan/wiki/Autoconf44

Kind regards,

Changed 7 years ago by beus@…

Attempt to make a makefile based on Nico's 4.3.6. version for 4.4.* with more options and clearer distinction between enable and disable options

comment:24 Changed 6 years ago by Beer Molleman

Please update the package to 4.6.1

Reason:
"The android plugin can now be used without the Android frontend patch and
provides DNS server registration and logging to logcat." - changelog 4.6.0
