Posted: Mon Dec 06, 2010 16:43 Post subject: IPSec client (ipsec-tools) - build
Hello everyone,
As we all know, DD-WRT supports OpenVPN and PPTP VPN. Unfortunately, due to licensing issues, it does not (and will not ever) support IPSec. IPSec is becoming more and more popular, especially within high-security environments. So why not add the support ourselves? I believe IPsec Tools (http://ipsec-tools.sourceforge.net/) is the way to go, especially as it should fit perfectly into the resources we have. Moreover, IPsec Tools is highly configurable and can be used to connect to many different IPSec implementations.
In this thread, I hope to keep a log of my efforts, and I hope some smart people around here (I know some exist in here!) can help out!
My testing platform: Asus RT-N16
Build platform: x64 (Debian 5.0) - please note, the current toolkit has been compiled for x64
UPDATE 1:
- please note, the current toolkit has been compiled for the AMD64 architecture (x64); if you are on x32, you will not be able to use the current toolchain (you can try to compile your own, however I wouldn't advise it)
- in my first attempt I tried to get Shrew VPN instead of IPSec-Tools; however, Shrew VPN apparently features only a keying daemon (the client application is currently missing), therefore the decision was made to move to IPSec-Tools
Once all the above things are downloaded:
Code:
cd linux-2.6.23
PATH=$PATH:~/toolchains/toolchain-mipsel_4.1.1_BRCM24/bin
cp .config_std .config
make menuconfig
Please note, that the path to toolchains might be different in your case (platform dependent).
If it complains about madwifi either get the madwifi drivers into place or take it out of the Kconfig script file on the line that is complaining (unless you really need the madwifi drivers in your modules).
Once that is done you can do:
Code:
make menuconfig
Here we will have to select some additional functionality as modules and compile them (Networking->Networking Options):
- PF_KEY sockets (m) (af_key.ko)
- Transformation user configuration interface (xfrm_user.ko)
- IP: AH (m) (ah4.ko)
- IP: ESP (m) (esp4.ko)
- IP: IPComp (m) (ipcomp.ko)
- IP: IPSec transport (m) (xfrm4_mode_transport.ko)
- IP: IPSec tunnel (m) (xfrm4_tunnel.ko) (xfrm4_mode_tunnel.ko)
- IP: IPSec BEET (m) (xfrm4_mode_beet.ko)
under Cryptographic API:
- Null algorithms (m) (crypto_null.ko)
- SHA256 (m) (sha256.ko)
- SHA384... (m) (sha512.ko)
Depending on your requirements, you do not have to select all of them; equally, you might want to install some other ones.
Exit with saving and execute:
Code:
make modules
If everything went OK, you might want to copy all the new .ko modules to your platform (router) and try loading them. If it fails, you might need to change the toolchain path or add some additional modules. Note that the order of loading (insmod) modules does matter.
Part2:
Download and unpack ipsec-tools. To configure/compile it, you should probably (TBC) issue:
However, most probably we will need OpenSSL. You can retrieve it from the official OpenSSL web page.
How to compile openssl (I used ver 0.9.8q):
http://www.crosscompile.org/static/pages/OpenSSL.html
using install dir: /openssl-compiled
You might also want to have flex compiled - how to compile flex:
OK, it looks like it will not work with the current kernel. The current kernel is not compiled with $(CONFIG_XFRM); this means $(CONFIG_XFRM) is missing, and it cannot be compiled as a module (to my knowledge). Who can we chase to get this option compiled in?
Could someone possibly verify this?
Code:
xfrm_user: Unknown symbol xfrm_spd_getinfo
xfrm_user: Unknown symbol __xfrm_policy_destroy
xfrm_user: Unknown symbol xfrm_state_alloc
xfrm_user: Unknown symbol xfrm_find_acq
xfrm_user: Unknown symbol xfrm_policy_byid
xfrm_user: Unknown symbol xfrm_state_lookup
xfrm_user: Unknown symbol xfrm_state_add
xfrm_user: Unknown symbol xfrm_policy_alloc
xfrm_user: Unknown symbol xfrm_policy_bysel_ctx
xfrm_user: Unknown symbol sysctl_xfrm_aevent_etime
xfrm_user: Unknown symbol __xfrm_state_destroy
xfrm_user: Unknown symbol xfrm_get_acqseq
xfrm_user: Unknown symbol xfrm_ealg_get_byname
xfrm_user: Unknown symbol xfrm_nl
xfrm_user: Unknown symbol xfrm_unregister_km
xfrm_user: Unknown symbol xfrm_state_flush
xfrm_user: Unknown symbol km_policy_expired
xfrm_user: Unknown symbol xfrm_alloc_spi
xfrm_user: Unknown symbol xfrm_aalg_get_byname
xfrm_user: Unknown symbol km_query
xfrm_user: Unknown symbol xfrm_register_km
xfrm_user: Unknown symbol km_state_notify
xfrm_user: Unknown symbol __xfrm_state_delete
xfrm_user: Unknown symbol xfrm_sad_getinfo
xfrm_user: Unknown symbol xfrm_policy_flush
xfrm_user: Unknown symbol xfrm_policy_delete
xfrm_user: Unknown symbol xfrm_cfg_mutex
xfrm_user: Unknown symbol km_state_expired
xfrm_user: Unknown symbol xfrm_policy_walk
xfrm_user: Unknown symbol xfrm_state_lookup_byaddr
xfrm_user: Unknown symbol km_policy_notify
xfrm_user: Unknown symbol sysctl_xfrm_aevent_rseqth
xfrm_user: Unknown symbol xfrm_state_update
xfrm_user: Unknown symbol xfrm_policy_insert
xfrm_user: Unknown symbol xfrm_init_state
xfrm_user: Unknown symbol xfrm_calg_get_byname
xfrm_user: Unknown symbol xfrm_find_acq_byseq
xfrm_user: Unknown symbol xfrm_state_delete
xfrm_user: Unknown symbol xfrm_state_walk
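An added check, not part of gregd72002's post and not a DD-WRT or IPsec-Tools tool, that can be run over the kernel .config before `make modules`: it confirms CONFIG_XFRM is built in (XFRM is a bool option that cannot be a module, and xfrm_user.ko resolves its xfrm_* symbols against it, which is what the Unknown symbol list above shows) and that each module selected in menuconfig is enabled. The Kconfig symbol names are assumed to be the standard 2.6 names for the listed items; the sample .config is constructed.

```shell
#!/bin/sh
# Added example: verify a kernel .config has what the IPsec module build needs.
# CONFIG_XFRM must be =y (it is a bool; xfrm_user.ko needs its symbols).
# The items selected as modules in menuconfig may be =y or =m.
# Assumed standard 2.6 Kconfig names for the menuconfig entries in the post.
MODULE_OPTS="CONFIG_NET_KEY CONFIG_XFRM_USER CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_INET_IPCOMP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL \
CONFIG_INET_XFRM_MODE_BEET CONFIG_CRYPTO_NULL CONFIG_CRYPTO_SHA256 CONFIG_CRYPTO_SHA512"

# check_ipsec_config <.config>: one line per problem, then the problem count
# on the last line (0 means the config is usable for this build).
check_ipsec_config() {
    cfg="$1"; problems=0
    if ! grep -q '^CONFIG_XFRM=y$' "$cfg"; then
        echo "CONFIG_XFRM not built in (=y): xfrm_user.ko will fail with unknown symbols"
        problems=$((problems + 1))
    fi
    for opt in $MODULE_OPTS; do
        grep -Eq "^$opt=[ym]$" "$cfg" || {
            echo "$opt missing or disabled (expected =y or =m)"
            problems=$((problems + 1))
        }
    done
    echo "$problems"
}

# count_ipsec_config_problems <.config>: only the number, for scripting.
count_ipsec_config_problems() {
    check_ipsec_config "$1" | tail -n 1
}

# Constructed sample .config mirroring the thread: XFRM left off, ESP forgotten.
write_sample_config() {
    cat > "$1" <<'EOF'
# CONFIG_XFRM is not set
CONFIG_NET_KEY=m
CONFIG_XFRM_USER=m
CONFIG_INET_AH=m
# CONFIG_INET_ESP is not set
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_CRYPTO_NULL=m
CONFIG_CRYPTO_SHA256=m
CONFIG_CRYPTO_SHA512=m
EOF
}
```

Run `check_ipsec_config /path/to/linux-2.6.23/.config` after `make menuconfig`; the sample above reports 2 problems (CONFIG_XFRM and CONFIG_INET_ESP).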
Posted: Sat Dec 11, 2010 11:51 Post subject: how to compile the kernel
Could someone point me in the right direction on how to re-compile a kernel for Broadcom?
Is it enough if I get the sources from:
svn.dd-wrt.com/DD-WRT/src/linux/brcm/linux-2.6.23
and compile it with .config_std using toolchain 3.4.6?
Having compiled it, I should be able to extract my current firmware (firmware_mod_kit), replace the kernel file and create a firmware image again, which in turn can be loaded onto my router?
gregd72002,
I seem to recall IPSec requires quite a bit bigger binaries/libraries than OpenVPN, but I have never seen any actual numbers.
Could you estimate how much flash size it would need at minimum, once compiled?
P.S. I would like to subscribe to this thread to see future progress.
Apokrif, I'd strongly advise having Optware. As long as you have Optware running, the flash size does not matter. I am not interested in creating a flash image with IPSec built in. However, this is feasible and someone else can do it.
Concerning numbers, from my estimates (currently) you need:
- CONFIG_XFRM (50 kbytes)
- Some modules (50-100 kbytes)
- executables (1.5 mbytes)
Again, it is definitely possible to trim down the numbers (especially the executables) by not compiling the full versions of everything. My guess would be that you could get everything down to roughly 800kb (cumulatively). Though, if you have Optware installed, the numbers do not matter.
gregd72002 wrote:
Apokrif, I'd strongly advise having Optware. As long as you have Optware running, the flash size does not matter. I am not interested in creating a flash image with IPSec built in. However, this is feasible and someone else can do it.
I got it.
gregd72002 wrote:
Concerning numbers, from my estimates (currently) you need:
- CONFIG_XFRM (50 kbytes)
- Some modules (50-100 kbytes)
- executables (1.5 mbytes)
Again, it is definitely possible to trim down the numbers (especially the executables) by not compiling the full versions of everything. My guess would be that you could get everything down to roughly 800kb (cumulatively). Though, if you have Optware installed, the numbers do not matter.
Wow - not bad at all - even non-stripped version will fit just fine into 8MB flash (with or without OpenVPN ;-)
gregd72002 wrote:
Anyway.. I'm still waiting for CONFIG_XFRM ... without it I am not able to continue
I’m with you.
Question to chris, eco and BS:
Guys, you compile quite many versions for different routers for every build.
Is it possible to make a few compiled kernels available for download as well, with different settings/combinations, like the $(CONFIG_XFRM) mentioned, so that guys like gregd72002 can experiment?
I’m not a kernel guy; I hope my question makes sense.
Bump for an update on this.