Make Strongswan start on a b3

From BubbaWiki

Log in as root:

# su -

Install the build tools:

# aptitude install devscripts build-essential lsb-release libncurses-dev bzip2

Let's try to install strongSwan:

# aptitude install strongswan

You will see that strongSwan cannot detect an IPsec stack, because the stock B3 kernel does not ship the NETKEY (XFRM/PF_KEY) modules it looks for:

no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
Starting strongSwan 4.4.1 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping charon start
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
starter is already running (/var/run/starter.pid exists) -- no fork done


Okay, now let's get the kernel source for the running kernel, plus the Excito B3 patches, and apply them:

# uname -a
Linux b3 2.6.38 #1 Tue Mar 22 16:27:55 CET 2011 armv5tel GNU/Linux
# cd /usr/src
# kernelversion=`uname -r`
# wget http://download.excito.net/kernel/Excito_B3/$kernelversion/linux-$kernelversion.tar.bz2
# bzip2 -d linux-$kernelversion.tar.bz2
# tar -xvf linux-$kernelversion.tar
# wget http://download.excito.net/kernel/Excito_B3/$kernelversion/excito-b3-patch-v$kernelversion.tar.gz
# tar -xvzf excito-b3-patch-v$kernelversion.tar.gz
# cd linux-$kernelversion
# patch -p1 < ../0001-Settings-for-marvell-88e1116.patch
# patch -p1 < ../0002-Marvell-reverse-led-fix.patch
# patch -p1 < ../0003-Excito-B3-config.patch
# patch -p1 < ../0004-Ath-user-regdb.patch

Make a .config from the B3 default configuration:

# make bubba3_defconfig

Edit the config and enable the two missing options, building them as modules (CONFIG_NET_KEY provides the PF_KEY socket and /proc/net/pfkey that the starter probes for; CONFIG_XFRM_USER provides the netlink interface the IKE daemon uses to install SAs and policies):

# nano .config
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m

Save the .config file, then build and install the modules:

# make modules modules_install

If the make script prompts you for anything, just press Enter to accept the default choice.


Update the module dependency list so modprobe can find the new modules:

# depmod -a
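The .config edit above can be scripted instead of done by hand in nano. The following shell snippet is an added example and is not part of the original wiki page: it sets CONFIG_XFRM_USER=m and CONFIG_NET_KEY=m in a given .config idempotently (it rewrites a "# ... is not set" line or an existing value, and appends the option if it is absent altogether), reads the values back, and checks for the NETKEY stack the same way strongSwan 4.x's starter does, by looking for /proc/net/pfkey. The function names are my own; the starter's probe path and the .config contents used in the test are the only facts it relies on.

```shell
#!/bin/sh
# Added example (not from the original wiki page): enable the two kernel
# options the B3 defconfig leaves out, without opening .config in an editor.
set -eu

# set_kconfig <.config path> <CONFIG_NAME> <value>
# Idempotent: replaces "# CONFIG_FOO is not set" or an existing
# "CONFIG_FOO=..." line; appends the option if neither form is present.
set_kconfig() {
    cfg=$1 name=$2 val=$3
    if grep -q "^# ${name} is not set\$" "$cfg" || grep -q "^${name}=" "$cfg"; then
        # Write via a temp file: the B3's sed may not support -i.
        sed -e "s|^# ${name} is not set\$|${name}=${val}|" \
            -e "s|^${name}=.*\$|${name}=${val}|" "$cfg" > "$cfg.tmp"
        mv "$cfg.tmp" "$cfg"
    else
        printf '%s=%s\n' "$name" "$val" >> "$cfg"
    fi
}

# kconfig_value <.config path> <CONFIG_NAME>: prints the value, empty if unset
kconfig_value() {
    sed -n "s|^$2=||p" "$1"
}

# enable_ipsec_modules <.config path>: the two options strongSwan's starter
# needs in order to find the NETKEY stack (netlink XFRM interface + PF_KEY).
enable_ipsec_modules() {
    set_kconfig "$1" CONFIG_XFRM_USER m
    set_kconfig "$1" CONFIG_NET_KEY m
}

# netkey_present [pfkey path]: the starter reports "netkey IPsec stack
# detected" when /proc/net/pfkey exists (it appears once af_key is loaded),
# so this is the same check. The path argument exists only for testing.
netkey_present() {
    [ -e "${1:-/proc/net/pfkey}" ]
}

# Usage: sh enable_ipsec_modules.sh /usr/src/linux-$(uname -r)/.config
if [ "$#" -eq 1 ]; then
    enable_ipsec_modules "$1"
    printf 'CONFIG_XFRM_USER=%s CONFIG_NET_KEY=%s\n' \
        "$(kconfig_value "$1" CONFIG_XFRM_USER)" \
        "$(kconfig_value "$1" CONFIG_NET_KEY)"
    if netkey_present; then
        echo "netkey IPsec stack present"
    else
        echo "netkey IPsec stack not present (modprobe af_key after modules_install)"
    fi
fi
```

Run it against the .config after make bubba3_defconfig, then continue with make modules modules_install and depmod -a as above. The netkey_present check is only meaningful on the B3 itself once the new af_key module has been loaded; the starter attempts to modprobe af_key on its own when /proc/net/pfkey is missing, so after a successful build the "no netkey IPsec stack detected" line should disappear.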


Let's try to restart ipsec (note: the module paths below depend on the kernel version this is applied to, which is why they show 2.6.35.4 rather than the 2.6.38 seen in the uname output above):

# /etc/init.d/ipsec restart
Restarting strongswan IPsec services: ipsecStopping strongSwan IPsec...
Starting strongSwan 4.4.1 IPsec [starter]...
insmod /lib/modules/2.6.35.4/kernel/net/ipv4/ah4.ko
insmod /lib/modules/2.6.35.4/kernel/net/ipv4/esp4.ko
insmod /lib/modules/2.6.35.4/kernel/net/xfrm/xfrm_ipcomp.ko
insmod /lib/modules/2.6.35.4/kernel/net/ipv4/ipcomp.ko
insmod /lib/modules/2.6.35.4/kernel/net/ipv4/tunnel4.ko
insmod /lib/modules/2.6.35.4/kernel/net/ipv4/xfrm4_tunnel.ko


Nice, that seems to work now.


Make strongSwan start after a reboot:

# update-rc.d ipsec defaults

For some reason strongSwan does not load the connection configuration at boot even though the daemons start fine.

So I added an ipsec reload to /etc/rc.local, which is run at the end of each multiuser runlevel:

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

ipsec reload

exit 0

Here is an example /etc/ipsec.conf. It runs only pluto (charonstart=no, plutostart=yes), which matches keyexchange=ikev1 on strongSwan 4.4. The aes128-sha1-modp1024 proposals were the interoperable default at the time, but SHA-1 and the 1024-bit MODP group are now considered weak, so prefer SHA-2 with modp2048 or larger if the remote gateway supports it:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        charonstart=no
        plutostart=yes
        #plutodebug=control

conn %default
        ikelifetime=60m
        keylife=60m
        rekeymargin=3m
        keyingtries=%forever
        authby=secret
        keyexchange=ikev1
        mobike=no

conn your_conn
        left=%defaultroute
        leftsubnet={your_lan}/24
        leftid={your@email.adr}
        leftfirewall=yes
        leftsourceip={b3_lanip}
        lefthostaccess=yes
        right={remote_gateway}
        rightsubnet={remote_lan}/24
        rightid={remoteid}
        auto=route
        type=tunnel
        ike=aes128-sha1-modp1024
        esp=aes128-sha1-modp1024

include /var/lib/strongswan/ipsec.conf.inc

And this is a /etc/ipsec.secrets. The PSK shown is only a placeholder: generate a long random one (for example with openssl rand -base64 32), use the same value on the remote gateway, and keep the file readable by root only:

{your@email.adr} {remoteid} : PSK "4fgdfgj76sdf3F2"

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc