Difference between revisions of "Make Strongswan start on a b3"
Jump to navigation
Jump to search
(Ipsec on B3) |
m |
||
| (8 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
Login as root : | Login as root : | ||
<pre># su -</pre> | <pre># su -</pre> | ||
Install build utils : | Install build utils : | ||
<pre># aptitude install devscripts build-essential lsb-release libncurses-dev</pre> | <pre># aptitude install devscripts build-essential lsb-release libncurses-dev bzip2</pre> | ||
Lets try to install Strongswan | Lets try to install Strongswan | ||
<pre># aptitude install strongswan</pre> | <pre># aptitude install strongswan</pre> | ||
| Line 22: | Line 20: | ||
Okay, now lets get the kernel : | Okay, now lets get the kernel : | ||
<pre># uname -a | <pre># uname -a | ||
Linux b3 2.6. | Linux b3 2.6.38 #1 Tue Mar 22 16:27:55 CET 2011 armv5tel GNU/Linux | ||
# cd /usr/src | # cd /usr/src | ||
# wget http://download.excito.net/kernel/Excito_B3/ | # kernelversion=`uname -r` | ||
# bzip2 -d linux- | # wget http://download.excito.net/kernel/Excito_B3/$kernelversion/linux-$kernelversion.tar.bz2 | ||
# tar -xvf linux- | # bzip2 -d linux-$kernelversion.tar.bz2 | ||
# cd linux- | # tar -xvf linux-$kernelversion.tar | ||
# wget http://download.excito.net/kernel/Excito_B3/$kernelversion/excito-b3-patch-v$kernelversion.tar.gz | |||
# tar -xvzf excito-b3-patch-v$kernelversion.tar.gz | |||
# cd linux-$kernelversion | |||
# patch -p1 < ../0001-Settings-for-marvell-88e1116.patch | |||
# patch -p1 < ../0002-Marvell-reverse-led-fix.patch | |||
# patch -p1 < ../0003-Excito-B3-config.patch | |||
# patch -p1 < ../0004-Ath-user-regdb.patch | |||
</pre> | </pre> | ||
Make a .config : | Make a .config : | ||
| Line 46: | Line 49: | ||
Make the modules available for modprobe : | Make the modules available for modprobe : | ||
<pre># depmod -a</pre> | <pre># depmod -a</pre> | ||
<br> Lets try to restart ipsec : | <br> Lets try to restart ipsec : (Note: the version numbers below depends on which version of the kernal that this is applied to) | ||
<pre># /etc/init.d/ipsec restart | <pre># /etc/init.d/ipsec restart | ||
Restarting strongswan IPsec services: ipsecStopping strongSwan IPsec... | Restarting strongswan IPsec services: ipsecStopping strongSwan IPsec... | ||
| Line 59: | Line 62: | ||
</pre> | </pre> | ||
Nice, that seems to work now. | Nice, that seems to work now. | ||
<br> | |||
Make strongswan startup after reboot : | |||
<pre>update-rc.d ipsec defaults | |||
</pre> | |||
For some reasons strongswan don't load the configuration even though it startup fine. | |||
So i added a ipsec reload to /etc/rc.local that gets run after each runlevel : | |||
<pre>#!/bin/sh -e | |||
# | |||
# rc.local | |||
# | |||
# This script is executed at the end of each multiuser runlevel. | |||
# Make sure that the script will "exit 0" on success or any other | |||
# value on error. | |||
# | |||
# In order to enable or disable this script just change the execution | |||
# bits. | |||
# | |||
# By default this script does nothing. | |||
ipsec reload | |||
exit 0 | |||
</pre> | |||
here is an example /etc/ipsec.conf : | |||
<pre># ipsec.conf - strongSwan IPsec configuration file | |||
# basic configuration | |||
config setup | |||
charonstart=no | |||
plutostart=yes | |||
#plutodebug=control | |||
conn %default | |||
ikelifetime=60m | |||
keylife=60m | |||
rekeymargin=3m | |||
keyingtries=%forever | |||
authby=secret | |||
keyexchange=ikev1 | |||
mobike=no | |||
conn your_conn | |||
left=%defaultroute | |||
leftsubnet={your_lan}/24 | |||
leftid={your@email.adr} | |||
leftfirewall=yes | |||
leftsourceip={b3_lanip} | |||
lefthostaccess=yes | |||
right={remote_gateway} | |||
rightsubnet={remote_lan}/24 | |||
rightid={remoteid} | |||
auto=route | |||
type=tunnel | |||
ike=aes128-sha1-modp1024 | |||
esp=aes128-sha1-modp1024 | |||
include /var/lib/strongswan/ipsec.conf.inc | |||
</pre> | |||
and this is a /etc/ipsec.secrets : | |||
<pre>{your@email.adr} {remoteid} : PSK "4fgdfgj76sdf3F2" | |||
# this file is managed with debconf and will contain the automatically created private key | |||
include /var/lib/strongswan/ipsec.secrets.inc | |||
</pre> | |||
<br> | |||
Latest revision as of 14:47, 26 November 2011
Login as root :
# su -
Install build utils :
# aptitude install devscripts build-essential lsb-release libncurses-dev bzip2
Lets try to install Strongswan
# aptitude install strongswan
You will see that strongswan has problems detecting the IPsec stack :
no netkey IPsec stack detected no KLIPS IPsec stack detected no known IPsec stack detected, ignoring! Starting strongSwan 4.4.1 IPsec [starter]... charon is already running (/var/run/charon.pid exists) -- skipping charon start no netkey IPsec stack detected no KLIPS IPsec stack detected no known IPsec stack detected, ignoring! starter is already running (/var/run/starter.pid exists) -- no fork done
Okay, now lets get the kernel :
# uname -a Linux b3 2.6.38 #1 Tue Mar 22 16:27:55 CET 2011 armv5tel GNU/Linux # cd /usr/src # kernelversion=`uname -r` # wget http://download.excito.net/kernel/Excito_B3/$kernelversion/linux-$kernelversion.tar.bz2 # bzip2 -d linux-$kernelversion.tar.bz2 # tar -xvf linux-$kernelversion.tar # wget http://download.excito.net/kernel/Excito_B3/$kernelversion/excito-b3-patch-v$kernelversion.tar.gz # tar -xvzf excito-b3-patch-v$kernelversion.tar.gz # cd linux-$kernelversion # patch -p1 < ../0001-Settings-for-marvell-88e1116.patch # patch -p1 < ../0002-Marvell-reverse-led-fix.patch # patch -p1 < ../0003-Excito-B3-config.patch # patch -p1 < ../0004-Ath-user-regdb.patch
Make a .config :
# make bubba3_defconfig
Edit the config and enable the 2 modules missing :
# nano .config CONFIG_XFRM_USER=m CONFIG_NET_KEY=m
Save the .config file and make the modules :
# make modules modules_install
If the make script prompts you for anything, just press Enter to accept the default choice.
Make the modules available for modprobe :
# depmod -a
Lets try to restart ipsec : (Note: the version numbers below depends on which version of the kernal that this is applied to)
# /etc/init.d/ipsec restart Restarting strongswan IPsec services: ipsecStopping strongSwan IPsec... Starting strongSwan 4.4.1 IPsec [starter]... insmod /lib/modules/2.6.35.4/kernel/net/ipv4/ah4.ko insmod /lib/modules/2.6.35.4/kernel/net/ipv4/esp4.ko insmod /lib/modules/2.6.35.4/kernel/net/xfrm/xfrm_ipcomp.ko insmod /lib/modules/2.6.35.4/kernel/net/ipv4/ipcomp.ko insmod /lib/modules/2.6.35.4/kernel/net/ipv4/tunnel4.ko insmod /lib/modules/2.6.35.4/kernel/net/ipv4/xfrm4_tunnel.ko
Nice, that seems to work now.
Make strongswan startup after reboot :
update-rc.d ipsec defaults
For some reasons strongswan don't load the configuration even though it startup fine.
So i added a ipsec reload to /etc/rc.local that gets run after each runlevel :
#!/bin/sh -e # # rc.local # # This script is executed at the end of each multiuser runlevel. # Make sure that the script will "exit 0" on success or any other # value on error. # # In order to enable or disable this script just change the execution # bits. # # By default this script does nothing. ipsec reload exit 0
here is an example /etc/ipsec.conf :
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
charonstart=no
plutostart=yes
#plutodebug=control
conn %default
ikelifetime=60m
keylife=60m
rekeymargin=3m
keyingtries=%forever
authby=secret
keyexchange=ikev1
mobike=no
conn your_conn
left=%defaultroute
leftsubnet={your_lan}/24
leftid={your@email.adr}
leftfirewall=yes
leftsourceip={b3_lanip}
lefthostaccess=yes
right={remote_gateway}
rightsubnet={remote_lan}/24
rightid={remoteid}
auto=route
type=tunnel
ike=aes128-sha1-modp1024
esp=aes128-sha1-modp1024
include /var/lib/strongswan/ipsec.conf.inc
and this is a /etc/ipsec.secrets :
{your@email.adr} {remoteid} : PSK "4fgdfgj76sdf3F2"
# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc