1 (edited by beus 2009-08-30 14:29:27)

Topic: StrongSwan 4.3 ikev2 (ipsec) - howto install

I'm planning on using strongSwan in combination with OpenWrt. I'm wondering if there are more enthusiasts who wish to participate.

This first post will be updated as a howto - as work progresses.

Here is what I've got until now.

== why strongSwan 4.3 with OpenWrt ==
* Openswan for 2.4 reported broken
* Openswan does not support IKEv2 and MOBIKE (bit outdated comparison though)
* strongSwan supporting 2.4 kernels (version 2.8) only supports IKEv1, not IKEv2. Version 4.3 supports IKEv1 and IKEv2.
* dd-wrt does do IPSec, as they favor OpenVPN
* IPSec allows for routing rules after it has passed the initial firewall. OpenVPN allows for (unrestricted) access to the network behind the router.

== general info ==
* IKEv2 / strongswan 4.3 does not work with kernel 2.4
* Broadcom wifi currently not supported by stable kamikaze (8.09.1), however it is supported in trunk. You might need to configure it right; see here and here

== useful links and guides ==
* this thread focuses on the installation of strongSwan in openwrt, check Building your own OpenWrt guide: http://nuwiki.openwrt.org/doc/howto/buildroot and/or http://kamikaze.openwrt.org/docs/openwrt.html for a general howto on compiling openwrt.
[s]* MIPSEL binaries available from debian package repository, dependencies are included http://packages.debian.org/sid/libstrongswan. Apparently opkg can handle these .deb files. However,  "There may be issues with some packages, concerning preinst and postinst scripts". Haven't checked it yet.[/s] Trying to install these packages gives the error: "Packages were found, but none compatible with the architerctures configured". I tried the mips and mipsel package. Guess we need to (cross)compile after all.
* x-wrt plugin? http://wiki.strongswan.org/wiki/1/IpsecXWRT


== systems ==
tested on Linksys WRT54GS 1.1

2 (edited by beus 2009-09-22 15:06:13)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Step 1 -- Installing the build environment

! To build your own firmware you need access to a Linux, BSD or MacOSX system. !

Follow the 'Building your own OpenWrt guide': http://nuwiki.openwrt.org/doc/howto/buildroot / https://dev.openwrt.org/wiki/GetSource
in short:

1.1 open a console and run

svn co svn://svn.openwrt.org/openwrt/trunk/

this will create a trunk directory in the dir you ran the command in.

1.2 go into the trunk dir

cd trunk

1.3 You need to have installed gcc, binutils, patch, bzip2, flex, bison, make, gettext, pkg-config, unzip, libz-dev and libc headers.
The build system checks for the requirements and prints what's missing on your system. Then install the packages.
To manually check the prerequisites run

make prereq

Step 2 -- download the strongSwan package

2.1 download it from https://dev.openwrt.org/ticket/2538
for the trunk version this can be done using the following command. Please check above url for a possible update to this.

cd package
wget --no-check-certificate https://dev.openwrt.org/raw-attachment/ticket/2538/strongswan-4.2.17.1.tar

2.2 untar the file; as you are already in the package directory it will untar into the right place.

tar -xvvf strongswan-4.2.17.1.tar
cd ..

2.3 If you did not already untar the strongSwan package into the trunk/package directory, copy or link the untarred directory into your trunk/package dir. replace ~ with your installdir, in my case my home.

mv package_strongswan-4.2.17.1 ~/trunk/package

2.4 Running make menuconfig will now include the strongswan option under the network section, provided that you have selected a 2.6 kernel build.

Step 3 -- do some scripts magic

/todo package options, see Norbert's post below

scripts/feeds update
scripts/feeds install libgmp
scripts/feeds install strace
scripts/feeds install openssl

Notes:
* If you want Elliptic Curve Cryptography you need to remove the no-ec options in trunk/package/openssl/Makefile
You can edit the makefile using any editor.
* I edited the package-strongswan-4.2.17.1 Makefile and Config.in to allow selection of openssl.
Add in Config.in:

# --enable-openssl >> Requires libcrypto.so.0.9.8.
config STRONGSWAN_ENABLE_OPENSSL
        bool
        prompt "Enable the OpenSSL crypto plugin."
        default y
        select PACKAGE_libopenssl
        help
                Enables the OpenSSL crypto plugin (default Yes).
                StrongSwan: enable the OpenSSL crypto plugin [ no ]. Requires libcrypto.so.0.9.8.

Add in Makefile along with the other similar lines:

  $(if $(CONFIG_STRONGSWAN_ENABLE_OPENSSL),--enable-openssl) \

I also changed the urandom config part in the Makefile to the following:

$(if $(CONFIG_STRONGSWAN_WITH_URANDOM_DEVICE),--with-urandom-device=$(CONFIG_STRONGSWAN_DEVICE_URANDOM)) \

Step 4 -- configure your build

make menuconfig

select the right package (i.e. 2.6 kernel).

Step 5 -- compile
Run the command

make

Grab a cup of coffee, this will take a while... Especially the first time or after a 'make clean'. The complete build takes about 1 to 2 hours on a 2.8GHz Celeron machine and about 20 minutes using one core2duo 6600 @2.4GHz (using a single core). Using both cores -- 'make -j 3' -- breaks on some packages, though several minutes can be gained by using 'make -j 3 || make'.

Step 6 -- flash your WRT device.
The trunk/bin directory now contains several .bin files and a .trx file.

If you have not before installed an open source wrt on your device use the corresponding .bin file.
If you previously installed an open source wrt, you can use the trx file.
The bin file is basically the trx file with extra headers so that your device with oem software will run them.

You can also run the command from the prompt; first download the image using wget, then install using mtd.
wget img-url -O /tmp/firmware.trx
mtd -r write /tmp/firmware.trx linux

Step 7 -- installing strongSwan
You now have compiled and installed openWRT, yet you still need to install the strongSwan package.

The /trunk/bin/packages now contains a directory (in my case 'brcm47xx_uClibc-0.9.30.1') containing compiled packages.
7.1 You can copy these to your device and run them --
/todo howto

7.1 You can also copy this directory to a webserver (this was easier in my case) and add a rule to /etc/opkg.conf pointing at your server/path/to/directory/with/packages e.g., www.someserver.eu/openwrt/mypackages
you can easily append a line to opkg.conf by opening a console to your device

echo src/gz MyWRT http://www.someserver.eu/openwrt/mypackages >> /etc/opkg.conf
opkg update

7.2 now install the packages

opkg install libgmp
opkg install kmod-crypto-*
opkg install kmod-ipsec*
opkg install strongswan

Which in my case came down to:

opkg install libopenssl
opkg install libgmp
opkg install kmod-crypto-aes
opkg install kmod-crypto-arc4
opkg install kmod-crypto-authenc
opkg install kmod-crypto-core
opkg install kmod-crypto-des
opkg install kmod-crypto-hmac
opkg install kmod-crypto-md5
opkg install kmod-crypto-misc
opkg install kmod-crypto-sha1
opkg install kmod-ipsec
opkg install kmod-ipsec4
opkg install strongswan

where libgmp and kmod-crypto-misc can be omitted when not enabled.


To enable a gui on the router either install luci or webif²

opkg install luci-admin-full
opkg install luci-theme-openwrt

or

opkg install webif
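Two pre-flight checks for steps 6 and 7, added here as an example script that is not part of the thread or of OpenWrt: `trx_check` refuses to hand an image to `mtd` unless it carries the TRX magic and a header length consistent with the file (a truncated download is the usual way to brick a WRT at this step), and `add_opkg_feed` appends the `src/gz` line only once, so rerunning the setup never duplicates it. It assumes the Broadcom TRX layout ("HDR0" magic, 28-byte header, little-endian 32-bit total length at offset 4); the sample image it builds is constructed, and the feed URL is the placeholder from the post.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): checks to run before
# "mtd -r write /tmp/firmware.trx linux" and before "opkg update".

# trx_check FILE: return 0 if FILE starts with the TRX magic "HDR0" and the
# total-length field in its header does not exceed the real file size.
trx_check() {
    f=$1
    [ -r "$f" ] || { echo "trx_check: cannot read $f" >&2; return 1; }
    file_len=$(wc -c < "$f" | tr -d ' ')
    if [ "$file_len" -lt 28 ]; then
        echo "trx_check: $f is shorter than a TRX header" >&2
        return 1
    fi
    # od -c prints the bytes as characters; "HDR0" is the TRX magic.
    magic=$(od -An -c -N 4 "$f" | tr -d ' \n')
    if [ "$magic" != "HDR0" ]; then
        echo "trx_check: $f has no TRX magic (found '$magic')" >&2
        return 1
    fi
    # Read the four length bytes individually and assemble them little-endian,
    # so the check does not depend on the build host's byte order.
    set -- $(od -An -t u1 -j 4 -N 4 "$f")
    hdr_len=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
    if [ "$hdr_len" -lt 28 ] || [ "$hdr_len" -gt "$file_len" ]; then
        echo "trx_check: header claims $hdr_len bytes but file has $file_len" >&2
        return 1
    fi
    echo "trx_check: $f looks like a TRX image of $hdr_len bytes"
}

# add_opkg_feed CONF NAME URL: append "src/gz NAME URL" to CONF unless a line
# for that URL is already present (plain ">>" duplicates it on every rerun).
add_opkg_feed() {
    conf=$1; name=$2; url=$3
    if [ -f "$conf" ] && grep -q -F -- "$url" "$conf"; then
        echo "add_opkg_feed: $url already listed in $conf"
        return 0
    fi
    printf 'src/gz %s %s\n' "$name" "$url" >> "$conf"
}

# make_sample_trx OUT: constructed 64-byte stand-in for a real image:
# "HDR0", length 64 (0x40) little-endian, then zeroed header fields and padding.
make_sample_trx() {
    out=$1
    printf 'HDR0\100\000\000\000' > "$out"
    dd if=/dev/zero bs=1 count=56 2>/dev/null >> "$out"
}

# Offline demo on constructed data. On the router you would run
#   trx_check /tmp/firmware.trx && mtd -r write /tmp/firmware.trx linux
# and
#   add_opkg_feed /etc/opkg.conf MyWRT http://www.someserver.eu/openwrt/mypackages && opkg update
tmp=$(mktemp -d)
make_sample_trx "$tmp/sample.trx"
trx_check "$tmp/sample.trx"
add_opkg_feed "$tmp/opkg.conf" MyWRT http://www.someserver.eu/openwrt/mypackages
add_opkg_feed "$tmp/opkg.conf" MyWRT http://www.someserver.eu/openwrt/mypackages
cat "$tmp/opkg.conf"
rm -rf "$tmp"
```

The header check only catches truncated or wrong-format files; it does not verify the CRC32 that the TRX header also carries, so a flipped bit inside the payload still passes. Run it in addition to, not instead of, comparing the image's checksum with the one your build produced.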

3 (edited by aport 2009-08-18 18:26:22)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Does StrongSwan support manual keys, ie, not through IKE? I know manual keying is a security risk but for some reason people still want to do it.

If so I would be delighted to help out with this project.

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

aport wrote:

Does StrongSwan support manual keys, ie, not through IKE?

I'm not sure I follow. By manual keys, do you mean x.509 certificates, RSA keys or perhaps even username+password?

Googling showed that FreeS/WAN supports it, and strongSwan is based on the discontinued FreeS/WAN, so I would reckon so...

Perhaps you should try it out first on a regular unix computer; distributions are available for debian, openSUSE, ubuntu and gentoo, making installation a piece of cake compared to setting it up on a WRT device.

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

beus wrote:
aport wrote:

Does StrongSwan support manual keys, ie, not through IKE?

I'm not sure I follow. By manual keys, do you mean x.509 certificates, RSA keys or perhaps even username+password?

Googling showed that FreeS/WAN supports it, and strongSwan is based on the discontinued FreeS/WAN, so I would reckon so...

Perhaps you should try it out first on a regular unix computer; distributions are available for debian, openSUSE, ubuntu and gentoo, making installation a piece of cake compared to setting it up on a WRT device.

I'll try it out on my own machine. For IPsec there are two keying methods: Manual and IKE. IKE is what most people use, also known as automatic keying. IKE ensures that the keying is encrypted itself, though IKE tends to send lots of data through the tunnels at given intervals which on large networks can start to be quite "chatty." Manual keying doesn't use IKE... think static IP instead of DHCP. The keying isn't encrypted so potentially when the tunnels are being established someone could grab your encryption hashes and just decrypt all traffic through the tunnel. Pretty low chance though.

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

see https://dev.openwrt.org/ticket/2538

7 (edited by beus 2009-09-02 13:55:18)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Looks very promising!

compiling it now.

Took me some time to figure out, but here is a mini how-to.
1. follow the link above, download the appropriate package tar.
2. checkout the version you wish to compile. (see https://dev.openwrt.org/wiki/GetSource)
3. untar the package under step 1 into the checkoutdir/package folder
4. run make menuconfig from the checkoutdir folder, select 2.6 kernel.
--skip-able
5. It now is available under section 'network.', where you can change several compile options.
--end skip-able ---
5. run make from the checkoutdir folder.

<< 6. Get it to compile without errors >>
<< 7. figure out how-to install to device >>

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Cannot seem to get it to compile, apparently GMP is missing.

tried installing it using.
sudo apt-get install gmp-devel
sudo apt-get install zlib1g-dev libbz2-dev

using the kamikaze checkout, with no alterations other than those described above.

Insights are greatly appreciated.

make[3]: Entering directory `/home/beus/8.09/package/package_strongswan-4.2.14.2'
(cd /home/beus/8.09/build_dir/mipsel/strongswan-4.2.14/./; if [ -x ./configure ]; then /usr/bin/find /home/beus/8.09/build_dir/mipsel/strongswan-4.2.14/ -name config.guess | xargs -r chmod u+w; /usr/bin/find /home/beus/8.09/build_dir/mipsel/strongswan-4.2.14/ -name config.guess | xargs -r -n1 cp /home/beus/8.09/scripts/config.guess; /usr/bin/find /home/beus/8.09/build_dir/mipsel/strongswan-4.2.14/ -name config.sub | xargs -r chmod u+w; /usr/bin/find /home/beus/8.09/build_dir/mipsel/strongswan-4.2.14/ -name config.sub | xargs -r -n1 cp /home/beus/8.09/scripts/config.sub; AR=mipsel-linux-uclibc-ar AS="mipsel-linux-uclibc-gcc -c -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts" LD=mipsel-linux-uclibc-ld NM=mipsel-linux-uclibc-nm CC="mipsel-linux-uclibc-gcc" GCC="mipsel-linux-uclibc-gcc" CXX="mipsel-linux-uclibc-g++" RANLIB=mipsel-linux-uclibc-ranlib STRIP=mipsel-linux-uclibc-strip OBJCOPY=mipsel-linux-uclibc-objcopy OBJDUMP=mipsel-linux-uclibc-objdump SIZE=mipsel-linux-uclibc-size CFLAGS="-Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts " CXXFLAGS="-Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts " CPPFLAGS="-I/home/beus/8.09/staging_dir/mipsel/usr/include -I/home/beus/8.09/staging_dir/mipsel/include " LDFLAGS="-L/home/beus/8.09/staging_dir/toolchain-mipsel_gcc4.1.2/lib -L/home/beus/8.09/staging_dir/mipsel/usr/lib -L/home/beus/8.09/staging_dir/mipsel/lib " PKG_CONFIG_PATH="/home/beus/8.09/staging_dir/mipsel/usr/lib/pkgconfig:/home/beus/8.09/staging_dir/host/usr/lib/pkgconfig" PKG_CONFIG_LIBDIR="/home/beus/8.09/staging_dir/mipsel/usr/lib/pkgconfig"  ./configure --target=mipsel-linux --host=mipsel-linux --build=i486-linux-gnu --program-prefix="" --program-suffix="" --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/share --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls  --with-random-device="/dev/random" 
--with-random-device="/dev/random"      --disable-des --disable-md5   --disable-fips-prf         --disable-pluto  --disable-tools --with-routing-table="220" --disable-static ; fi; )
configure: loading site script /home/beus/8.09/include/site/mipsel-linux-uclibc
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for mipsel-linux-strip... mipsel-linux-uclibc-strip
checking how to create a ustar tar archive... gnutar
checking for style of include used by make... GNU
checking for mipsel-linux-gcc... mipsel-linux-uclibc-gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... yes
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether mipsel-linux-uclibc-gcc accepts -g... yes
checking for mipsel-linux-uclibc-gcc option to accept ISO C89... none needed
checking dependency style of mipsel-linux-uclibc-gcc... gcc3
checking how to run the C preprocessor... mipsel-linux-uclibc-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... (cached) no
checking pkg-config is at least version 0.9.0... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking build system type... i486-pc-linux-gnu
checking host system type... mipsel-unknown-linux-gnu
checking for a sed that does not truncate output... /home/beus/8.09/staging_dir/host/bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by mipsel-linux-uclibc-gcc... mipsel-linux-uclibc-ld
checking if the linker (mipsel-linux-uclibc-ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... mipsel-linux-uclibc-nm
checking the name lister (mipsel-linux-uclibc-nm) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 805306365
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking for mipsel-linux-uclibc-ld option to reload object files... -r
checking how to recognize dependent libraries... pass_all
checking for mipsel-linux-ar... mipsel-linux-uclibc-ar
checking for mipsel-linux-strip... (cached) mipsel-linux-uclibc-strip
checking for mipsel-linux-ranlib... mipsel-linux-uclibc-ranlib
checking command to parse mipsel-linux-uclibc-nm output from mipsel-linux-uclibc-gcc object... ok
checking for dlfcn.h... yes
checking for objdir... .libs
checking if mipsel-linux-uclibc-gcc supports -fno-rtti -fno-exceptions... no
checking for mipsel-linux-uclibc-gcc option to produce PIC... -fPIC -DPIC
checking if mipsel-linux-uclibc-gcc PIC flag -fPIC -DPIC works... yes
checking if mipsel-linux-uclibc-gcc static flag -static works... yes
checking if mipsel-linux-uclibc-gcc supports -c -o file.o... yes
checking if mipsel-linux-uclibc-gcc supports -c -o file.o... (cached) yes
checking whether the mipsel-linux-uclibc-gcc linker (mipsel-linux-uclibc-ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... none needed
checking whether yytext is a pointer... no
checking for bison... bison -y
checking for mipsel-linux-gcc... (cached) mipsel-linux-uclibc-gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether mipsel-linux-uclibc-gcc accepts -g... (cached) yes
checking for mipsel-linux-uclibc-gcc option to accept ISO C89... (cached) none needed
checking dependency style of mipsel-linux-uclibc-gcc... (cached) gcc3
checking for gperf... no
checking for perl... /usr/bin/perl
checking for main in -ldl... yes
checking for backtrace... no
checking for dladdr... yes
checking for gcc atomic operations... no
checking for register_printf_function... yes
checking for main in -lgmp... no
configure: error: GNU Multi Precision library gmp not found
make[3]: *** [/home/beus/8.09/build_dir/mipsel/strongswan-4.2.14/.configured] Error 1
make[3]: Leaving directory `/home/beus/8.09/package/package_strongswan-4.2.14.2'
make[2]: *** [package/package_strongswan-4.2.14.2/compile] Error 2
make[2]: Leaving directory `/home/beus/8.09'
make[1]: *** [/home/beus/8.09/staging_dir/mipsel/stamp/.package_compile] Error 2
make[1]: Leaving directory `/home/beus/8.09'
make: *** [world] Error 2
beus@althor:~/8.09$

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Think easy - it's OpenWRT and not your local system...

1) https://dev.openwrt.org/wiki/GetSource:
svn co svn://svn.openwrt.org/openwrt/branches/8.09
or use the trunk

2) I moved trunk to openwrt_trunk_brcm47xx

3) set up feeds.conf:
src-svn packages svn://svn.openwrt.org/openwrt/packages
src-svn luci http://svn.luci.subsignal.org/luci/branches/luci-0.9/contrib/package

4) my additional packages - only libgmp and strace are important:
scripts/feeds update
scripts/feeds install nano
scripts/feeds install ntpclient
scripts/feeds install usbutils
scripts/feeds install pciutils
scripts/feeds install speedtouch-usb-firmware
scripts/feeds install fetchmail
scripts/feeds install ssmtp
scripts/feeds install atftp
scripts/feeds install ddns-scripts
scripts/feeds install maradns
scripts/feeds install openntpd
scripts/feeds install strace
scripts/feeds install libgmp
scripts/feeds install libmysqlclient
scripts/feeds install libpq
scripts/feeds install libsqlite2
scripts/feeds install bluez-libs
scripts/feeds install uclibcxx
scripts/feeds install libspeex
scripts/feeds install libcurl
scripts/feeds install libxml2
scripts/feeds install libnetsnmp
scripts/feeds install ethtool
scripts/feeds install vnstat

scripts/feeds install libpopt

scripts/feeds install luci-httpd
scripts/feeds install luci-http
scripts/feeds install luci-core
scripts/feeds install luci-i18n-english
scripts/feeds install luci-i18n-german
scripts/feeds install luci-theme-openwrt
scripts/feeds install luci-admin-full
scripts/feeds install luci-app-ddns
scripts/feeds install luci-app-firewall
scripts/feeds install luci-app-initmgr
scripts/feeds install luci-app-ntpc
scripts/feeds install luci-app-qos

5) copy or better link strongswan in the package folder

6) configure and build image with your settings

10 (edited by beus 2010-01-14 14:02:52)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Thanks! That really helped. Doing some compile runs now; it looks like the following commands do the trick for me

scripts/feeds update
scripts/feeds install libgmp
scripts/feeds install strace

Next up, figuring out how not to brick my wrt. I suppose that I cannot simply install the latest snapshot and install the strongSwan package I compiled  on that?

*edit
It turns out that you do not need libgmp if you select the option 'disable own gmp implementation'.
I have not determined whether this can also be done when the 'enable openssl plugin' is not selected. Of course scripts/feeds install openssl is required when using the openssl library.

*edit
Taken from http://gmplib.org/:

GMP is a free library for arbitrary precision arithmetic, operating on signed integers, rational numbers, and floating point numbers. There is no practical limit to the precision except the ones implied by the available memory in the machine GMP runs on. GMP has a rich set of functions, and the functions have a regular interface.

The main target applications for GMP are cryptography applications and research, Internet security applications, algebra systems, computational algebra research, etc.

GMP is carefully designed to be as fast as possible, both for small operands and for huge operands. The speed is achieved by using fullwords as the basic arithmetic type, by using fast algorithms, with highly optimised assembly code for the most common inner loops for a lot of CPUs, and by a general emphasis on speed.

GMP is faster than any other bignum library. The advantage for GMP increases with the operand sizes for many operations, since GMP uses asymptotically faster algorithms.

It relates to strongSwan in that strongSwan uses the libgmp plugin for cryptographic computations. As openssl does not link to libgmp (due to licensing issues), it stands to reason to use either openssl or libgmp. So if you don't use openssl, do not disable libgmp!

According to the autoconf options for strongswan 4.3.* only EAP AKA 3GPP2 requires libgmp, which is disabled by default. So you can disable the libgmp plugin when you use openssl and do not use 3GPP2.

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Better use <trunk>/bin/openwrt-wrt54gs-squashfs.bin

You should have a serial console to see what happens on the router. If the image is working, copy the packages libgmp, kmod-crypt*, kmod-ipsec* and strongswan to the router and install all. opkg -test install strongswan-??.ipk shows the needed packages.

12 (edited by beus 2009-08-31 09:13:14)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

seems to install properly...

you did not by chance include a GUI for setting up IPsec did you? (that would really make my day, which btw you already did wink)
perhaps some inspiration: http://wiki.strongswan.org/wiki/1/IpsecXWRT

I'm gonna figure out how IPsec is configured first thing tomorrow. Perhaps even try to make a x-wrt install out of all of the above.

Regards,

Beus

/edit typos

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

trying to get the hang of IPsec/strongSwan, found http://wiki.strongswan.org/wiki/strongswan/UserDocumentation to be useful.

However, was wondering if the following is how it should be:

root@OpenWrt:/# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
insmod: cannot insert 'ah4': File exists
insmod: cannot insert 'esp4': File exists
insmod: cannot insert 'ipcomp': unknown symbol in module, or unknown parameter
insmod: cannot insert 'xfrm4_tunnel': File exists
insmod: cannot insert 'xfrm_user': File exists

Extra info:

root@OpenWrt:/# ipsec statusall
Performance:
  uptime: 5 seconds, since Aug 30 14:44:31 2009
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
  loaded plugins: aes sha1 sha2 random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown
Listening IP addresses:
  192.168.1.19
  192.168.2.1
Connections:
Security Associations:
  none

Well this looks good big_smile, it has aes, sha2, x509, pubkey and hmac..

more info:

root@OpenWrt:/# ipsec listalgs

List of registered IKEv2 Algorithms:

  encryption: AES_CBC
  integrity:  AES_XCBC_96 HMAC_SHA1_96 AUTH_HMAC_SHA1_128 AUTH_HMAC_SHA2_256_128 HMAC_MD5_96 (1026) AUTH_HMAC_SHA2_384_192 AUTH_HMAC_SHA2_512_256
  hasher:     HASH_SHA1 HASH_SHA256 HASH_SHA384 HASH_SHA512
  prf:        PRF_KEYED_SHA1 PRF_AES128_CBC PRF_HMAC_SHA2_256 PRF_HMAC_SHA1 PRF_HMAC_MD5 PRF_HMAC_SHA2_384 PRF_HMAC_SHA2_512
  dh-group:   MODP_2048_BIT MODP_1536_BIT MODP_3072_BIT MODP_4096_BIT MODP_6144_BIT MODP_8192_BIT MODP_1024_BIT MODP_768_BIT

I want to use ECDH (elliptic curve Diffie-Hellman), but lets take things one step at a time.

14 (edited by beus 2009-09-24 13:08:41)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Trying to get it to compile with the --enable-openssl option for ECC, however I seem to run into a problem.

checking for main in -lcrypto... no
configure: error: OpenSSL crypto library not found
make[3]: *** [/home/beus/openwrt/trunk-4.2.17.3/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/.configured_] Error 1

I traced it to some Config.in file that contains:

if test x$openssl = xtrue; then

      AC_HAVE_LIBRARY([crypto],[LIBS="$LIBS"],[AC_MSG_ERROR([OpenSSL crypto library not found])])

      AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])

fi

I have yet to figure out which scripts/feeds install package I need, or which option I need to turn on in make menuconfig.

Did manage to figure out that the default openssl package had ECC disabled.
Enable them by removing the 'no-ec' options in package/openssl/Makefile.

Also if you enable the 'enable the openssl crypto plugin' option in strongSwan (using make menuconfig, I altered the Config.in and Makefile files) you can enable the 'disable own GNU MP (libgmp) based crypto implementation plugin'.
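An added example for the openssl Makefile edit mentioned in this post and in step 3 of the howto above, not code from the thread or from OpenWrt: it drops the `no-ec`, `no-ecdh` and `no-ecdsa` options as whole words only (a plain `sed 's/no-ec//g'` would also turn `no-ecdh` into `dh` and `no-ecdsa` into `dsa`), and leaves every other line byte-for-byte intact so tab-indented recipe lines survive. The option lines it edits are a constructed sample standing in for the real `package/openssl/Makefile`; that the file also carries `no-ecdh` and `no-ecdsa` is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): enable EC support in a
# copy of package/openssl/Makefile by removing the EC-related "no-*" options.

# Constructed sample standing in for the real option lines (assumption).
SAMPLE_MAKEFILE='OPENSSL_NO_CIPHERS:= no-idea no-md2 no-mdc2 no-rc5 no-sha0 no-smime no-rmd160 no-aes192 no-ecdh no-ec no-ecdsa
OPENSSL_OPTIONS:= shared no-err no-hw zlib-dynamic no-sse2'

# enable_ec FILE: rewrite FILE in place without no-ec, no-ecdh and no-ecdsa.
enable_ec() {
    f=$1
    awk '
        # Lines without an EC option as a whole word pass through untouched,
        # which keeps the leading tab of Makefile recipe lines.
        $0 !~ /(^|[ \t])no-ec(dh|dsa)?([ \t]|$)/ { print; next }
        {
            match($0, /^[ \t]*/)
            prefix = substr($0, 1, RLENGTH)   # original indentation
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "no-ec" || $i == "no-ecdh" || $i == "no-ecdsa") continue
                out = out (out == "" ? "" : " ") $i
            }
            print prefix out
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# ec_options_left FILE: count the EC-disabling options still present (0 when done).
ec_options_left() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "no-ec" || $i == "no-ecdh" || $i == "no-ecdsa") n++ }
         END { print n + 0 }' "$1"
}

# Offline demo on the constructed sample; for the real thing run
#   enable_ec trunk/package/openssl/Makefile
# and rebuild openssl before strongSwan.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_MAKEFILE" > "$tmp/Makefile"
printf '\techo a recipe line that must keep its tab\n' >> "$tmp/Makefile"
echo "EC options before: $(ec_options_left "$tmp/Makefile")"
enable_ec "$tmp/Makefile"
echo "EC options after:  $(ec_options_left "$tmp/Makefile")"
cat "$tmp/Makefile"
rm -rf "$tmp"
```

After the edit, confirm the result on the router rather than trusting the build: `ipsec listalgs` should list ECP groups under dh-group once the openssl plugin is loaded; if it still shows only MODP groups, the package was built from the unedited Makefile.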

15 (edited by beus 2009-09-10 12:40:11)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Compiling the strongswan package as described above with the added option of '--enable-uci' crashes.

make[3]: Entering directory `/local/wsjanwillem/package_strongswan-4.2.17.5'
(cd /local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/stron
gswan-4.2.17/./; if [ -x ./configure ]; then /usr/bin/find /local/wsjanwillem/tr
unk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ -name confi
g.guess | xargs -r chmod u+w; /usr/bin/find /local/wsjanwillem/trunk.4.2.x/build
_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ -name config.guess | xargs
 -r -n1 cp /local/wsjanwillem/trunk.4.2.x/scripts/config.guess; /usr/bin/find /l
ocal/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-
4.2.17/ -name config.sub | xargs -r chmod u+w; /usr/bin/find /local/wsjanwillem/
trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ -name con
fig.sub | xargs -r -n1 cp /local/wsjanwillem/trunk.4.2.x/scripts/config.sub; AR=
mipsel-openwrt-linux-uclibc-ar AS="mipsel-openwrt-linux-uclibc-gcc -c -Os -pipe
-mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float" LD=mipsel-op
enwrt-linux-uclibc-ld NM=mipsel-openwrt-linux-uclibc-nm CC="mipsel-openwrt-linux
-uclibc-gcc" GCC="mipsel-openwrt-linux-uclibc-gcc" CXX="mipsel-openwrt-linux-ucl
ibc-g++" RANLIB=mipsel-openwrt-linux-uclibc-ranlib STRIP=mipsel-openwrt-linux-uc
libc-strip OBJCOPY=mipsel-openwrt-linux-uclibc-objcopy OBJDUMP=mipsel-openwrt-li
nux-uclibc-objdump SIZE=mipsel-openwrt-linux-uclibc-size CFLAGS="-Os -pipe -mips
32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float " CXXFLAGS="-Os -p
ipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float " CPPFLAG
S="-I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/us
r/include -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.
30.1/include " LDFLAGS="-L/local/wsjanwillem/trunk.4.2.x/staging_dir/toolchain-m
ipsel_gcc-4.1.2_uClibc-0.9.30.1/usr/lib -L/local/wsjanwillem/trunk.4.2.x/staging
_dir/toolchain-mipsel_gcc-4.1.2_uClibc-0.9.30.1/lib -L/local/wsjanwillem/trunk.4
.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/lib -L/local/wsjanwillem/trun
k.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/lib "   ./configure --target=m
ipsel-openwrt-linux --host=mipsel-openwrt-linux --build=i486-linux-gnu --program
-prefix="" --program-suffix="" --prefix=/usr --exec-prefix=/usr --bindir=/usr/bi
n --sbindir=/usr/sbin --libexecdir=/usr/lib --sysconfdir=/etc --datadir=/usr/sha
re --localstatedir=/var --mandir=/usr/man --infodir=/usr/info --disable-nls  --d
isable-ipv6   --with-urandom-device=   --disable-des --disable-fips-prf   --disa
ble-md5 --disable-pluto       --disable-tools
     --enable-uci  --with-routing-table="220" --disable-static ; fi; )
configure: WARNING: unrecognized options: --disable-nls, --disable-ipv6
configure: loading site script /local/wsjanwillem/trunk.4.2.x/include/site/mipsel-openwrt-linux-uclibc
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for mipsel-openwrt-linux-strip... mipsel-openwrt-linux-uclibc-strip
checking how to create a ustar tar archive... gnutar
checking for style of include used by make... GNU
checking for mipsel-openwrt-linux-gcc... mipsel-openwrt-linux-uclibc-gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... yes
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether mipsel-openwrt-linux-uclibc-gcc accepts -g... yes
checking for mipsel-openwrt-linux-uclibc-gcc option to accept ISO C89... none needed
checking dependency style of mipsel-openwrt-linux-uclibc-gcc... gcc3
checking how to run the C preprocessor... mipsel-openwrt-linux-uclibc-gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... (cached) no
checking pkg-config is at least version 0.9.0... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking build system type... i486-pc-linux-gnu
checking host system type... mipsel-openwrt-linux-gnu
checking for a sed that does not truncate output... /local/wsjanwillem/trunk.4.2.x/staging_dir/host/bin/sed
checking for fgrep... /bin/grep -F
checking for ld used by mipsel-openwrt-linux-uclibc-gcc... mipsel-openwrt-linux-uclibc-ld
checking if the linker (mipsel-openwrt-linux-uclibc-ld) is GNU ld... yes
checking for BSD- or MS-compatible name lister (nm)... mipsel-openwrt-linux-uclibc-nm
checking the name lister (mipsel-openwrt-linux-uclibc-nm) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 98304
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking for mipsel-openwrt-linux-uclibc-ld option to reload object files... -r
checking for mipsel-openwrt-linux-objdump... mipsel-openwrt-linux-uclibc-objdump
checking how to recognize dependent libraries... pass_all
checking for mipsel-openwrt-linux-ar... mipsel-openwrt-linux-uclibc-ar
checking for mipsel-openwrt-linux-strip... (cached) mipsel-openwrt-linux-uclibc-strip
checking for mipsel-openwrt-linux-ranlib... mipsel-openwrt-linux-uclibc-ranlib
checking command to parse mipsel-openwrt-linux-uclibc-nm output from mipsel-openwrt-linux-uclibc-gcc object... ok
checking for dlfcn.h... yes
checking for objdir... .libs
checking if mipsel-openwrt-linux-uclibc-gcc supports -fno-rtti -fno-exceptions... no
checking for mipsel-openwrt-linux-uclibc-gcc option to produce PIC... -fPIC -DPIC
checking if mipsel-openwrt-linux-uclibc-gcc PIC flag -fPIC -DPIC works... yes
checking if mipsel-openwrt-linux-uclibc-gcc static flag -static works... yes
checking if mipsel-openwrt-linux-uclibc-gcc supports -c -o file.o... yes
checking if mipsel-openwrt-linux-uclibc-gcc supports -c -o file.o... (cached) yes
checking whether the mipsel-openwrt-linux-uclibc-gcc linker (mipsel-openwrt-linux-uclibc-ld) supports shared libraries... yes
checking whether -lc should be explicitly linked in... no
checking dynamic linker characteristics... GNU/Linux ld.so
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
checking for flex... flex
checking lex output file root... lex.yy
checking lex library... none needed
checking whether yytext is a pointer... no
checking for bison... bison -y
checking for mipsel-openwrt-linux-gcc... (cached) mipsel-openwrt-linux-uclibc-gcc
checking whether we are using the GNU C compiler... (cached) yes
checking whether mipsel-openwrt-linux-uclibc-gcc accepts -g... (cached) yes
checking for mipsel-openwrt-linux-uclibc-gcc option to accept ISO C89... (cached) none needed
checking dependency style of mipsel-openwrt-linux-uclibc-gcc... (cached) gcc3
checking for gperf... no
checking for perl... /usr/bin/perl
checking for main in -ldl... yes
checking for backtrace... no
checking for dladdr... yes
checking for gcc atomic operations... no
checking for register_printf_function... yes
checking for main in -lgmp... yes
checking gmp.h version >= 4.1.4... yes
checking for main in -luci... no
configure: error: UCI library libuci not found
make[3]: *** [/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/.configured_] Error 1
make[3]: Leaving directory `/local/wsjanwillem/package_strongswan-4.2.17.5'
make[2]: *** [package/package_strongswan-4.2.17.5/compile] Error 2
make[2]: Leaving directory `/local/wsjanwillem/trunk.4.2.x'
make[1]: *** [/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/stamp/.package_compile] Error 2
make[1]: Leaving directory `/local/wsjanwillem/trunk.4.2.x'
make: *** [world] Error 2

Traced this to the Config.in file stating:

AC_ARG_ENABLE(
      [uci],
      AS_HELP_STRING([--enable-uci],[enable OpenWRT UCI configuration plugin (default is NO).]),
      [if test x$enableval = xyes; then
             uci=true
      fi]
) 
...
if test x$uci = xtrue; then

      AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])])

      AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])

fi 
...
AM_CONDITIONAL(USE_UCI, test x$uci = xtrue)
...
src/charon/plugins/uci/Makefile

At the time of writing I have no clue which kernel option or package is missing to make this compile work. PACKAGE_libuci is enabled...

*edit
compiling it again after installing package luci-uci results in the following different error:

...
make[8]: Entering directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon/plugins/updown'
make[8]: Nothing to be done for `install-exec-am'.
test -z "/usr/lib/ipsec/plugins" || /bin/mkdir -p "/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ipkg-install/usr/lib/ipsec/plugins" /bin/bash ../../../../libtool   --mode=install /usr/bin/install -c  'libstrongswan-updown.la' '/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ipkg-install/usr/lib/ipsec/plugins/libstrongswan-updown.la'
libtool: install: /usr/bin/install -c .libs/libstrongswan-updown.so.0.0.0 /local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ipkg-install/usr/lib/ipsec/plugins/libstrongswan-updown.so.0.0.0
libtool: install: (cd /local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ipkg-install/usr/lib/ipsec/plugins && { ln -s -f libstrongswan-updown.so.0.0.0 libstrongswan-updown.so.0 || { rm -f libstrongswan-updown.so.0 && ln -s libstrongswan-updown.so.0.0.0 libstrongswan-updown.so.0; }; })
libtool: install: (cd /local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ipkg-install/usr/lib/ipsec/plugins && { ln -s -f libstrongswan-updown.so.0.0.0 libstrongswan-updown.so || { rm -f libstrongswan-updown.so && ln -s libstrongswan-updown.so.0.0.0 libstrongswan-updown.so; }; })
libtool: install: /usr/bin/install -c .libs/libstrongswan-updown.lai /local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/ipkg-install/usr/lib/ipsec/plugins/libstrongswan-updown.la
libtool: install: warning: remember to run `libtool --finish /usr/lib/ipsec/plugins'
make[8]: Leaving directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon/plugins/updown'
make[7]: Leaving directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon/plugins/updown'
Making install in plugins/uci
make[7]: Entering directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon/plugins/uci'
/bin/bash ../../../../libtool --tag=CC   --mode=compile mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.17\" -DPACKAGE_STRING=\"strongSwan\ 4.2.17\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.17\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_LIBDL=1 -DHAVE_DLADDR=1 -DHAVE_PRINTF_HOOKS=1 -I. -I../../../../src/libstrongswan -I../../../../src/charon  -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/include  -rdynamic -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float  -MT uci_plugin.lo -MD -MP -MF .deps/uci_plugin.Tpo -c -o uci_plugin.lo uci_plugin.c
libtool: compile:  mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.17\" "-DPACKAGE_STRING=\"strongSwan 4.2.17\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.17\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_LIBDL=1 -DHAVE_DLADDR=1 -DHAVE_PRINTF_HOOKS=1 -I. -I../../../../src/libstrongswan -I../../../../src/charon -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/include -rdynamic -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float -MT uci_plugin.lo -MD -MP -MF .deps/uci_plugin.Tpo -c uci_plugin.c  -fPIC -DPIC -o .libs/uci_plugin.o
mv -f .deps/uci_plugin.Tpo .deps/uci_plugin.Plo
/bin/bash ../../../../libtool --tag=CC   --mode=compile mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.17\" -DPACKAGE_STRING=\"strongSwan\ 4.2.17\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.17\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_LIBDL=1 -DHAVE_DLADDR=1 -DHAVE_PRINTF_HOOKS=1 -I. -I../../../../src/libstrongswan -I../../../../src/charon  -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/include  -rdynamic -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float  -MT uci_parser.lo -MD -MP -MF .deps/uci_parser.Tpo -c -o uci_parser.lo uci_parser.c
libtool: compile:  mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.17\" "-DPACKAGE_STRING=\"strongSwan 4.2.17\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.17\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_LIBDL=1 -DHAVE_DLADDR=1 -DHAVE_PRINTF_HOOKS=1 -I. -I../../../../src/libstrongswan -I../../../../src/charon -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/include -rdynamic -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float -MT uci_parser.lo -MD -MP -MF .deps/uci_parser.Tpo -c uci_parser.c  -fPIC -DPIC -o .libs/uci_parser.o
uci_parser.c: In function 'section_enumerator_enumerate':
uci_parser.c:85: error: 'struct uci_option' has no member named 'value'
uci_parser.c:100: error: 'struct uci_option' has no member named 'value'
make[7]: *** [uci_parser.lo] Error 1
make[7]: Leaving directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon/plugins/uci'
make[6]: *** [install-recursive] Error 1
make[6]: Leaving directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon'
make[5]: *** [install-recursive] Error 1
make[5]: Leaving directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src'
make[4]: *** [install-recursive] Error 1
make[4]: Leaving directory `/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17'
make[3]: *** [/local/wsjanwillem/trunk.4.2.x/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/.built] Error 2
make[3]: Leaving directory `/local/wsjanwillem/package_strongswan-4.2.17.5'
make[2]: *** [package/package_strongswan-4.2.17.5/compile] Error 2
make[2]: Leaving directory `/local/wsjanwillem/trunk.4.2.x'
make[1]: *** [/local/wsjanwillem/trunk.4.2.x/staging_dir/target-mipsel_uClibc-0.9.30.1/stamp/.package_compile] Error 2
make[1]: Leaving directory `/local/wsjanwillem/trunk.4.2.x'
make: *** [world] Error 2

*edit
http://wiki.strongswan.org/wiki/1/IpsecUci states "Use the configure option --enable-uci. You also need the libuci library and the uci tool."
the libuci library is no problem, the uci tool is what has me looking everywhere... Anyone any idea?
*edit
I might have traced the source of the problem, make reports:

 make[1] world
 make[2] target/compile
 make[3] -C target/linux compile
 make[2] package/cleanup
 make[2] package/compile
 make[3] -C package/base-files compile
...
 make[3] -C package/opkg compile
 make[3] -C /home/beus/openwrt/package_strongswan-4.2.17.1 compile
 make[3] -C package/linux-atm compile
 make[3] -C package/libpcap compile
 make[3] -C package/ppp compile
 make[3] -C package/switch compile
 make[3] -C package/uci compile
 make[3] -C package/udevtrigger compile
 make[2] package/install
 make[3] -C package/base-files install
 make[3] -C package/broadcom-diag install
...

ergo package/uci is compiled after strongswan, so it would be logical for strongSwan not to find the necessary files.

*edit the solution to this is adding the following line to strongswan's Makefile.

PKG_BUILD_DEPENDS:=libuci

The next error to tackle is:

/bin/bash ../../../../libtool --tag=CC   --mode=compile mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.17\" -DPACKAGE_STRING=\"strongSwan\ 4.2.17\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.17\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_LIBDL=1 -DHAVE_DLADDR=1 -DHAVE_PRINTF_HOOKS=1 -I. -I../../../../src/libstrongswan -I../../../../src/charon  -I/home/beus/openwrt/trunk-4.2.17.3-2/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/home/beus/openwrt/trunk-4.2.17.3-2/staging_dir/target-mipsel_uClibc-0.9.30.1/include  -rdynamic -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float  -MT uci_parser.lo -MD -MP -MF .deps/uci_parser.Tpo -c -o uci_parser.lo uci_parser.c
libtool: compile:  mipsel-openwrt-linux-uclibc-gcc -DPACKAGE_NAME=\"strongSwan\" -DPACKAGE_TARNAME=\"strongswan\" -DPACKAGE_VERSION=\"4.2.17\" "-DPACKAGE_STRING=\"strongSwan 4.2.17\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"strongswan\" -DVERSION=\"4.2.17\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DPKCS11_DEFAULT_LIB=\"/usr/lib/opensc-pkcs11.so\" -DDEV_RANDOM=\"/dev/random\" -DDEV_URANDOM=\"\" -DIPSEC_ROUTING_TABLE=220 -DIPSEC_ROUTING_TABLE_PRIO=220 -DHAVE_DLFCN_H=1 -DLT_OBJDIR=\".libs/\" -DHAVE_LIBDL=1 -DHAVE_DLADDR=1 -DHAVE_PRINTF_HOOKS=1 -I. -I../../../../src/libstrongswan -I../../../../src/charon -I/home/beus/openwrt/trunk-4.2.17.3-2/staging_dir/target-mipsel_uClibc-0.9.30.1/usr/include -I/home/beus/openwrt/trunk-4.2.17.3-2/staging_dir/target-mipsel_uClibc-0.9.30.1/include -rdynamic -Os -pipe -mips32 -mtune=mips32 -funit-at-a-time -fhonour-copts -msoft-float -MT uci_parser.lo -MD -MP -MF .deps/uci_parser.Tpo -c uci_parser.c  -fPIC -DPIC -o .libs/uci_parser.o
uci_parser.c: In function 'section_enumerator_enumerate':
uci_parser.c:85: error: 'struct uci_option' has no member named 'value'
uci_parser.c:100: error: 'struct uci_option' has no member named 'value'
make[7]: *** [uci_parser.lo] Error 1
make[7]: Leaving directory `/home/beus/openwrt/trunk-4.2.17.3-2/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon/plugins/uci'
make[6]: *** [install-recursive] Error 1
make[6]: Leaving directory `/home/beus/openwrt/trunk-4.2.17.3-2/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src/charon'
make[5]: *** [install-recursive] Error 1
make[5]: Leaving directory `/home/beus/openwrt/trunk-4.2.17.3-2/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/src'
make[4]: *** [install-recursive] Error 1
make[4]: Leaving directory `/home/beus/openwrt/trunk-4.2.17.3-2/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17'
make[3]: *** [/home/beus/openwrt/trunk-4.2.17.3-2/build_dir/target-mipsel_uClibc-0.9.30.1/strongswan-4.2.17/.built] Error 2
make[3]: Leaving directory `/home/beus/openwrt/package_strongswan-4.2.17.7'
make[2]: *** [package/package_strongswan-4.2.17.7/compile] Error 2
make[2]: Leaving directory `/home/beus/openwrt/trunk-4.2.17.3-2'
make[1]: *** [/home/beus/openwrt/trunk-4.2.17.3-2/staging_dir/target-mipsel_uClibc-0.9.30.1/stamp/.package_compile] Error 2
make[1]: Leaving directory `/home/beus/openwrt/trunk-4.2.17.3-2'
make: *** [world] Error 2

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Interesting build options obtained here that include the netmanager. It is interesting because the build options include openssl, and disable several ciphers.

get strongswan SVN
svn co http://www.strongswan.org/ikev2/trunk strongswan
cd strongswan

build charon with OpenSSL/NM Plugin
./autogen.sh
./configure --disable-aes --disable-des --disable-md5 --disable-sha1 --disable-sha2 \
--disable-fips-prf --disable-gmp --disable-stroke --disable-pluto --disable-tools \
--disable-updown --enable-openssl --enable-nm --enable-eap-gtc \
--sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

build NetworkManager's strongSwan plugin
cd src/charon/plugins/nm/gnome
./autogen.sh --sysconfdir=/etc --prefix=/usr --libexecdir=/usr/lib
make
make install

17 (edited by aport 2009-11-24 23:46:46)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Just wanted to post a little update for me in this thread. I'm using the latest tarball posted by norbert in the ticket above, and it's working GREAT! I really appreciate all the hard work... I prefer strongswan to openswan, and definitely over ipsec-tools & racoon.


My only issue now is that the OpenWRT firewall is very restrictive, which is a good thing. I need to punch some little holes to allow the esp traffic to flow, but I'm not sure which chains to add the rules to. Any help would be greatly appreciated!



Here's what I have so far:

iptables -A input_rule -p esp -s $REMOTE_WAN -j ACCEPT
iptables -t nat -A postrouting_rule -d $REMOTE_SUBNET -j ACCEPT



This seems to work pretty well, but once the traffic is decrypted the firewall likes to drop all the packets originating from the remote subnet, so I added:
iptables -A input_rule -p tcp -s $REMOTE_SUBNET -j ACCEPT


Not sure if that last rule poses any security threats.

18 (edited by beus 2010-03-04 16:43:37)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Part of my struggles came from wanting to use the curl library. During compilation of strongswan -- or actually during the check before compilation -- an error occurred:

checking for main in -lcurl... no

A solution I found was adding a TARGET_LDFLAGS line to the Makefile.

...
PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install

include $(INCLUDE_DIR)/package.mk

TARGET_LDFLAGS+=-Wl,-rpath-link=$(STAGING_DIR)/usr/lib

define Package/strongswan
  SECTION:=net
  CATEGORY:=Network
...

Thus TARGET_LDFLAGS+=-Wl,-rpath-link=$(STAGING_DIR)/usr/lib did the trick.

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

I encountered an error when I tried to minimize the footprint. As I do not need ikev1 I tried to disable all that has to do with pluto.

During which I found that
- one can disable pluto without problems
- one can disable tools without problems
- disabling pluto and stroke but not tools gives an error due to some file not found (some tools build upon ikev1).
- disabling pluto, stroke and tools gives an error in the Makefile, as the install part of the make script refers to ipsec, which appears to be no longer available.

changing the Makefile line

$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin

into

# GNU make has no "!" negation: $(!CONFIG_STRONGSWAN_STROKE) expands an (empty)
# variable literally named "!CONFIG_STRONGSWAN_STROKE", so the copy would never run.
# Copy the ipsec script only when the stroke interface (and with it starter/ipsec) is built:
$(if $(CONFIG_STRONGSWAN_STROKE),$(CP) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin)

did the trick, now it compiles fine. HOWEVER the ipsec command has not been built so you cannot start strongswan using 'ipsec start'. I'm not sure if the uci backend will work...

20 (edited by aport 2010-04-02 19:27:54)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

I've made an init script and UCI config for setting up some basic site-to-site tunnels with StrongSwan:

#!/bin/sh /etc/rc.common
# Copyright (C) 2009 NexAira Inc.
# Copyright (C) 2010 Adam Porter <porter.adam@gmail.com>

START=70
STOP=40

check_keyexchange() {
    local cfg="$1"
    config_get keyexchange "$cfg" keyexchange

    [ "$keyexchange" = "ikev1" ] && ikev1=yes 
    [ "$keyexchange" = "ikev2" ] && ikev2=yes
}

setup_secrets() {
    # called from setup_ipsecconf: $cfg, $wanip and $remote_wan are inherited
    # from the caller ('local' variables in ash/bash are dynamically scoped)
    local key
    config_get key "$cfg" key

    [ "$wanip" = "%defaultroute" ] && wanip="%any"

cat >> /etc/ipsec.secrets <<EOF
$wanip $remote_wan : PSK "$key"
EOF
    # 'cat >>' creates the file with the default umask; the PSK must not be world-readable
    chmod 600 /etc/ipsec.secrets
}

setup_ipsecconf() {
    local cfg="$1"

    config_get_bool enabled "$cfg" enabled 0

    [ "$enabled" = "0" ] && return

    local leftsubnet rightsubnet local_lan remote_lan waniface auto
    local tunnel_name local_lan_network remote_wan remote_lan_network key keyexchange
    local wanip wandev integrity ikeintegrity encryption dhgroup strict

    tunnel_name="$cfg"
    config_get waniface "$cfg" waniface
    config_get local_lan "$cfg" local_lan
    config_get local_lan_network "$cfg" local_lan_network
    config_get remote_wan "$cfg" remote_wan
    config_get remote_lan "$cfg" remote_lan
    config_get remote_lan_network "$cfg" remote_lan_network
    config_get keyexchange "$cfg" keyexchange
    config_get integrity "$cfg" integrity
    config_get encryption "$cfg" encryption
    config_get dhgroup "$cfg" dhgroup
    config_get_bool strict "$cfg" strict 0
    config_get auto "$cfg" auto


    # calculate local network info
    eval "$(ipcalc.sh $local_lan $local_lan_network)"
    leftsubnet="$NETWORK/$PREFIX"

    # calculate remote network info
    eval "$(ipcalc.sh $remote_lan $remote_lan_network)"
    rightsubnet="$NETWORK/$PREFIX"

    # get the WAN IP
    if [ "$waniface" = "default" ]; then
        wanip="%defaultroute"
    else
        wanip=$(uci -P /var/state get network."$waniface".ipaddr)
    fi

    # if there's no WAN IP, get out of here
    [ -z "$wanip" ] && return

    [ "$strict" = 0 ] && strict=" " || strict="!"
    [ "$integrity" = "sha1" ] && ikeintegrity="sha" || ikeintegrity="md5"

    cat >> /etc/ipsec.conf <<EOF
conn $tunnel_name
    left=$wanip
    leftsubnet=$leftsubnet
    leftfirewall=yes
    right=$remote_wan
    rightsubnet=$rightsubnet
    keyexchange=$keyexchange
    ike=$encryption-$ikeintegrity-$dhgroup$strict
    esp=$encryption-$integrity-$dhgroup$strict
    auto=${auto:-route}

EOF

    setup_secrets
    setup_firewall
}

setup_firewall() {
    echo "iptables -A input_rule -p esp -s $remote_wan -j ACCEPT" >> /etc/firewall.ipsec
    echo "iptables -t nat -A postrouting_rule -d $rightsubnet -j ACCEPT" >> /etc/firewall.ipsec
    # allow all traffic from remote subnet once tunnel is established
    echo "iptables -A input_rule -p tcp -s $rightsubnet -j ACCEPT" >> /etc/firewall.ipsec
    echo "iptables -A input_rule -p udp -s $remote_wan --dport 500 -j ACCEPT # allow ISAKMP" >> /etc/firewall.ipsec
    echo "iptables -A input_rule -p udp -s $remote_wan --dport 4500 -j ACCEPT # allow NAT-T" >> /etc/firewall.ipsec
}

setup_configs() {
    config_load ipsec
    config_foreach check_keyexchange tunnel

    cat > /etc/ipsec.conf << EOF
config setup
    plutodebug=control
    plutostart=${ikev1:-no}
    charonstart=${ikev2:-no}
    nat_traversal=yes

conn %default
    rekeymargin=3m
    keyingtries=2
    authby=secret

EOF
    config_foreach setup_ipsecconf tunnel
}

reload () {
    setup_configs
}

start() {

    setup_configs

    # start strongswan if any tunnels are enabled
    local flen=$(cat /etc/ipsec.conf | wc -l)
    [ "$flen" -gt 15 ] && ipsec start &

    return 0
}


stop() {
    # stop strongswan
    ipsec stop

    # remove the generated config files
    [ -f "/etc/ipsec.conf" ] && rm -f /etc/ipsec.conf
    [ -f "/etc/ipsec.secrets" ] && rm -f /etc/ipsec.secrets
    [ -f "/etc/firewall.ipsec" ] && rm -f /etc/firewall.ipsec
    return 0
}

config tunnel default
    option enabled 0
    option waniface wan
    option local_lan 192.168.1.1
    option local_lan_network 255.255.255.0
    option remote_lan 192.168.2.1
    option remote_lan_network 255.255.255.0
    option remote_wan 1.1.1.1
    option keyexchange ikev1
    option key password
    option integrity sha1
    option encryption aes
    option dhgroup modp1024
    option auto start

Try it out! It works for me with a basic router-to-router connection, allowing clients behind one router to communicate clients behind the other via their private IPs.

If you have any feedback/improvements please let me know! OpenWrt needs an IPsec implementation with UCI support pretty badly, IMO. OpenVPN is nice and all but a lot of devices still use IPsec.


edit: I know StrongSwan has UCI integration, but it looks like it's only one tunnel... I wanted to support multiple tunnels so I went with the init script route. If StrongSwan's UCI actually supports multiple tunnels then I suppose my work is unneeded.
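
The firewall rules in post 17 and the setup_firewall() function in the init script above both accept decrypted traffic purely by source address (-s $REMOTE_SUBNET), so a cleartext packet arriving on the WAN with a spoofed source in the remote LAN range matches the same rule. The following is an added example, not code from this thread or from strongSwan/OpenWrt: a small POSIX sh generator that prints the same set of rules for one peer, but ties the rules for decrypted traffic to the xt_policy match (-m policy --dir in --pol ipsec, provided by the iptables-mod-ipsec package that the Makefile's DEPENDS already lists). It assumes the OpenWrt user chains input_rule, forwarding_rule and postrouting_rule exist as in the firewall of that time; the function name ipsec_rules and its arguments are choices made here, not part of any post.

```shell
#!/bin/sh
# Added example, not from the thread. Prints iptables rules for one
# site-to-site IPsec peer. The decrypted-traffic rules match only packets the
# kernel actually decapsulated from an inbound IPsec SA (xt_policy, from the
# iptables-mod-ipsec package); a cleartext packet with a spoofed LAN source
# address on the WAN does not match them and falls through to the default policy.
#
# Assumed (not stated in the posts): the OpenWrt user chains input_rule,
# forwarding_rule and postrouting_rule exist; ipsec_rules is a name chosen here.

# usage: ipsec_rules REMOTE_WAN REMOTE_SUBNET_CIDR   (e.g. 1.1.1.1 192.168.2.0/24)
ipsec_rules() {
    peer="$1"
    subnet="$2"
    # insist on a.b.c.d/len so a typo does not silently produce a single-host rule
    case "$subnet" in
        */*) ;;
        *)  echo "ipsec_rules: REMOTE_SUBNET must be CIDR (a.b.c.d/len), got '$subnet'" >&2
            return 1 ;;
    esac
    cat <<EOF
# IKE (UDP/500), NAT-T (UDP/4500) and ESP, from the peer's WAN address only
iptables -A input_rule -p udp -s $peer --dport 500 -j ACCEPT
iptables -A input_rule -p udp -s $peer --dport 4500 -j ACCEPT
iptables -A input_rule -p esp -s $peer -j ACCEPT
# Decrypted packets, for the router itself and for the LAN behind it: any
# protocol, but only if the packet came out of a tunnel-mode ESP SA from $peer
iptables -A input_rule -s $subnet -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $peer -j ACCEPT
iptables -A forwarding_rule -s $subnet -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $peer -j ACCEPT
# Outbound: skip masquerading for traffic that is about to be encrypted into the tunnel
iptables -t nat -A postrouting_rule -d $subnet -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst $peer -j ACCEPT
EOF
}

# Apply with:  ipsec_rules 1.1.1.1 192.168.2.0/24 | sh
# Print only when run as a script with two arguments (harmless when sourced):
if [ $# -eq 2 ]; then
    ipsec_rules "$1" "$2"
fi
```

The ACCEPT in the nat-table postrouting_rule chain is terminating for the whole POSTROUTING traversal, which is what aport's original postrouting_rule line relied on to bypass MASQUERADE; adding the --dir out policy match just limits that bypass to packets an IPsec policy will actually encrypt.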

21 (edited by gabrielvlasiu 2010-04-19 17:30:05)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

charon does not work for me. Pluto works fine.

KAMIKAZE (bleeding edge, r20639)

**** charon started manually:

# /usr/lib/ipsec/charon                                                                                   
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.3.6)
00[NET] unable to create raw socket: Address family not supported by protocol
00[NET] could not open IPv6 receive socket, IPv6 disabled
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]   eth1
00[KNL]   br-lan
00[KNL]     192.168.1.1
00[KNL]   wlan0
00[KNL]   mon.wlan0
00[KNL]   ppp0
00[KNL]     79.114.91.63
00[KNL] received netlink error: Address family not supported by protocol (124)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "C=X, ST=X, L=X, O=X, CN=X, E=X" from '/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG]   loaded crl from '/etc/ipsec.d/crls/crl.pem'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loading secrets from '/etc/ipsec.d/XXXX.secrets'
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/XXXX.der'
00[DMN] loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey pkcs1 pgp dnskey pem xcbc hmac gmp kernel-netlink stroke updown attr resolve
00[JOB] spawning 1 worker threads

Here it gets stuck. I can only stop the process via ctrl-c.

**** Running via strace:

strace -f -ff /usr/lib/ipsec/charon
....
write(1, "00[JOB] spawning 1 worker thread"..., 3400[JOB] spawning 1 worker threads) = 34
rt_sigaction(SIGPIPE, {SIG_DFL, [], SA_STACK|SA_INTERRUPT|SA_SIGINFO|0x2b8e4f0}, {SIG_DFL, [RT_67 RT_68 RT_70 RT_71 RT_73 RT_74 RT_75 RT_76 RT_78 RT_79 RT_81
RT_82 RT_85 RT_86 RT_87 RT_89 RT_91 RT_94], SA_NOCLDSTOP}, 16) = 0
time([1271690002])                      = 1271690002
open("/etc/TZ", O_RDONLY)               = 14
read(14, "EET-2EEST,M3.5.0/3,M10.5.0/4\n", 68) = 29
read(14, "", 39)                        = 0
close(14)                               = 0
write(3, "<30>Apr 19 18:13:22 syslog: 00[J"..., 63) = 63
rt_sigaction(SIGPIPE, {SIG_DFL, [RT_67 RT_68 RT_70 RT_71 RT_73 RT_74 RT_75 RT_76 RT_78 RT_79 RT_81 RT_82 RT_85 RT_86 RT_87 RT_89 RT_91 RT_94], SA_NOCLDSTOP},
NULL, 16) = 0
brk(0x463000)                           = 0x463000
pipe([1701650552, 1667392288])          = 14
clone(Process 1577 attached
child_stack=0x462d78, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND) = 1577
[pid  1574] write(15, "\177\344R\260\0\0\0\5 kernel-netlink stroke u"..., 148) = 148
[pid  1574] rt_sigprocmask(SIG_SETMASK, NULL, [HUP INT TERM RT_0], 16) = 0
[pid  1574] write(15, "*\263\220@\0\0\0\0\0\0\0\0*\255\0\250\0E\362\0\200\0@\3\0\0\0\0\0\0\0\0"..., 148) = 148
[pid  1574] rt_sigprocmask(SIG_SETMASK, NULL, [HUP INT TERM RT_0], 16) = 0
[pid  1574] rt_sigsuspend([HUP INT TERM] <unfinished ...>
[pid  1577] rt_sigprocmask(SIG_SETMASK, ~[TRAP RT_1], NULL, 16) = 0
[pid  1577] read(14, "\177\344R\260\0\0\0\5 kernel-netlink stroke u"..., 148) = 148
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000) = 1 ([{fd=14, revents=POLLIN}])
[pid  1577] getppid()                   = 1574
[pid  1577] read(14, "*\263\220@\0\0\0\0\0\0\0\0*\255\0\250\0E\362\0\200\0@\3\0\0\0\0\0\0\0\0"..., 148) = 148
[pid  1577] old_mmap(0x7f7fc000, 16384, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_GROWSDOWN, -1, 0) = 0x7f7fc000
[pid  1577] clone(Process 1578 attached
child_stack=0x7f7ffe00, flags=CLONE_VM|CLONE_FS|CLONE_FILES|CLONE_SIGHAND|SIGRT_1) = 1578
[pid  1577] kill(1574, SIGRT_0 <unfinished ...>
[pid  1578] getpid( <unfinished ...>
[pid  1577] <... kill resumed> )        = 0
[pid  1574] <... rt_sigsuspend resumed> ) = ? ERESTARTNOHAND (To be restarted)
[pid  1574] --- SIGRT_0 (Unknown signal 32) @ 0 (0) ---
[pid  1574] sigreturn()                 = ? (mask now [EMT KILL SEGV PIPE ALRM TERM USR2 PWR URG IO TSTP TTIN VTALRM XCPU])
[pid  1574] rt_sigprocmask(SIG_BLOCK, [HUP INT TERM], NULL, 16) = 0
[pid  1574] rt_sigaction(SIGHUP, {SIG_DFL, [RT_68 RT_70 RT_74 RT_75 RT_82 RT_85 RT_86 RT_88 RT_90 RT_92 RT_94], SA_STACK|SA_INTERRUPT|0x2b207a4}, NULL, 16) = 0
[pid  1574] rt_sigaction(SIGINT, {SIG_DFL, [RT_68 RT_70 RT_74 RT_75 RT_82 RT_85 RT_86 RT_88 RT_90 RT_92 RT_94], SA_STACK|SA_INTERRUPT|0x2b207a4}, NULL, 16) = 0
[pid  1574] rt_sigaction(SIGTERM, {SIG_DFL, [RT_68 RT_70 RT_74 RT_75 RT_82 RT_85 RT_86 RT_88 RT_90 RT_92 RT_94], SA_STACK|SA_INTERRUPT|0x2b207a4}, NULL, 16) = 0
[pid  1574] rt_sigaction(128, {SIG_DFL, [RT_68 RT_70 RT_74 RT_75 RT_82 RT_85 RT_86 RT_88 RT_90 RT_92 RT_94], SA_STACK|SA_INTERRUPT|0x2b20720}, NULL, 16) = 0
[pid  1574] rt_sigprocmask(SIG_BLOCK, NULL, [HUP INT TERM RT_0], 16) = 0
[pid  1574] rt_sigsuspend(~[HUP INT TERM RT_1] <unfinished ...>
[pid  1578] <... getpid resumed> )      = 1578
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000 <unfinished ...>
[pid  1578] rt_sigprocmask(SIG_SETMASK, [HUP INT TERM RT_0], NULL, 16) = 0
[pid  1578] gettimeofday({1271690002, 343705}, NULL) = 0
[pid  1578] rt_sigprocmask(SIG_SETMASK, NULL, [HUP INT TERM RT_0], 16) = 0
[pid  1578] rt_sigsuspend([HUP INT TERM] <unfinished ...>
[pid  1577] <... poll resumed> )        = 0 (Timeout)
[pid  1577] getppid()                   = 1574
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000) = 0 (Timeout)
[pid  1577] getppid()                   = 1574
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000) = 0 (Timeout)
[pid  1577] getppid()                   = 1574
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000) = 0 (Timeout)
[pid  1577] getppid()                   = 1574
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000) = 0 (Timeout)
[pid  1577] getppid()                   = 1574
[pid  1577] poll([{fd=14, events=POLLIN}], 1, 2000
....


Does anybody else have this problem?
Thank you.

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

Did you use the (in-progress) work here or the newly added package as mentioned in https://dev.openwrt.org/ticket/2538#comment:19 ? If the first, try compiling it with the version in the link; perhaps that helps.

23 (edited by bobcov 2014-01-15 15:55:47)

Re: StrongSwan 4.3 ikev2 (ipsec) - howto install

I keep getting an error in the Makefile for strongswan. The dump.txt says "Makefile:51: *** missing `endef', unterminated `define'.  Stop."   That's pretty obvious to a programmer, but from looking at it, I can't see the problem.
The lines wrapped, so don't think those are just new lines.
Also, I just found that if I added another "endef" before "define Build/Compile" I do not get the error, but because I do not know what adding "endef" means, my guess is it's not a "fix."  Any ideas?
Update2: Okay, untarring the files again to replace the edited Config.in and Makefile, for the changes suggested by the father of this thread, removed the errors. Is it possible that cutting and pasting those changes in added unseen line endings or something? They looked normal on screen in nano. These were the changes for openssl and random that were suggested in the tutorial.

#
# Copyright (C) 2006 OpenWrt.org
#
# This is free software, licensed under the GNU General Public License v2.
# See /LICENSE for more information.
#
# $Id$

include $(TOPDIR)/rules.mk
#include $(INCLUDE_DIR)/kernel.mk

PKG_NAME:=strongswan
PKG_VERSION:=4.2.17
PKG_RELEASE:=1

PATCH_DIR=./patches

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=http://download.strongswan.org/
PKG_MD5SUM:=52058098d9ae038f9dc2c1b116f06dbb

PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install

include $(INCLUDE_DIR)/package.mk

define Package/strongswan
  SECTION:=net
  CATEGORY:=Network
  TITLE:=StrongSwan IPsec IKEv1 and IKEv2 implementation
  DEFAULT:=m
  URL:=http://www.strongswan.org/
  #DEPENDS:=+libpthread +libgmp +ip +kmod-ipsec +kmod-ipsec4 +iptables-mod-ipsec +kmod-ipt-ipsec +kmod-crypto-aes  +kmod-c$
  DEPENDS:=+libpthread +libgmp +ip +kmod-ipsec +kmod-ipsec4 +iptables-mod-ipsec +kmod-ipt-ipsec +kmod-crypto-authenc +kmod$
endef

define Package/strongswan/description
  IPsec IKEv2 keying daemon:
  strongSwan provides the userland part of IPsec. This minimalistic build
  includes the IKEv2 keying daemon charon, the libstrongswan library and
  crypto plugins for SHA1 and AES.
endef

define Package/strongswan/config
        menu "strongSwan Configuration"
                depends on PACKAGE_strongswan
                source "$(SOURCE)/Config.in"
        endmenu
endef

# Alternative --with-random-device line, kept disabled.  It lives outside the
# recipe because a '#' line inside the backslash-continued configure command
# is handed to the shell, where the comment ends the command early and the
# remaining options are run as a command of their own.
#   $(if $(CONFIG_STRONGSWAN_DEVICE_URANDOM),--with-random-device=$(CONFIG_STRONGSWAN_DEVICE_RANDOM))
define Build/Configure
        $(call Build/Configure/Default, \
                $(if $(CONFIG_STRONGSWAN_DEVICE_RANDOM),--with-random-device=$(CONFIG_STRONGSWAN_DEVICE_RANDOM)) \
                $(if $(CONFIG_STRONGSWAN_WITH_URANDOM_DEVICE),--with-urandom-device=$(CONFIG_STRONGSWAN_DEVICE_URANDOM)) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_RANDOM),--disable-random) \
                $(if $(CONFIG_STRONGSWAN_CURL),--enable-curl) \
                $(if $(CONFIG_STRONGSWAN_LDAP),--enable-ldap) \
                $(if $(CONFIG_STRONGSWAN_MANAGER),--enable-manager) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_AES),--disable-aes) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_DES),--disable-des) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_MD5),--disable-md5) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_SHA1),--disable-sha1) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_SHA2),--disable-sha2) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_FIPS_PRF),--disable-fips-prf) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_GMP),--disable-gmp) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_X509),--disable-x509) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_PUBKEY),--disable-pubkey) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_HMAC),--disable-hmac) \
                $(if $(CONFIG_STRONGSWAN_DISABLE_XCBC),--disable-xcbc) \
                $(if $(CONFIG_STRONGSWAN_STROKE),--disable-stroke) \
                $(if $(CONFIG_STRONGSWAN_CISCO_QUIRKS),--enable-cisco-quirks) \
                $(if $(CONFIG_STRONGSWAN_NAT_TRANSPORT),--enable-nat-transport) \
                $(if $(CONFIG_STRONGSWAN_PLUTO),--disable-pluto) \
                $(if $(CONFIG_STRONGSWAN_CHARON),--disable-charon) \
                $(if $(CONFIG_STRONGSWAN_ENABLE_OPENSSL),--enable-openssl) \
                $(if $(CONFIG_STRONGSWAN_TOOLS),--disable-tools) \
                $(if $(CONFIG_STRONGSWAN_ROUTING_TABLE),--with-routing-table=$(CONFIG_STRONGSWAN_ROUTING_TABLE),--disable-$
endef

define Build/Compile
        $(MAKE) -C $(PKG_BUILD_DIR) \
        INSTALL_PREFIX="$(PKG_INSTALL_DIR)" \
                DESTDIR="$(PKG_INSTALL_DIR)" \
                install
endef

define Package/strongswan/install
        $(INSTALL_DIR) $(1)/usr/lib/ipsec/plugins
        $(INSTALL_DIR) $(1)/etc
        $(INSTALL_DIR) $(1)/usr/sbin
        $(CP) -R $(PKG_INSTALL_DIR)/etc/* $(1)/etc/
        $(CP) $(PKG_INSTALL_DIR)/usr/sbin/ipsec $(1)/usr/sbin
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/* $(1)/usr/lib/ipsec/
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/libstrongswan.so.* $(1)/usr/lib/
        $(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/*.so.* $(1)/usr/lib/ipsec/plugins/
        mkdir -p $(1)/etc/modules.d/
        # really needed?
        $(CP) ./files/50-strongswan $(1)/etc/modules.d/
endef

$(eval $(call BuildPackage,strongswan))
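A small scanner that models how GNU make decides where a `define` block ends, added here as an example; it is not code from the thread or from OpenWrt, and it does not replace running make itself. It rests on one fact about GNU make: `define` and `endef` are looked for at the start of a *logical* line, and a physical line that ends in a backslash is joined with the next one before that check, so an `endef` reached through a continuation is plain body text. That is one way a pasted Makefile produces "missing `endef', unterminated `define'" pointing at the define's first line. The Makefile fragments below are constructed and only mimic the shape of the Build/Configure block above.

```python
import re

# Added example, not code from the thread or from OpenWrt: a scanner that
# imitates how GNU make decides where a `define` block ends, so that the
# "missing `endef', unterminated `define'" error can be traced to a cause.
# Assumption modelled here: make reads *logical* lines (a physical line that
# ends in an odd number of backslashes is joined with the next one) before it
# looks for the `define`/`endef` keywords at the start of the line.

DEFINE_RE = re.compile(r"^\s*(?:override\s+)?define\s+\S")
ENDEF_RE = re.compile(r"^\s*endef(?:\s.*)?$")


def _continues(line):
    """True when the physical line ends with an odd number of backslashes."""
    trailing = len(line) - len(line.rstrip("\\"))
    return trailing % 2 == 1


def logical_lines(text):
    """Yield (first_lineno, [physical lines]) with backslash-newline
    continuations joined into one logical line, as make's reader does."""
    physical = text.split("\n")
    i = 0
    while i < len(physical):
        start = i + 1                      # 1-based, as make reports it
        parts = [physical[i]]
        while _continues(physical[i]) and i + 1 < len(physical):
            i += 1
            parts.append(physical[i])
        yield start, parts
        i += 1


def find_unterminated_defines(text):
    """Return [(define_lineno, hint)] for each define left open at end of
    file, i.e. each one make would report as unterminated."""
    open_defines = []                      # stack of [define_lineno, hidden_endef_lineno]
    for start, parts in logical_lines(text):
        head = parts[0]
        if DEFINE_RE.match(head):
            open_defines.append([start, None])
        elif ENDEF_RE.match(head):
            if open_defines:
                open_defines.pop()
        elif open_defines:
            # an `endef` on a continuation line is ordinary text to make;
            # remember it so the hint can point at it
            for offset, part in enumerate(parts[1:], 1):
                if ENDEF_RE.match(part) and open_defines[-1][1] is None:
                    open_defines[-1][1] = start + offset
    findings = []
    for lineno, hidden in open_defines:
        if hidden is None:
            hint = "no endef found"
        else:
            hint = ("endef on line %d is joined to the line above by a "
                    "trailing backslash" % hidden)
        findings.append((lineno, hint))
    return findings


def make_style_errors(text):
    """Format the findings the way make prints them, plus the hint."""
    return ["Makefile:%d: *** missing `endef', unterminated `define'.  "
            "Stop.  (%s)" % (lineno, hint)
            for lineno, hint in find_unterminated_defines(text)]


# Constructed fragments shaped like the Build/Configure block from the post.
# In BROKEN the closing `)` line of the $(call ...) is missing, so the last
# argument line still ends in a backslash and swallows the `endef`.
BROKEN = """\
define Build/Configure
\t$(call Build/Configure/Default, \\
\t\t--enable-openssl \\
\t\t--disable-random \\
endef

define Build/Compile
\t$(MAKE) -C $(PKG_BUILD_DIR) install
endef
"""

# Same fragment with the call closed on its own line, so `endef` is seen.
FIXED = BROKEN.replace("--disable-random \\\nendef",
                       "--disable-random \\\n\t)\nendef")

if __name__ == "__main__":
    for msg in make_style_errors(BROKEN) or ["BROKEN: no findings"]:
        print(msg)
    print("FIXED findings:", find_unterminated_defines(FIXED))
```

Run against BROKEN the scanner reports line 1, exactly where make points, and the hint names line 5 as the `endef` that never counted. Adding a second `endef`, as the post tried, silences the error because the second one is the first `endef` make meets at the start of a logical line; the first stays inside the define body, so the literal word `endef` ends up in the configure command handed to the shell. Removing the stray trailing backslash (or restoring the closing `)` line) is the fix the scanner's hint points at.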