| View previous topic :: View next topic |
| Author |
Message |
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
 Posted: Sat May 27, 2017 10:47 am Post subject: [SOLVED] Strongswan and kernel-4.11.X |
 |
|
Hi,
I run my own VPN solely for the purpose of using my mobile phone on public networks. Everything works great under kernel-4.10.13. On kernel-4.11.X, I used the config from 4.10.13 and made oldconfig. Something in kernel-4.11.X has broken the routing within strongswan. Has anyone come across anything similar? I'll keep chipping away at it, just looking for a way to reduce the number of times I have to recompile the kernel 
T.I.A.
*edit* Looks it's something broken in the kernel  Still isn't fixed in 4.11.4 though.
https://lkml.org/lkml/2017/4/25/937
*edit* Still broken in 4.11.5 and it looks like redhat already patched it.
https://bugzilla.redhat.com/show_bug.cgi?id=1458222
*edit* Still broken in 4.11.6
_________________
# touch it
touch: cannot touch `it': Permission denied
Last edited by cdstealer on Sun Jun 18, 2017 5:17 am; edited 1 time in total |
|
| Back to top |
|
 |
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
| Posted: Sun Jun 18, 2017 5:16 am Post subject: |
|
|
OK.. gave up and applied the patch in the lkml thread to kernel 4.11.6. YAY.. it works!
| Code: | # cd /usr/src/linux && cat esp_patch
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
int extralen;
int tailen;
__be64 seqno;
+ int esp_offset = 0;
__u8 proto = *skb_mac_header(skb);
/* skb is pure payload to encrypt */
@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
break;
}
+ esp_offset = (unsigned char *)esph - (unsigned char *)uh;
+
*skb_mac_header(skb) = IPPROTO_UDP;
}
@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
goto error;
nfrags = err;
tail = skb_tail_pointer(trailer);
- esph = ip_esp_hdr(skb);
+ esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);
skip_cow:
esp_output_fill_trailer(tail, tfclen, plen, proto); |
Then executed: | Code: | | patch -p1 < esp_patch |
Recompiled the kernel in the usual manner and eureka! 
_________________
# touch it
touch: cannot touch `it': Permission denied |
|
| Back to top |
|
|
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
| Posted: Sun Jun 25, 2017 4:28 am Post subject: |
|
|
Still broken in 4.11.7 but the above patch still works
_________________
# touch it
touch: cannot touch `it': Permission denied |
|
| Back to top |
|
|
josephg
l33t
Joined: 10 Jan 2016
Posts: 783
Location: usually offline
|
| Posted: Sun Jun 25, 2017 8:36 am Post subject: Re: [SOLVED] Strongswan and kernel-4.11.X |
|
|
| cdstealer wrote: | | I run my own VPN solely for the purpose of using my mobile phone on public networks. |
would you tell me how you do this, or refer some links please? thanks |
|
| Back to top |
|
|
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
| Posted: Sun Jun 25, 2017 8:53 am Post subject: |
|
|
Hi Josephg, I did my own how to as I couldn't find anything complete from start to finish. Have a go. It's just my brain dump, so if you have any questions, please let me know. Here is my http://cdblog.cdstealer.com/?p=1231 blog post. I hope you find it useful.
Cheers
[Moderator edit: expanded tinyurl to point to the actual URL. Some people prefer not to follow tinyurl redirects. -Hu]
_________________
# touch it
touch: cannot touch `it': Permission denied |
|
| Back to top |
|
|
josephg
l33t
Joined: 10 Jan 2016
Posts: 783
Location: usually offline
|
| Posted: Sun Jun 25, 2017 9:07 am Post subject: |
|
|
thank you cdstealer i've wanted to do something like this for while. just for my mobile to grab internet sometimes on public/restricted wifi.
you blog post is extremely helpful with detailed information. but i don't see any vpn/client setup, possibilities or scenarios. how/what can you do on the android end? |
|
| Back to top |
|
|
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
|
| Back to top |
|
|
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
| Posted: Sun Jun 25, 2017 11:11 am Post subject: |
|
|
Hi, I've now added the client setup howto. Hope it helps.
_________________
# touch it
touch: cannot touch `it': Permission denied |
|
| Back to top |
|
|
josephg
l33t
Joined: 10 Jan 2016
Posts: 783
Location: usually offline
|
| Posted: Sun Jun 25, 2017 12:46 pm Post subject: |
|
|
| thank you again cdstealer that was quick. guess i'll also need static ip or dyndns etc. |
|
| Back to top |
|
|
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
| Posted: Sun Jun 25, 2017 1:29 pm Post subject: |
|
|
No worries
I'm not on a static myself, but my IP doesn't change very often
_________________
# touch it
touch: cannot touch `it': Permission denied |
|
| Back to top |
|
|
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 431
Location: Leeds
|
| Posted: Mon Jul 03, 2017 5:53 pm Post subject: |
|
|
*UPDATE* This has now been patched in 4.12.0 But now my wireless mouse doesn't work, but that's a new thread
_________________
# touch it
touch: cannot touch `it': Permission denied |
|
| Back to top |
|
|
|
Networking & Security
