cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sat May 27, 2017 10:47 am Post subject: [SOLVED] Strongswan and kernel-4.11.X |
|
|
Hi,
I run my own VPN solely for the purpose of using my mobile phone on public networks. Everything works great under kernel-4.10.13. On kernel-4.11.X, I used the config from 4.10.13 and made oldconfig. Something in kernel-4.11.X has broken the routing within strongswan. Has anyone come across anything similar? I'll keep chipping away at it, just looking for a way to reduce the number of times I have to recompile the kernel.
T.I.A.
*edit* Looks like it's something broken in the kernel. Still isn't fixed in 4.11.4 though.
https://lkml.org/lkml/2017/4/25/937
*edit* Still broken in 4.11.5 and it looks like Red Hat already patched it.
https://bugzilla.redhat.com/show_bug.cgi?id=1458222
*edit* Still broken in 4.11.6 _________________ # touch it
touch: cannot touch `it': Permission denied
Last edited by cdstealer on Sun Jun 18, 2017 5:17 am; edited 1 time in total |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sun Jun 18, 2017 5:16 am Post subject: |
|
|
OK.. gave up and applied the patch in the lkml thread to kernel 4.11.6. YAY.. it works!
Code: | # cd /usr/src/linux && cat esp_patch
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
int extralen;
int tailen;
__be64 seqno;
+ int esp_offset = 0;
__u8 proto = *skb_mac_header(skb);
/* skb is pure payload to encrypt */
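Review bot: `esp_offset` is declared as a bare `int` with no comment, and its meaning only becomes clear two hunks later. At the declaration, add a short comment saying it is the byte distance from the transport header to the ESP header, and that the initial 0 covers the case where nothing sits in front of ESP, so `skb_transport_header(skb) + esp_offset` is then the same address `ip_esp_hdr(skb)` returned before.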
@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
break;
}
+ esp_offset = (unsigned char *)esph - (unsigned char *)uh;
+
*skb_mac_header(skb) = IPPROTO_UDP;
}
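Review bot: the assignment `esp_offset = (unsigned char *)esph - (unsigned char *)uh;` only matches its later use if `uh` points at `skb_transport_header(skb)`, and the context shown here does not establish that. State the assumption in a comment next to the assignment, or take the difference from `skb_transport_header(skb)` directly so that this hunk and the one that consumes `esp_offset` use the same base.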
@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
goto error;
nfrags = err;
tail = skb_tail_pointer(trailer);
- esph = ip_esp_hdr(skb);
+ esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);
skip_cow:
esp_output_fill_trailer(tail, tfclen, plen, proto); |
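Review bot: the line replacing `esph = ip_esp_hdr(skb);` open-codes the cast and gives no hint why the helper no longer fits at this point. Add a comment above it explaining that with UDP encapsulation the ESP header sits `esp_offset` bytes past the transport header, so `esph` has to be rebuilt from `skb_transport_header(skb) + esp_offset`; without that, a later cleanup could easily turn the line back into `ip_esp_hdr(skb)`.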
Then executed: Code: | patch -p1 < esp_patch |
Recompiled the kernel in the usual manner and eureka! |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sun Jun 25, 2017 4:28 am Post subject: |
|
|
Still broken in 4.11.7 but the above patch still works |
josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
|
Posted: Sun Jun 25, 2017 8:36 am Post subject: Re: [SOLVED] Strongswan and kernel-4.11.X |
|
|
cdstealer wrote: | I run my own VPN solely for the purpose of using my mobile phone on public networks. |
would you tell me how you do this, or refer some links please? thanks |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sun Jun 25, 2017 8:53 am Post subject: |
|
|
Hi Josephg, I did my own how-to as I couldn't find anything complete from start to finish. Have a go. It's just my brain dump, so if you have any questions, please let me know. Here is my http://cdblog.cdstealer.com/?p=1231 blog post. I hope you find it useful.
Cheers
[Moderator edit: expanded tinyurl to point to the actual URL. Some people prefer not to follow tinyurl redirects. -Hu] |
josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
|
Posted: Sun Jun 25, 2017 9:07 am Post subject: |
|
|
thank you cdstealer i've wanted to do something like this for a while. just for my mobile to grab internet sometimes on public/restricted wifi.
your blog post is extremely helpful with detailed information. but i don't see any vpn/client setup, possibilities or scenarios. how/what can you do on the android end? |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sun Jun 25, 2017 11:11 am Post subject: |
|
|
Hi, I've now added the client setup howto. Hope it helps. |
josephg l33t
Joined: 10 Jan 2016 Posts: 783 Location: usually offline
|
Posted: Sun Jun 25, 2017 12:46 pm Post subject: |
|
|
thank you again cdstealer that was quick. guess i'll also need static ip or dyndns etc. |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Sun Jun 25, 2017 1:29 pm Post subject: |
|
|
No worries
I'm not on a static myself, but my IP doesn't change very often |
cdstealer Guru
Joined: 30 Oct 2005 Posts: 431 Location: Leeds
|
Posted: Mon Jul 03, 2017 5:53 pm Post subject: |
|
|
*UPDATE* This has now been patched in 4.12.0. But now my wireless mouse doesn't work, but that's a new thread |