Gentoo Forums
[SOLVED] Strongswan and kernel-4.11.X
Forum: Networking & Security
cdstealer
Guru
Joined: 30 Oct 2005
Posts: 423
Location: Leeds

PostPosted: Sat May 27, 2017 10:47 am    Post subject: [SOLVED] Strongswan and kernel-4.11.X

Hi,
I run my own VPN solely for the purpose of using my mobile phone on public networks. Everything works great under kernel-4.10.13. On kernel-4.11.X, I used the config from 4.10.13 and made oldconfig. Something in kernel-4.11.X has broken the routing within strongswan. Has anyone come across anything similar? I'll keep chipping away at it, just looking for a way to reduce the number of times I have to recompile the kernel ;)

T.I.A.

*edit* Looks like it's something broken in the kernel :( Still isn't fixed in 4.11.4 though.

https://lkml.org/lkml/2017/4/25/937

*edit* Still broken in 4.11.5 and it looks like redhat already patched it.

https://bugzilla.redhat.com/show_bug.cgi?id=1458222

*edit* Still broken in 4.11.6 :(
_________________
# touch it
touch: cannot touch `it': Permission denied


Last edited by cdstealer on Sun Jun 18, 2017 5:17 am; edited 1 time in total
cdstealer
Guru

PostPosted: Sun Jun 18, 2017 5:16 am    Post subject:

OK.. gave up and applied the patch in the lkml thread to kernel 4.11.6. YAY.. it works!

Code:
# cd /usr/src/linux && cat esp_patch
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
    int extralen;
    int tailen;
    __be64 seqno;
+   int esp_offset = 0;
    __u8 proto = *skb_mac_header(skb);
 
    /* skb is pure payload to encrypt */
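Review bot: `esp_offset` is declared without a comment saying what it measures, and its zero initialiser is doing real work: when the UDP branch is not taken, the later `skb_transport_header(skb) + esp_offset` has to come out equal to the old `ip_esp_hdr(skb)`, which is only true because the value stays 0. Suggest stating that at the declaration, e.g. `int esp_offset = 0; /* ESP hdr offset from transport hdr; non-zero only with UDP encap */`, so nobody later treats the 0 as an uninitialised placeholder.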
@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
          break;
       }
 
+      esp_offset = (unsigned char *)esph - (unsigned char *)uh;
+
       *skb_mac_header(skb) = IPPROTO_UDP;
    }
 
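Review bot: the offset is measured from `uh` but is later added to `skb_transport_header(skb)`, so the fix is only correct if `uh` and the transport header are the same address at this point; the hunk's context does not show where `uh` was set, and the only visible evidence of the layout is that `esph` lies after `uh`. Either take the difference against the base it will be added back to, `esp_offset = (unsigned char *)esph - skb_transport_header(skb);`, or add a comment recording that the UDP header was pushed at the transport header, so the invariant the patch depends on is written next to the arithmetic.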
@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)
       goto error;
    nfrags = err;
    tail = skb_tail_pointer(trailer);
-   esph = ip_esp_hdr(skb);
+   esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);
 
 skip_cow:
    esp_output_fill_trailer(tail, tfclen, plen, proto);
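Review bot: the replaced `esph = ip_esp_hdr(skb);` re-derived the ESP header from the transport header after the copy that `skip_cow:` bypasses, which is right only when the ESP header is at the transport header; with UDP encapsulation it sits `esp_offset` bytes further on, so the old line landed on the UDP header instead. The new line corrects that but open-codes the cast that `ip_esp_hdr()` hides; a short comment such as `/* esp_offset is 0 without UDP encap, so this equals ip_esp_hdr(skb) */` would make both cases obvious to the next reader. Note also that paths jumping to `skip_cow:` keep the `esph` computed before this point, which is only safe because no copy happened on them.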


Then executed:
Code:
patch -p1 < esp_patch


Recompiled the kernel in the usual manner and eureka! :)
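Added example, not code from the thread or from the kernel: a small C model of the pointer bookkeeping the patch above changes. It assumes, as the patch's `skb_transport_header(skb) + esp_offset` does, that with UDP encapsulation the transport header points at the pushed UDP header and the ESP header sits `esp_offset` bytes after it; the packet buffer, the field values and the `fill_after_cow` helper are constructed for illustration. It shows what happens when the ESP header is located from the transport header alone after the buffer has been copied (the replaced `esph = ip_esp_hdr(skb)` line) versus with the saved offset (the new line), for plain ESP and for both UDP-encapsulation formats.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of esp_output()'s header bookkeeping, not kernel code:
 * buf stands in for the skb, transport for skb_transport_header(), and
 * pkt_cow for the copy the patched esph line runs after. */
enum encap_type { ENCAP_NONE = 0, ENCAP_ESPINUDP = 1, ENCAP_ESPINUDP_NON_IKE = 2 };

#define UDP_HDR_LEN  8   /* struct udphdr */
#define NON_IKE_LEN  8   /* two zero 32-bit words before ESP in the NON_IKE format */
#define ESP_HDR_LEN  8   /* SPI + sequence number */
#define HEADROOM    64   /* room in front of the ESP slot for pushed headers */

struct pkt {
    uint8_t buf[256];
    size_t  data;        /* index of the first packet byte (skb->data) */
    size_t  transport;   /* index of the transport header */
    size_t  len;
};

/* Start state: [ESP header slot][payload], transport header at the slot. */
static void pkt_init(struct pkt *p, const uint8_t *payload, size_t plen) {
    memset(p, 0, sizeof *p);
    p->data = p->transport = HEADROOM;
    p->len = ESP_HDR_LEN + plen;
    memcpy(&p->buf[HEADROOM + ESP_HDR_LEN], payload, plen);
}

/* skb_push(): grow the packet at the front, return the new first byte. */
static uint8_t *pkt_push(struct pkt *p, size_t n) {
    p->data -= n;
    p->len  += n;
    return &p->buf[p->data];
}

/* ip_esp_hdr(): the ESP header is taken to be at the transport header. */
static uint8_t *ip_esp_hdr(struct pkt *p) { return &p->buf[p->transport]; }

/* The cow copy: same bytes in different memory, so earlier pointers are stale. */
static void pkt_cow(struct pkt *dst, const struct pkt *src) { *dst = *src; }

/* UDP-encapsulation branch: push the UDP header (plus NON_IKE marker), point
 * the transport header at it (assumption), put ESP after it, and return the
 * ESP header's distance from uh, which is what the patch stores in esp_offset. */
static ptrdiff_t encap_push(struct pkt *p, enum encap_type t, uint8_t **esph) {
    size_t extra;
    uint8_t *uh;

    if (t == ENCAP_NONE) {
        *esph = ip_esp_hdr(p);
        return 0;
    }
    extra = UDP_HDR_LEN + (t == ENCAP_ESPINUDP_NON_IKE ? NON_IKE_LEN : 0);
    uh = pkt_push(p, extra);
    memset(uh, 0, extra);
    uh[0] = uh[2] = 0x11; uh[1] = uh[3] = 0x94;  /* sport = dport = 4500 (constructed) */
    uh[5] = (uint8_t)p->len;                     /* UDP length, low byte is enough here */
    p->transport = p->data;
    *esph = uh + extra;
    return *esph - uh;
}

/* Write SPI + seq after the copy, locating the header either from the
 * transport header alone (the replaced ip_esp_hdr(skb) line) or with the
 * saved offset (the patched line). Returns 1 if SPI/seq landed in the ESP
 * slot with the UDP header intact, 0 if they overwrote the UDP header. */
static int fill_after_cow(enum encap_type t, int use_offset) {
    static const uint8_t payload[] = "constructed ESP payload";
    static const uint8_t esp_hdr[ESP_HDR_LEN] = {0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 1};
    uint8_t saved_udp[UDP_HDR_LEN];
    struct pkt before, after;
    uint8_t *esph, *tp;
    ptrdiff_t esp_offset;

    pkt_init(&before, payload, sizeof payload);
    esp_offset = encap_push(&before, t, &esph);
    memcpy(saved_udp, &before.buf[before.transport], UDP_HDR_LEN);

    pkt_cow(&after, &before);                    /* esph now points into `before` */
    tp = &after.buf[after.transport];
    esph = use_offset ? tp + esp_offset : ip_esp_hdr(&after);
    memcpy(esph, esp_hdr, ESP_HDR_LEN);

    if (memcmp(tp + esp_offset, esp_hdr, ESP_HDR_LEN) != 0)
        return 0;                                /* SPI/seq missed the ESP slot */
    if (t != ENCAP_NONE && memcmp(tp, saved_udp, UDP_HDR_LEN) != 0)
        return 0;                                /* UDP header clobbered */
    return 1;
}

int main(void) {
    static const char *names[] = { "no encap", "espinudp", "espinudp-non-ike" };
    int t;
    for (t = 0; t < 3; t++)
        printf("%-17s old line: %s   patched line: %s\n", names[t],
               fill_after_cow((enum encap_type)t, 0) ? "ok" : "broken",
               fill_after_cow((enum encap_type)t, 1) ? "ok" : "broken");
    return 0;
}
```

In the model the unpatched lookup is harmless without encapsulation, because the ESP header really is at the transport header, and wrong for both UDP formats, where the SPI and sequence number get written over the UDP ports and length. That matches why the thread's VPN, which a phone on public Wi-Fi reaches through NAT and therefore with ESP-in-UDP, broke while the earlier kernel worked.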
cdstealer
Guru

PostPosted: Sun Jun 25, 2017 4:28 am    Post subject:

Still broken in 4.11.7 but the above patch still works :)
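A worked version of the apply-and-rebuild step from the two posts above, added here and not taken from the thread: a POSIX sh helper that checks whether a tree is a 4.11.x kernel (the only series the thread reports as needing the patch), refuses to apply the patch twice, and dry-runs it before touching the tree so a hunk that no longer fits a later 4.11.y release fails loudly instead of leaving `.rej` files behind. GNU `patch` is assumed; the demo tree, the demo patch and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): apply a kernel patch safely.
# Assumes GNU patch; TREE is the kernel source dir, PATCHFILE an absolute path.

# needs_esp_patch VERSION -> 0 if VERSION is in the 4.11 series the thread
# reports as broken (4.11.4 .. 4.11.7 were tried there), 1 otherwise.
needs_esp_patch() {
    case "$1" in
        4.11|4.11.*) return 0 ;;
        *)           return 1 ;;
    esac
}

# apply_patch TREE PATCHFILE -> 0 if the patch is applied (now or already),
# 1 if it does not fit the tree. Nothing is modified unless the dry run passes.
apply_patch() {
    (
        cd "$1" || exit 1
        # A reverse dry run that succeeds means the hunks are already in place.
        if patch -R -p1 -s -f --dry-run < "$2" >/dev/null 2>&1; then
            echo "already applied: $2"
            exit 0
        fi
        # Forward dry run first so a non-matching hunk leaves no .rej behind.
        if ! patch -p1 -s -f --dry-run < "$2" >/dev/null 2>&1; then
            echo "patch does not apply cleanly in $1" >&2
            exit 1
        fi
        patch -p1 -s -f < "$2" && echo "applied: $2"
    )
}

# Constructed stand-in for /usr/src/linux with a one-hunk patch, so the helpers
# can be exercised without a real kernel tree. Prints the tree's path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/net/ipv4"
    printf 'int a;\nint b;\nint c;\n' > "$d/net/ipv4/demo.c"
    cat > "$d/demo_patch" <<'EOF'
--- a/net/ipv4/demo.c
+++ b/net/ipv4/demo.c
@@ -1,3 +1,4 @@
 int a;
+int esp_offset = 0;
 int b;
 int c;
EOF
    echo "$d"
}

# Typical use on a real tree (not executed here):
#   cd /usr/src/linux
#   needs_esp_patch "$(make -s kernelversion)" && apply_patch "$PWD" "$PWD/esp_patch"
```

The reverse dry run is what makes the helper safe to re-run after every `emerge` of a new 4.11.y source tarball: on a fresh tree it fails and the forward path runs, on a tree that already carries the hunks it reports that and exits 0, and the kernel is only rebuilt when something actually changed.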
josephg
l33t
Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Sun Jun 25, 2017 8:36 am    Post subject: Re: [SOLVED] Strongswan and kernel-4.11.X

cdstealer wrote:
I run my own VPN solely for the purpose of using my mobile phone on public networks.

Would you tell me how you do this, or refer me to some links please? Thanks.
cdstealer
Guru

PostPosted: Sun Jun 25, 2017 8:53 am    Post subject:

Hi Josephg, I did my own howto as I couldn't find anything complete from start to finish. Have a go. It's just my brain dump, so if you have any questions, please let me know. Here is my blog post: http://cdblog.cdstealer.com/?p=1231. I hope you find it useful.

Cheers

[Moderator edit: expanded tinyurl to point to the actual URL. Some people prefer not to follow tinyurl redirects. -Hu]
josephg
l33t

PostPosted: Sun Jun 25, 2017 9:07 am    Post subject:

Thank you cdstealer :) I've wanted to do something like this for a while, just for my mobile to grab internet sometimes on public/restricted wifi.
Your blog post is extremely helpful with detailed information, but I don't see any VPN/client setup, possibilities or scenarios. How/what can you do on the Android end?
cdstealer
Guru

PostPosted: Sun Jun 25, 2017 9:14 am    Post subject:

I use the strongswan android app. But yes, you are right. I'll knock something up. In the meantime, here's one I found that may suffice ;) https://help.my-private-network.co.uk/support/solutions/articles/6000158345-ikev2-vpn-setup-via-strongswan-app-for-android. There are a couple of steps missing depending on what you're doing. For example, getting your certificate on to the phone and then configuring the client to use it. I'll add my howto to the bottom of my blog when it's complete.
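Added example, not the thread author's configuration and not the contents of the linked blog post: a minimal strongSwan `ipsec.conf` server connection for the setup described above, IKEv2 with the phone authenticating through its own certificate from the strongSwan Android app. The hostname, the CA distinguished name, the address pool, the DNS server and the cipher proposals are assumptions; replace them with your own PKI and addressing.

```conf
# /etc/ipsec.conf on the VPN server (constructed example; names are assumptions)
config setup
    uniqueids = never            # the same client identity may connect from more than one device

conn android-ikev2
    keyexchange = ikev2
    ike = aes256gcm16-prfsha384-ecp384!
    esp = aes256gcm16-ecp384!
    # server side: authenticate with a certificate and always send the chain
    left = %any
    leftid = @vpn.example.net
    leftcert = vpn.example.net.pem
    leftsendcert = always
    leftsubnet = 0.0.0.0/0       # tunnel all of the phone's traffic
    # client side: the phone presents a certificate issued by the home CA
    right = %any
    rightauth = pubkey
    rightca = "C=GB, O=Home, CN=Home VPN CA"
    rightsourceip = 10.10.10.0/24
    rightdns = 10.10.10.1
    # phones change networks: detect dead peers and let the SA move with them
    dpdaction = clear
    dpddelay = 30s
    mobike = yes
    auto = add
```

A phone on public Wi-Fi is behind NAT, so IKEv2 NAT traversal wraps ESP in UDP on port 4500; that is the UDP-encapsulation branch of `esp_output()` (the one that sets `*skb_mac_header(skb) = IPPROTO_UDP` in the patch earlier in this thread), so a mobile client exercises exactly the code the patch changes. On the server, `ip xfrm state` shows `encap type espinudp sport 4500 dport 4500` on the SAs when that path is in use, which is a quick way to confirm a broken tunnel is on the affected path before rebuilding a kernel. Whether the Android app accepts the ECP-384 proposals above depends on the app version; AES-GCM with a DH group both ends support is the point, not these exact values.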
cdstealer
Guru

PostPosted: Sun Jun 25, 2017 11:11 am    Post subject:

Hi, I've now added the client setup howto. Hope it helps.
josephg
l33t

PostPosted: Sun Jun 25, 2017 12:46 pm    Post subject:

Thank you again cdstealer :) That was quick. Guess I'll also need a static IP or DynDNS etc.
cdstealer
Guru

PostPosted: Sun Jun 25, 2017 1:29 pm    Post subject:

No worries :)

I'm not on a static myself, but my IP doesn't change very often ;)
cdstealer
Guru

PostPosted: Mon Jul 03, 2017 5:53 pm    Post subject:

*UPDATE* This has now been patched in 4.12.0 :) But now my wireless mouse doesn't work, but that's a new thread ;)