OpenWrt Forum Archive

Topic: Building openswan from source...

The content of this topic has been archived on 6 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I am trying to build openswan from source for a WRT54Gv2(CAN) router. While I have followed the article at http://wiki.linuxops.net/tiki-read_article.php, it is incomplete; specifically, I cannot build the kernel driver.

I would very much appreciate any help on this. Once I am successful, I will post the full set of commands that work to this thread for all to benefit...

Please note that if you don't add the "modules" option to the openswan ipkg/rules, the ipkg is made, but not the modules package. Obviously, I am missing something here...

Thanks in advance!


Here's what I've done:

Building WRT54G v2 firmware
using BusyBox v1.00-rc2 (2004.08.11-21:27+0000)

1) cvs -d:pserver:anonymous@openwrt.ksilebo.net:/openwrt login
2) cvs -d:pserver:anonymous@openwrt.ksilebo.net:/openwrt co buildroot
3) cd buildroot
4) make

If this is the first time on the router...

5) Open LinkSys admin page: http://192.168.1.1
6) Open LinkSys update firmware page.
7) Upload openwrt-g-code.bin
8) Reboot

First time logging in...

1) Ethernet cable to a LAN port...
2) ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
3) route add default gw 192.168.1.1
4) telnet 192.168.1.1
5) firstboot

NOTE: I am running BusyBox v1.00-rc2 (2004.08.14-00:22+0000).

And if this is first time in, run...

Set boot wait...

1) nvram set boot_wait=true
2) nvram commit
3) reboot

as the ping hack doesn't work on the WRT54Gv2 (Canadian version).


OpenSwan:

1) Edit sources/openwrt/busybox/busybox.config as follows:

  a) CONFIG_ID=y  (from not set)
  b) CONFIG_TR=y  (from not set)
  c) CONFIG_DIRNAME=y  (from not set)
  d) CONFIG_HOSTNAME=y   (from not set)

  EXTRA (my choice):
 
  i) CONFIG_IP=y  (from not set)
  ii) CONFIG_IPADDR=y
  iii) CONFIG_IPLINK=y
  iv) CONFIG_IPROUTE=y
  v) CONFIG_IPTUNNEL=y
    Turned on for network settings; --I don't want to rebuild again for these.

2) Build firmware.

Now we want to build GMP (a prereq to openswan)...

3) wget ftp://ftp.sunet.se/pub/gnu/gmp/gmp-4.1.3.tar.gz
4) tar xvzf gmp-4.1.3.tar.gz
5) cd gmp-4.1.3/
6) wget http://www.linuxops.net/ipkg/gmp-4.1.3-ipkg.tar.gz
7) tar xvzf gmp-4.1.3-ipkg.tar.gz
8) vi ipkg/rules
  Edit OPENWRTBR to point to the OpenWRT buildroot directory.
9) vi ipkg/control
  Edit and add name to Maintainer field.
10) export PATH=$PATH:/home/me/linksys/openwrt-cpp/buildroot/build_mipsel/staging_dir/bin
11) ../../buildroot/build_mipsel/staging_dir/bin/ipkg-buildpackage
  NOTE: I am building openswan in .../buildroot/
  NOTE: If building again one may have to remove /tmp/gmp/ and /tmp/gmp.build/.

This works.


Now we want to build openswan...
 
12) wget http://www.openswan.org/code/openswan-2.1.2.tar.gz
13) tar xvzf openswan-2.1.2.tar.gz
14) cd openswan-2.1.2
15) wget http://www.linuxops.net/ipkg/archived/o … pkg.tar.gz
16) tar xvzf openswan-2.1.2-ipkg.tar.gz
17) vi ipkg/rules
  Edit OPENWRTBR to point to the OpenWRT buildroot directory.
  Eg.: OPENWRTBR:=/home/me/linksys/openwrt-cpp/buildroot
18) vi ipkg/control
  Edit and add name to Maintainer field.
19) Edit ipkg/rules...

a) to have /tmp/gmp.build instead of /tmp/gmp:
USERCOMPILE:=$(TARGET_CFLAGS) -L/usr/local/openwrt/buildroot/build_mipsel/root/lib/ -L/tmp/gmp.build/usr/lib -I/usr/local/openwrt/buildroot/build_mipsel/root/include -I/tmp/gmp.build/usr/include

  b) to have KERNELSRC="$(STAGING_DIR)/../linux" and module added...
$(MAKE) DESTDIR=$(DESTDIR) $(TARGET_CONFIGURE_OPTS) USERCOMPILE="$(USERCOMPILE)" KERNELSRC="$(STAGING_DIR)/../linux" programs module

20) ../../buildroot/build_mipsel/staging_dir/bin/ipkg-buildpackage


And then I get as output...

[snip]
/home/me/linksys/openwrt-cpp/buildroot/build_mipsel/staging_dir/bin/mipsel-linux-uclibc-gcc  -DIPCOMP_PREFIX -include /home/me/linksys/openwrt-cpp/openswan/openswan-2.1.2/packaging/linus/config-all.h -I../../include -I/home/me/linksys/openwrt-cpp/buildroot/build_mipsel/staging_dir/../linux/include  -I../../lib/zlib  -Wall -DARCH=i386  -DMODVERSIONS -include /home/me/linksys/openwrt-cpp/buildroot/build_mipsel/staging_dir/../linux/include/linux/modversions.h -DMODULE  -D__KERNEL__ -I/home/me/linksys/openwrt-cpp/buildroot/build_mipsel/WRT54GS/release/src/linux/linux/include -Wall -Wstrict-prototypes -Wno-trigraphs -Os -fno-strict-aliasing -fno-common -fomit-frame-pointer -pipe  -DKBUILD_BASENAME=ipsec_sa  -c -o ipsec_sa.o ipsec_sa.c
{standard input}: Assembler messages:
{standard input}:1348: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($16)'
{standard input}:1350: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($16)'
{standard input}:1570: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($4)'
{standard input}:1572: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($4)'
{standard input}:1677: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($16)'
{standard input}:1679: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($16)'
{standard input}:1753: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($5)'
{standard input}:1755: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($5)'
{standard input}:1996: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($17)'
{standard input}:1998: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($17)'
{standard input}:2021: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($3)'
{standard input}:2023: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($3)'
{standard input}:2259: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($17)'
{standard input}:2261: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($17)'
{standard input}:2267: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($16)'
{standard input}:2269: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($16)'
{standard input}:2453: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($17)'
{standard input}:2455: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($17)'
{standard input}:2490: Error: opcode not supported on this processor: mips1 (mips1) `ll $2,4($17)'
{standard input}:2492: Error: opcode not supported on this processor: mips1 (mips1) `sc $2,4($17)'
make[2]: *** [ipsec_sa.o] Error 1
make[2]: Leaving directory `/home/me/linksys/openwrt-cpp/openswan/openswan-2.1.2/linux/net/ipsec'
make[1]: *** [module] Error 2
make[1]: Leaving directory `/home/me/linksys/openwrt-cpp/openswan/openswan-2.1.2'
make: *** [build-stamp] Error 2
Build failed
me@electron:~/linksys/openwrt-cpp/openswan/openswan-2.1.2$

You're right, the instructions given don't describe how to build a kernel module package. Personally, I create that package manually, as I have not found a way to create more than one package from a single control file yet.

Anyway, the extra command you need in ipkg/rules to build a kernel module which will work is:

build-stamp: $(BASE_DIR)/.patched
  $(MAKE) $(TARGET_CONFIGURE_OPTS) KERNELSRC=$(KERNELSRC) ARCH=mips module

That doesn't spit out a package ready to install, so you'll have to create that by hand using ipkg-build like so:

1) create a directory to make a package from

mkdir -p temp/lib/modules/2.4.20/kernel/net/ipsec

2) copy the module to it

cp modobj/ipsec.o temp/lib/modules/2.4.20/kernel/net/ipsec/

3) create a CONTROL directory

mkdir temp/CONTROL

4) Create a control file in it

vi temp/CONTROL/control

with the following contents:

Package: openswan-module
Version: <version>
Priority: optional
Section: Communications
Architecture: mipsel
Maintainer: <you>
Description: Openswan ipsec.o binary module for openwrt 2.4.20 kernel
Source: http://www.openswan.org/code/openswan-<version>.tar.gz

5) create a postinst file

temp/CONTROL/postinst

with the content:

#!/bin/sh
echo "/lib/modules/2.4.20/kernel/net/ipsec/ipsec.o:" >> /lib/modules/modules.dep 
insmod ipsec.o

6) create a prerm script

vi temp/CONTROL/prerm

with the content:

#!/bin/sh
rmmod ipsec.o
mv /lib/modules/modules.dep /tmp

cat /tmp/modules.dep | grep -v ipsec.o > /lib/modules/modules.dep

rm /tmp/modules.dep

7) create the package for the module

ipkg-build -o root -g root temp/ .

I've included the module build in the latest stuff I've been working on for openswan-2.2.0. As soon as it gets released (openswan-2.2.0, I mean) I'm going to build new packages with some bugfixes, a new ipkg/rules which makes a bit more sense and an updated document. I hope to get to all that before I go on vacation next week. If not, I'll have to do it while on my vacation address.

Polarwolf... Thanks for your help!

As I said in my original post, I'd post how I compiled it, so here it goes...

0) mkdir -p linksys/openwrt-fakeroot ; cd linksys/openwrt-fakeroot
1) fakeroot
2) cvs -d:pserver:anonymous@openwrt.ksilebo.net:/openwrt login
3) cvs -d:pserver:anonymous@openwrt.ksilebo.net:/openwrt co buildroot
4) cd buildroot

NOTE: If you want C++ compiling support you must edit buildroot/Makefile and change
      INSTALL_LIBSTDCPP from false to true (INSTALL_LIBSTDCPP:=true).

5) make
6) Open LinkSys admin page: http://192.168.1.1
7) Open LinkSys update firmware page.
8) Upload openwrt-g-code.bin

NOTE: I am using a WRT54G. If you are using something else, upload the correct binary as instructed on the Getting Started page on this site.

9) Reboot (your router)

-----

First time logging in...

1) Ethernet cable to a LAN port...
2) ifconfig eth0 192.168.1.2 netmask 255.255.255.0 up
3) route add default gw 192.168.1.1
4) telnet 192.168.1.1
5) Run "firstboot" on the router.

-----

Also, the first time you log in, you'll want to set boot wait on the router...

1) nvram set boot_wait=true
2) nvram commit
3) reboot

-----

Okay, now you'll want to build OpenSwan. I assume you are using the Debian distribution version of Linux, if not, substitute the various package commands with their equivalent...

0) apt-get install htmldoc

NOTE #1: The openswan sources depend on this. I wasn't able to get it to compile the docs properly anyways, so I "rm -rf"'d the openswan docs directory and removed "docs" from the SUBDIRS variable in openswan's Makefile.

NOTE #2: Being a developer, I already have all of the major Linux development packages installed. However, you may find that you need to install a package or two to get openswan to compile if you don't normally compile/develop software.

1) Edit sources/openwrt/busybox/busybox.config as follows:

  a) CONFIG_ID=y  (from not set)
  b) CONFIG_TR=y  (from not set)
  c) CONFIG_DIRNAME=y  (from not set)
  d) CONFIG_HOSTNAME=y   (from not set)

  EXTRA (my preferences but these aren't required):
 
  i) CONFIG_IP=y  (from not set)
  ii) CONFIG_IPADDR=y
  iii) CONFIG_IPLINK=y
  iv) CONFIG_IPROUTE=y
  v) CONFIG_IPTUNNEL=y
    Turned on for network settings.
   
2) Build firmware (as per above).

Now we want to build GMP (a prereq to openswan). I decided to build my openswan stuff in linksys/openwrt-fakeroot/openswan/. Assume that we are in that directory to start.

3) wget ftp://ftp.sunet.se/pub/gnu/gmp/gmp-4.1.3.tar.gz
4) tar xvzf gmp-4.1.3.tar.gz
5) cd gmp-4.1.3/
6) wget http://www.linuxops.net/ipkg/gmp-4.1.3-ipkg.tar.gz
7) tar xvzf gmp-4.1.3-ipkg.tar.gz
8) vi ipkg/rules
  Edit OPENWRTBR to point to the OpenWRT buildroot directory.
9) vi ipkg/control
  Edit and add name to Maintainer field.
10) export PATH=$PATH:/home/me/linksys/openwrt-cpp/buildroot/build_mipsel/staging_dir/bin
11) ../../buildroot/build_mipsel/staging_dir/bin/ipkg-buildpackage -c

  NOTE: If building again one may have to remove /tmp/gmp/ and /tmp/gmp.build/.

  NOTE: There may be a better way to build this inside of buildroot.
 
Now we can build openswan. Assume we are again in linksys/openwrt-fakeroot/openswan.

12) wget http://www.openswan.org/code/openswan-2.1.2.tar.gz
13) tar xvzf openswan-2.1.2.tar.gz
14) cd openswan-2.1.2
15) wget http://www.linuxops.net/ipkg/archived/o … pkg.tar.gz
16) tar xvzf openswan-2.1.2-ipkg.tar.gz
17) vi ipkg/rules
  Edit OPENWRTBR to point to the OpenWRT buildroot directory.
  Eg.: OPENWRTBR:=/home/me/linksys/openwrt-cpp/buildroot
18) vi ipkg/control
  Edit and add name to Maintainer field.
19) Edit ipkg/rules...

a) to have /tmp/gmp.build instead of /tmp/gmp:
USERCOMPILE:=$(TARGET_CFLAGS) -L/home/me/linksys/openwrt-fakeroot/buildroot/build_mipsel/root/lib/ -L/tmp/gmp.build/usr/lib -I/usr/local/openwrt/buildroot/build_mipsel/root/include -I/tmp/gmp.build/usr/include

  b) and to build the kernel as well as the program, you'll need to ensure that the lines:

build-stamp: $(BASE_DIR)/.patched
  $(MAKE) DESTDIR=$(DESTDIR) $(TARGET_CONFIGURE_OPTS) USERCOMPILE="$(USERCOMPILE)" programs

is followed by:

  $(MAKE) $(TARGET_CONFIGURE_OPTS) KERNELSRC=$(STAGING_DIR)/../linux ARCH=mips module

That is you should have:

build-stamp: $(BASE_DIR)/.patched
  $(MAKE) DESTDIR=$(DESTDIR) $(TARGET_CONFIGURE_OPTS) USERCOMPILE="$(USERCOMPILE)" programs
  $(MAKE) $(TARGET_CONFIGURE_OPTS) KERNELSRC=$(STAGING_DIR)/../linux ARCH=mips module

NOTE: Those are single tabs (NOT spaces!) in front of $(MAKE).

  c) Remove doc directory and remove doc from SUBDIRS in Makefile.

NOTE: See above. The docs wouldn't build properly so I simply got rid of them.

20) ../../buildroot/build_mipsel/staging_dir/bin/ipkg-buildpackage -c

NOTE: The -c is VERY important; --you need a tar gzip'd package not a Debian one!

There's more! (See next section...)

-----

Now for the remainder of PolarWolf's instructions not placed above, except I have done them as a script for ease-of-compilation.

In linksys/openwrt-fakeroot/openswan open in your favourite text editor a file called "mk-openswan-module" and place the following in it:

--- BEGIN mk-openswan-module SCRIPT ---
#!/bin/bash
# Package an already-built ipsec.o as the openswan-module .ipk.
set -e  # stop at the first failing step (e.g. ipsec.o was never built)

OPENSWAN_DIR=./openswan-2.1.2
OPENSWAN_MODDIR=${OPENSWAN_DIR}-module

# Start from an empty package tree and copy the module into place.
rm -rf "$OPENSWAN_MODDIR"
mkdir -p "$OPENSWAN_MODDIR/lib/modules/2.4.20/kernel/net/ipsec"
cp "$OPENSWAN_DIR/linux/net/ipsec/ipsec.o" "$OPENSWAN_MODDIR/lib/modules/2.4.20/kernel/net/ipsec/"

# Create the CONTROL file...
mkdir -p "$OPENSWAN_MODDIR/CONTROL"
cat >"$OPENSWAN_MODDIR/CONTROL/control" <<ZZEOF
Package: openswan-module
Version: 2.1.2-2.4.20
Priority: optional
Section: Communications
Architecture: mipsel
Maintainer: me <me@myaddress.something>
Description: Openswan ipsec.o binary module for openwrt 2.4.20 kernel
Source: http://www.openswan.org/code/openswan-2.1.2.tar.gz
ZZEOF

# Create the postinst file...
cat >"$OPENSWAN_MODDIR/CONTROL/postinst" <<ZZEOF
#!/bin/sh
echo "/lib/modules/2.4.20/kernel/net/ipsec/ipsec.o:" >> /lib/modules/modules.dep
insmod ipsec.o
ZZEOF
chmod +x "$OPENSWAN_MODDIR/CONTROL/postinst"

# Create the prerm script (the file must be named "prerm", as in the
# manual steps earlier in the thread, or it is not run on removal)...
cat >"$OPENSWAN_MODDIR/CONTROL/prerm" <<ZZEOF
#!/bin/sh
rmmod ipsec.o
mv /lib/modules/modules.dep /tmp
cat /tmp/modules.dep | grep -v ipsec.o > /lib/modules/modules.dep
rm /tmp/modules.dep
ZZEOF
chmod +x "$OPENSWAN_MODDIR/CONTROL/prerm"

# Create the package
ipkg-build -c -o root -g root "$OPENSWAN_MODDIR/" .
--- END mk-openswan-module SCRIPT ---

Run "chmod +x mk-openswan-module" after you have saved the script.

Run "./mk-openswan-module" to build the kernel module package.

-----

Okay, now you want to INSTALL this onto your favourite router...

1) In linksys/openwrt-fakeroot/openswan you'll have 3 .ipk files from the above instructions:

  gmp_4.1.3_mipsel.ipk
  openswan_2.1.2_mipsel.ipk
  openswan-module_2.1.2-2.4.20_mipsel.ipk

so you'll want to copy these files to a directory on some webserver that you have set up or can access.

2) In addition to step (1), you'll need to make the required ipkg Packages files. Because you will run this more than once, I recommend creating a file called Makefile in the directory you put your .ipk files into. The Makefile should have the following in it:

all:
   /home/me/linksys/openwrt-fakeroot/buildroot/build_mipsel/staging_dir/bin/ipkg-make-index . > Packages.new ; cp -f Packages.new Packages ; rm Packages.new

NOTE: The line after "all:" MUST start with a tab NOT spaces. Use an editor that stores tabs!

If you aren't running a Linux-based webserver, then you'll need to do this on a Linux system prior to uploading your files to a web server. Those files are in:

  linksys/openwrt-fakeroot/buildroot/build-mipsel

3) Run "make" in that directory. While you are at it, you may also want to copy the .ipk files out of buildroot into that directory as well. Don't forget to re-run "make".

4) Verify with a normal web browser that everything can be downloaded from your web server. If not, you may need to run:

  chmod 644 Makefile *.ipk Packages*

in your web server directory. :-)


Okay, now it is time to do stuff on your router:

1) telnet 192.168.1.1
2) ls -ld /etc/ipkg.conf

If ipkg.conf is a symbolic link, then:

  a) cd /etc
  b) cp ipkg.conf ipkg.conf2
  c) rm ipkg.conf
  d) mv ipkg.conf2 ipkg.conf

3) vi /etc/ipkg.conf
4) Add a line to the effect of:

  src openswan http://192.168.1.2/~me/wrt54g

obviously replacing the URL as appropriate. You may want to delete the openwrt.org URL that is already in there. You can always add it back later if you want.

5) ipkg update
6) ipkg list

NOTE: You should see your packages.

7) ipkg install gmp
8) ipkg install openswan-module
9) ipkg install openswan

And then all you need to do is configure openswan. See the openswan documentation/website for details.
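
The postinst and prerm scripts in the two posts above append to and filter /lib/modules/modules.dep. As an added example that is not part of either post, here is one way to make those edits idempotent and exact-match in plain sh (no awk or grep needed on the router); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent, exact-match handling of the
# modules.dep entry that the postinst/prerm scripts manage. Plain sh only.
MODPATH="/lib/modules/2.4.20/kernel/net/ipsec/ipsec.o"   # path used in the thread

# moddep_count FILE PATH: print how many entries in FILE have target exactly PATH.
moddep_count() {
    n=0
    if [ -f "$1" ]; then
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in "$2:"*) n=$((n + 1)) ;; esac
        done < "$1"
    fi
    echo "$n"
}

# moddep_add FILE PATH: register PATH once; a reinstall must not append again
# (the plain "echo ... >>" in postinst adds a duplicate line on every install).
moddep_add() {
    [ "$(moddep_count "$1" "$2")" -gt 0 ] && return 0
    printf '%s:\n' "$2" >> "$1"
}

# moddep_remove FILE PATH: drop only the entry whose target is PATH. Lines that
# merely name PATH as a dependency of another module are kept, which
# "grep -v ipsec.o" would also delete.
moddep_remove() {
    [ -f "$1" ] || return 0
    tmp="$1.new.$$"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$2:"*) ;;                       # the module's own entry: drop
            *) printf '%s\n' "$line" ;;      # everything else: keep verbatim
        esac
    done < "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$1"    # rename in the same directory; the file never goes missing
}

# Constructed demo on a scratch file; nothing under /lib is touched.
moddep_demo() {
    d=$(mktemp -d) || return 1
    f="$d/modules.dep"
    # Constructed sample: uses_ipsec.o is a hypothetical module depending on ipsec.o.
    printf '%s\n' "/lib/modules/2.4.20/kernel/net/example/uses_ipsec.o: $MODPATH" > "$f"
    moddep_add "$f" "$MODPATH"
    moddep_add "$f" "$MODPATH"               # simulated reinstall
    echo "entries after two installs: $(moddep_count "$f" "$MODPATH")"
    moddep_remove "$f" "$MODPATH"
    echo "entries after removal: $(moddep_count "$f" "$MODPATH")"
    echo "remaining: $(cat "$f")"
    rm -rf "$d"
}
moddep_demo
```

In a package, postinst would call `moddep_add /lib/modules/modules.dep "$MODPATH"` before insmod and prerm would call `moddep_remove` after rmmod.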

Don't forget to install mawk.

Apparently there are some openswan scripts which rely on having mawk available. You can get that ipkg package from openswan.org or from linuxops.net.

I haven't read your instructions from start to finish as I assume they're right. Given the amount of steps required, I'd say things are still too complicated. I've already rid the requirement of `tr` and `id` in my packages, and I have to look at `dirname` and `hostname`. Not to mention mawk. The fewer dependencies, the better. I hope I can rewrite the mawk dependent bits to proper awk.

It seems openswan-2.2.0 won't get released before I go on vacation, so creating new packages will have to wait. I'm tagging along my laptop, so I'll be able to package stuff when I feel like it.

Note the script I put above that permits easy creating of an ipkg for the kernel modules and there are minor corrections to my original instructions.

Thanks for the instruction.

However, I think there is something missing here about nat-t: since nat-t requires a patch to the kernel udp.c file, the kernel needs to be patched and rebuilt.

I am wondering if this can be included as a standard patch in a future release. This patch is pretty 'stable' in the sense that additional features of openswan usually don't need to change this.

A few comments.

First, gmp and mawk packages are already available from the openswan ftp server in ftp.openswan.org/openswan/binaries/openwrt

Just add it to your ipkg.conf

Second, you need a kernel patch if you want nat traversal support. Without this patch it will be impossible to connect to your openwrt ipsec server from behind a NAT router.

It seems my posting, which included the patch, has been removed from this forum; you will have to ask mbm why. 

openswan-2.2 will not be out in the next few days, because of a bug with the algo patch and xauth.

openswan-2.1.5 is the current version. I will be creating that package hopefully over the weekend. It will be available on the ftp server as well.

I am sorry to see the Openwrt project is not interested in integrating IPsec support. We were planning on adding openwrt as a standard binary build package with our official Openswan releases, but that does require some cooperation between Openswan and Openwrt.

Paul

A few comments.

First, gmp and mawk packages are already available from the openswan ftp server in ftp.openswan.org/openswan/binaries/openwrt

Just add it to your ipkg.conf

You need gmp available to build openswan anyway, hence the instructions to build it.

On a side note, can you explain why openswan depends on mawk, and if that can be "fixed"?

Second, you need a kernel patch if you want nat traversal support. Without this patch it will be impossible to connect to your openwrt ipsec server from behind a NAT router.

It seems my posting, which included the patch, has been removed from this forum; you will have to ask mbm why.

I still see your post and patch in the forum thread for it, so unless you mean a different post, it's still there. mbm did mention something about the patch file being in an invalid format or something.

openswan-2.2 will not be out in the next few days, because of a bug with the algo patch and xauth.

openswan-2.1.5 is the current version. I will be creating that package hopefully over the weekend. It will be available on the ftp server as well.

I am sorry to see the Openwrt project is not interested in integrating IPsec support. We were planning on adding openwrt as a standard binary build package with our official Openswan releases, but that does require some cooperation between Openswan and Openwrt.

I'm sure things can be worked out between projects. I for one intend to keep working on this as one of the reasons I'm using OpenWRT is that it'll run openswan. And it's not like it's hard to package or anything, it's just that there need to be a few prerequisites met which can be worked around though (see the `tr` and `id` stuff). With respect to NAT-T, well, it would be very nice to have that little bit included in the default kernel to make everyone's life a little bit easier. I'm not in dire need of it myself since I have no hosts connecting from behind NAT to my ipsec gateway, but I'm sure some people would like to see it supported anyways.

In my own biased opinion, having full ipsec support, including NAT-T is a strong selling point for OpenWRT on cheap linksys-like devices. It doesn't perform that well, but hey, 1.5-2.5mbps is plenty for a VPN uplink to the office!

The discussion might have continued from here.