The content of this topic has been archived on 7 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.
# ipsec start
no files found matching '/etc/strongswan.d/charon/*.conf', ignored
no files found matching '/etc/strongswan.d/*.conf', ignored
Starting strongSwan 5.1.3 IPsec [starter]...
/bin/sh: modprobe: not found
/bin/sh: modprobe: not found
/bin/sh: modprobe: not found
/bin/sh: modprobe: not found
/bin/sh: modprobe: not foundHow do I fix this problem?
Hi,
there seems to be a bug with strongswan 5.1.3. Commit 39377. You have to compile the package manually.
As nbd in a mail replied:
"strongswan is part of the old unmaintained packages repository, which
will at some point no longer be included in the builds. Before further changes can be made to that package, it needs to have a maintainer."
The following patch seems to resolve it (should be placed under feeds/packages/net/strongswan/patches/201-kmodloader.patch:
--- a/src/starter/netkey.c
+++ b/src/starter/netkey.c
@@ -31,7 +31,7 @@ bool starter_netkey_init(void)
/* af_key module makes the netkey proc interface visible */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv af_key"));
+ ignore_result(system("insmod af_key 2>&1 >/dev/null"));
}
/* now test again */
@@ -45,11 +45,11 @@ bool starter_netkey_init(void)
/* make sure that all required IPsec modules are loaded */
if (stat(PROC_MODULES, &stb) == 0)
{
- ignore_result(system("modprobe -qv ah4"));
- ignore_result(system("modprobe -qv esp4"));
- ignore_result(system("modprobe -qv ipcomp"));
- ignore_result(system("modprobe -qv xfrm4_tunnel"));
- ignore_result(system("modprobe -qv xfrm_user"));
+ ignore_result(system("insmod ah4 2>&1 >/dev/null"));
+ ignore_result(system("insmod esp4 2>&1 >/dev/null"));
+ ignore_result(system("insmod ipcomp 2>&1 >/dev/null"));
+ ignore_result(system("insmod xfrm4_tunnel 2>&1 >/dev/null"));
+ ignore_result(system("insmod xfrm_user 2>&1 >/dev/null"));
}
DBG2(DBG_APP, "found netkey IPsec stack");Furthermore, the conf files of the modules are not installed. The following resolves this:
--- feeds/packages/net/strongswan/Makefile.org 2014-07-25 10:22:29.215768842 +0200
+++ feeds/packages/net/strongswan/Makefile 2014-07-25 11:45:54.107786458 +0200
@@ -319,11 +319,7 @@ define BuildPlugin
strongswan_mod_conf=$(wildcard $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/$(1).conf)
define Package/strongswan-mod-$(1)/install
$(INSTALL_DIR) $$(1)/etc/strongswan.d/charon
- $(if $(call strongswan_mod_conf,$(1)), \
- $(INSTALL_DATA) \
- $(call strongswan_mod_conf,$(1)) \
- $$(1)/etc/strongswan.d/charon/ \
- )
+ $(CP) $(PKG_INSTALL_DIR)/etc/strongswan.d/charon/$(1).conf $$(1)/etc/strongswan.d/charon/
$(INSTALL_DIR) $$(1)/usr/lib/ipsec/plugins
$(CP) $(PKG_INSTALL_DIR)/usr/lib/ipsec/plugins/libstrongswan-$(1).so \
$$(1)/usr/lib/ipsec/plugins/In case you need the *ipk files I could provide them.
(Last edited by scitech on 25 Jul 2014, 11:15)
Hi
I compiled a r42421 openwrt build with strongswan - 5.2.0-1.
Configured it as descibed in Roadwarrior FAQ (http://wiki.openwrt.org/doc/howto/vpn.ipsec.roadwarrior) and get
Sun Sep 7 12:14:35 2014 authpriv.info ipsec_starter[4323]: Starting strongSwan 5.2.0 IPsec [starter]...
Sun Sep 7 12:14:35 2014 user.info syslog: ah4 is already loaded
Sun Sep 7 12:14:35 2014 user.info syslog: esp4 is already loaded
Sun Sep 7 12:14:35 2014 user.info syslog: ipcomp is already loaded
Sun Sep 7 12:14:35 2014 user.info syslog: xfrm4_tunnel is already loaded
Sun Sep 7 12:14:35 2014 user.info syslog: xfrm_user is already loaded
Sun Sep 7 12:14:35 2014 daemon.info syslog: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.0, Linux 3.10.49, mips)
Sun Sep 7 12:14:35 2014 daemon.info syslog: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
Sun Sep 7 12:14:35 2014 daemon.info syslog: 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
Sun Sep 7 12:14:35 2014 daemon.info syslog: 00[LIB] failed to load 2 critical plugin features
Sun Sep 7 12:14:35 2014 daemon.info syslog: 00[DMN] initialization failed - aborting charon
Sun Sep 7 12:14:35 2014 authpriv.info ipsec_starter[4336]: charon has quit: initialization failed
Sun Sep 7 12:14:35 2014 authpriv.info ipsec_starter[4336]: charon refused to be started
Sun Sep 7 12:14:35 2014 authpriv.info ipsec_starter[4336]: ipsec starter stoppedI have strongswan-mod-nonce - 5.2.0-1 and strongswan-mod-sha1 - 5.2.0-1 installed:
root@OpenWrt:/etc/strongswan.d/charon# opkg list_installed
base-files - 156-r42421
block-mount - 2014-06-22-e0430f5c62f367e5a8e02755412977b02c3fc45e
busybox - 1.22.1-2
dnsmasq - 2.71-4
dropbear - 2014.65-2
firewall - 2014-08-11a
fstools - 2014-06-22-e0430f5c62f367e5a8e02755412977b02c3fc45e
hostapd-common - 2014-06-03-1
ip - 3.15.0-1
ip6tables - 1.4.21-1
ipsec-tools - 0.8.2-1
iptables - 1.4.21-1
iptables-mod-ipsec - 1.4.21-1
iw - 3.15-1
iwinfo - 51
jshn - 2014-08-04-dffbc09baf71b294185a36048166d00066d433b5
jsonfilter - 2014-06-19-cdc760c58077f44fc40adbbe41e1556a67c1b9a9
kernel - 3.10.49-1-2d9e719241aa3197a476d21f6b69c29b
kmod-adm8211 - 3.10.49+2014-05-22-1
kmod-ath - 3.10.49+2014-05-22-1
kmod-ath9k - 3.10.49+2014-05-22-1
kmod-ath9k-common - 3.10.49+2014-05-22-1
kmod-bridge - 3.10.49-1
kmod-cfg80211 - 3.10.49+2014-05-22-1
kmod-crypto-aes - 3.10.49-1
kmod-crypto-arc4 - 3.10.49-1
kmod-crypto-authenc - 3.10.49-1
kmod-crypto-cbc - 3.10.49-1
kmod-crypto-core - 3.10.49-1
kmod-crypto-deflate - 3.10.49-1
kmod-crypto-des - 3.10.49-1
kmod-crypto-hash - 3.10.49-1
kmod-crypto-hmac - 3.10.49-1
kmod-crypto-iv - 3.10.49-1
kmod-crypto-manager - 3.10.49-1
kmod-crypto-md5 - 3.10.49-1
kmod-crypto-pcompress - 3.10.49-1
kmod-crypto-rng - 3.10.49-1
kmod-crypto-sha1 - 3.10.49-1
kmod-crypto-wq - 3.10.49-1
kmod-eeprom-93cx6 - 3.10.49-1
kmod-fs-ext4 - 3.10.49-1
kmod-gpio-button-hotplug - 3.10.49-1
kmod-ip6tables - 3.10.49-1
kmod-ipsec - 3.10.49-1
kmod-ipsec4 - 3.10.49-1
kmod-ipsec6 - 3.10.49-1
kmod-ipt-conntrack - 3.10.49-1
kmod-ipt-core - 3.10.49-1
kmod-ipt-ipsec - 3.10.49-1
kmod-ipt-nat - 3.10.49-1
kmod-ipt-nathelper - 3.10.49-1
kmod-iptunnel4 - 3.10.49-1
kmod-iptunnel6 - 3.10.49-1
kmod-ipv6 - 3.10.49-1
kmod-leds-wndr3700-usb - 3.10.49-1
kmod-ledtrig-usbdev - 3.10.49-1
kmod-lib-crc-ccitt - 3.10.49-1
kmod-lib-crc16 - 3.10.49-1
kmod-lib-zlib - 3.10.49-1
kmod-llc - 3.10.49-1
kmod-mac80211 - 3.10.49+2014-05-22-1
kmod-nls-base - 3.10.49-1
kmod-ppp - 3.10.49-1
kmod-pppoe - 3.10.49-1
kmod-pppox - 3.10.49-1
kmod-scsi-core - 3.10.49-1
kmod-slhc - 3.10.49-1
kmod-stp - 3.10.49-1
kmod-usb-core - 3.10.49-1
kmod-usb-ohci - 3.10.49-1
kmod-usb-storage - 3.10.49-1
kmod-usb2 - 3.10.49-1
libblobmsg-json - 2014-08-04-dffbc09baf71b294185a36048166d00066d433b5
libc - 0.9.33.2-1
libcurl - 7.36.0-1
libevent2 - 2.0.21-1
libgcc - 4.8-linaro-1
libgmp - 6.0.0-1
libip4tc - 1.4.21-1
libip6tc - 1.4.21-1
libiwinfo - 51
libjson-c - 0.11-2
libjson-script - 2014-08-04-dffbc09baf71b294185a36048166d00066d433b5
libnl-tiny - 0.1-3
libopenssl - 1.0.1i-1
libpolarssl - 1.3.8-1
libpthread - 0.9.33.2-1
librt - 0.9.33.2-1
libubox - 2014-08-04-dffbc09baf71b294185a36048166d00066d433b5
libubus - 2014-07-03-f688c7ad0b2435a89bfd13f5496cabf596b54c8f
libuci - 2014-04-11.1-1
libxtables - 1.4.21-1
mailsend - 1.17b15-1
mtd - 20
netifd - 2014-08-31-b2dcb02570939d98b92c7c55db1c328693a5d52a
odhcp6c - 2014-08-25-0300fe7589a1701361735ac068e4b57bb1a1896f
odhcpd - 2014-08-23-24452e1e3e9adfd9d8e183db1aa589f77727f5a7
openssl-util - 1.0.1i-1
opkg - 9c97d5ecd795709c8584e972bfdf3aee3a5b846d-7
ppp - 2.4.6-2
ppp-mod-pppoe - 2.4.6-2
procd - 2014-08-29-6a6fa0a6067cb3c522f5dc735e808a68f62b30b2
samba36-server - 3.6.24-1
strongswan - 5.2.0-1
strongswan-charon - 5.2.0-1
strongswan-default - 5.2.0-1
strongswan-mod-aes - 5.2.0-1
strongswan-mod-attr - 5.2.0-1
strongswan-mod-constraints - 5.2.0-1
strongswan-mod-des - 5.2.0-1
strongswan-mod-dnskey - 5.2.0-1
strongswan-mod-fips-prf - 5.2.0-1
strongswan-mod-gmp - 5.2.0-1
strongswan-mod-hmac - 5.2.0-1
strongswan-mod-kernel-netlink - 5.2.0-1
strongswan-mod-md5 - 5.2.0-1
strongswan-mod-nonce - 5.2.0-1
strongswan-mod-openssl - 5.2.0-1
strongswan-mod-pem - 5.2.0-1
strongswan-mod-pgp - 5.2.0-1
strongswan-mod-pkcs1 - 5.2.0-1
strongswan-mod-pubkey - 5.2.0-1
strongswan-mod-random - 5.2.0-1
strongswan-mod-resolve - 5.2.0-1
strongswan-mod-revocation - 5.2.0-1
strongswan-mod-sha1 - 5.2.0-1
strongswan-mod-sha2 - 5.2.0-1
strongswan-mod-socket-default - 5.2.0-1
strongswan-mod-stroke - 5.2.0-1
strongswan-mod-updown - 5.2.0-1
strongswan-mod-x509 - 5.2.0-1
strongswan-mod-xauth-generic - 5.2.0-1
strongswan-mod-xcbc - 5.2.0-1
strongswan-utils - 5.2.0-1
swconfig - 10
transmission-daemon - 2.84-1
transmission-remote - 2.84-1
uboot-envtools - 2014.07-1
ubox - 2014-05-30-c3d4118eee505f41c4d20a87f326479530837569
ubus - 2014-07-03-f688c7ad0b2435a89bfd13f5496cabf596b54c8f
ubusd - 2014-07-03-f688c7ad0b2435a89bfd13f5496cabf596b54c8f
uci - 2014-04-11.1-1
wpad-mini - 2014-06-03-1
zlib - 1.2.8-1/etc/strongswan.d/charon directory is empty. Should it be?
Probably scitech patch should be altered somehow? Could you please help, guys?
I believe there should be default configuration files in /etc/strongswan.conf and the /etc/strongswan.d hierarchy (or perhaps the /usr/share documentation hierarchy).
I recently setup a StrongSwan 5.1.3 connection and copied my initial strongswan.d hierarchy from a Ubuntu 14.04 /usr/share/strongswan/templates. I had installed the strongswan-full. My notes indicate that I also installed; ipsec-tools, kmod-ipsec, strongswan-mod-ccm, and strongswan-mod-gcm.
I am an openwrt newbie so I can't yet help with the OpenWrt StrongSwan package.
/etc/strongswan.d/charon directory is empty. Should it be?
Probably scitech patch should be altered somehow? Could you please help, guys?
Did you resolve this? It has been sometime since I developed the patch but eventually I could help. What is your current status?
This strongswan update is a total mess. There are broken/impossible dependencies (modprobe), missing conf files and the whole thing is a complete screw up.
I built patched packages but of course their checksums don't match the official versions so to install them I had to unpack them and do it manually. Even so I never did manage to get my VPN working again with these new packages.
Fortunately the older, working versions are still available at http://downloads.openwrt.org/attitude_a … /packages/ so I downloaded them, force-downgrade installed them, then restored configs from backup archive and finally I have a working VPN again. I have now pinned the working strongswan packages by doing
opkg list-installed |grep strongswan |awk -F " - " '{print $1}' |xargs opkg flag holdThis has been a huge time sink and a real pita (setting up a buildroot just to apply a couple of patches, which didn't fix the problem!).
Is there a pressing reason why a working strongswan was replaced with a newer version, this in a stable repository, not some bleeding edge or testing build? If there really is a security issue then fair enough but could it not at least be tested and verified functional before being rolled out? If the patches are actually good then why are broken binaries still made available? Surely patched, tested, working binaries should replace the faulty ones?
/etc/strongswan.d/charon directory is empty. Should it be?
Probably scitech patch should be altered somehow? Could you please help, guys?
I was not able to start StrongSwan without commenting out this line in /etc/strongswan.conf:
load_modular = yes
The discussion might have continued from here.