<div dir="ltr"><div><div><div>Ok, I found out and everything is working flawlessly.<br><br></div>WD's GPL toolchain for the MyCloud device fooled me.<br><br></div>While the .config had CONFIG_INET_ESP=m, after LOTS of tinkering, I've found that in the source code it has:<br><br>[rfreire@rf ipv4]$ grep esp Makefile <br>#obj-$(CONFIG_INET_ESP) += esp4.o<br><br></div><div>YES: The GPL source had it disabled at the Makefile level.<br><br></div><div>After uncommenting it (and from ipv6 too) and recompiling, everything just.works(TM).<br><br></div><div>A hint for someone else hitting the very same problem:<br><br></div><div>1. Try to add a test connection using ip xfrm, like:<br><br>ip xfrm state add src 172.16.8.3 dst 172.16.8.158 proto esp spi 1234 reqid 16380 mode transport auth sha1 0x27b12f61fdc46b0f545256a405ac29fc8c137514 enc aes 0x5f5fb739d41eee7a5fe793917d18cadd<br><br></div><div>If it fails at this stage, it means that the kernel backend is flawed.<br><br></div><div>2. A working (considering that most of your ipsec stack is modular) lsmod output:<br><br>root@MyCloud:~# lsmod<br>Module Size Used by<br>xfrm4_mode_tunnel 1586 4 <br>xfrm4_mode_transport 1136 0 <br>pfe 428717 0 <br>xfrm_user 24068 2 <br>xfrm4_tunnel 1443 0 <br>tunnel4 2043 1 xfrm4_tunnel<br>ipcomp 1770 0 <br>xfrm_ipcomp 4059 1 ipcomp<br>esp4 6415 2 <br>ah4 4666 0 <br>af_key 30346 0 <br>cryptosoft 13291 0 <br>cryptodev 11075 0 <br>ocf 23776 2 cryptodev,cryptosoft<br><br></div><div>Hope that helps other users.<br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Apr 23, 2017 at 8:38 PM, Rodrigo Stuffs <span dir="ltr"><<a href="mailto:rbs@brasilia.br" target="_blank">rbs@brasilia.br</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi there list,<br><br>Yes, you have seen $SUBJECT. 
But I promise, no need to roll eyes: I *think* I did my homework properly.<br><br>Here's the scenario: I have rebuilt a kernel of a WD My Cloud box in order to extend it.<br><br>The Kernel config is available at <a href="https://pastebin.com/mYGiK3eN" target="_blank">https://pastebin.com/mYGiK3eN</a><br><br>Prior to posting here I really tried to do my homework, doing extensive mailing list research. But it seems that the kernel build side is apparently OK.<br><br>The Strongswan output is the following:<br>---<br>Apr 23 23:28:36 MyCloud systemd[1]: Starting Cleanup of Temporary Directories...<br>Apr 23 23:28:36 MyCloud systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...<br>Apr 23 23:28:36 MyCloud systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.<br>Apr 23 23:28:36 MyCloud ipsec[1734]: Starting strongSwan 5.2.1 IPsec [starter]...<br>Apr 23 23:28:36 MyCloud ipsec_starter[1734]: Starting strongSwan 5.2.1 IPsec [starter]...<br>Apr 23 23:28:36 MyCloud systemd[1]: Started Cleanup of Temporary Directories.<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.26, armv7l)<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading crls from '/etc/ipsec.d/crls'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from '/etc/ipsec.secrets'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from '/etc/ipsec.d/mfrf.secrets'<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loaded IKE secret for 172.16.8.3<br>Apr 23 23:28:36 MyCloud 
charon[1749]: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] dropped capabilities, running as uid 0, gid 0<br>Apr 23 23:28:36 MyCloud charon[1749]: 00[JOB] spawning 16 worker threads<br>Apr 23 23:28:36 MyCloud ipsec_starter[1734]: charon (1749) started after 80 ms<br>Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] received stroke: add connection 'teste'<br>Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] added configuration 'teste'<br>Apr 23 23:28:36 MyCloud charon[1749]: 09[CFG] received stroke: initiate 'teste'<br>Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1] to 172.16.8.3<br>Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1] to 172.16.8.3<br>Apr 23 23:28:36 MyCloud ipsec[1734]: charon (1749) started after 80 ms<br>Apr 23 23:28:37 MyCloud charon[1749]: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>Apr 23 23:28:37 MyCloud charon[1749]: 09[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (1108 bytes)<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] received packet: from 172.16.8.3[500] to 172.16.8.158[500] (376 bytes)<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V ]<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] received unknown vendor ID: 4f:45:75:5c:64:5c:6a:79:5c:5c:61:70<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] authentication of '172.16.8.158' (myself) with pre-shared key<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste<br>Apr 23 23:28:37 MyCloud 
charon[1749]: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]<br>Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (380 bytes)<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] received packet: from 172.16.8.3[500] to 172.16.8.158[500] (204 bytes)<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] authentication of '172.16.8.3' with pre-shared key successful<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] scheduling reauthentication in 3305s<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] maximum IKE_SA lifetime 3485s<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with SPI c6781a65<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with SPI a6ac1542<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] failed to establish CHILD_SA, keeping IKE_SA<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c6781a65<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] generating INFORMATIONAL request 2 [ D ]<br>Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)<br>Apr 23 23:28:41 MyCloud charon[1749]: 06[IKE] retransmit 1 of 
request with message ID 2<br>Apr 23 23:28:41 MyCloud charon[1749]: 06[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)<br>Apr 23 23:28:48 MyCloud charon[1749]: 08[IKE] retransmit 2 of request with message ID 2<br>Apr 23 23:28:48 MyCloud charon[1749]: 08[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)<br>---<br><br>It is a real simple ipsec setup, between two systems in the local network: 172.16.8.158 (the Strongswan box) and 172.16.8.3 (an openswan 2.6.37 box).<br>The ipsec endpoints should use a PSK key.<br><br>The configuration is pretty much standard and untouched. I have only added an include clause, see below:<br>---<br>root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.conf <br>config setup<br>include /etc/ipsec.d/*.conf<br>---<br>root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.secrets <br>include /etc/ipsec.d/*.secrets<br>---<br><br></div>And here are the relevant config files:<br><div><br>root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.conf (the only .conf file over there)<br>conn teste<br> left=172.16.8.158<br> right=172.16.8.3<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> authby=secret<br> auto=start<br>---<br>root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.secrets (the only .secrets file over here too)<br>172.16.8.3 : PSK "zomgsecretkeyhere"<br>---<br><br>The Strongswan version:<br>---<br>root@MyCloud:/dev/shm# dpkg -l | grep strongsw<br>ii libstrongswan 5.2.1-6+deb8u2 armhf strongSwan utility and crypto library<br>ii libstrongswan-standard-plugins 5.2.1-6+deb8u2 armhf strongSwan utility and crypto library (standard plugins)<br>ii strongswan 5.2.1-6+deb8u2 all IPsec VPN solution metapackage<br>ii strongswan-charon 5.2.1-6+deb8u2 armhf strongSwan Internet Key Exchange daemon<br>ii strongswan-libcharon 5.2.1-6+deb8u2 armhf strongSwan charon library<br>ii strongswan-starter 5.2.1-6+deb8u2 armhf strongSwan daemon starter and configuration file parser<br><br><br>The loaded modules 
output:<br><br>---<br>root@MyCloud:~# bash teste.sh <br>CONFIG_XFRM_USER=m<br>CONFIG_NET_KEY=m<br>CONFIG_INET=y<br>CONFIG_IP_ADVANCED_ROUTER=y<br>CONFIG_IP_MULTIPLE_TABLES=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_IPV6=m<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>CONFIG_NETFILTER=y<br>CONFIG_NETFILTER_XTABLES=m<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br>---<br>root@MyCloud:/dev/shm# grep -e XFRM -e IPCOMP -e DEFLATE /boot/config-3.2.26 <br>CONFIG_XFRM=y<br>CONFIG_XFRM_USER=m<br>CONFIG_XFRM_SUB_POLICY=y<br>CONFIG_XFRM_MIGRATE=y<br>CONFIG_XFRM_STATISTICS=y<br>CONFIG_XFRM_IPCOMP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m<br>CONFIG_CRYPTO_DEFLATE=y<br>CONFIG_ZLIB_DEFLATE=y<br>---<br>lsmod output:<br>root@MyCloud:/dev/shm# lsmod<br>Module Size Used by<br>xfrm6_mode_tunnel 1514 0 <br>xfrm4_mode_tunnel 1586 0 <br>xfrm_user 24068 2 <br>xfrm4_tunnel 1443 0 <br>tunnel4 2043 1 xfrm4_tunnel<br>pfe 428717 0 <br>ipcomp 1770 0 <br>xfrm_ipcomp 4059 1 ipcomp<br>ah4 4666 0 <br>af_key 30346 0 <br>cryptosoft 13291 0 <br>cryptodev 11075 0 <br>ocf 23776 2 cryptodev,cryptosoft<br>ipv6 262883 20 xfrm6_mode_tunnel<br>---<br><br>Any hints? /o\<br><br>Thanks for stopping by! \o<br><br>- Rodrigo.<br></div></div>
</blockquote></div><br></div>
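The two checks the reply describes (a .config symbol set to m whose obj line is commented out in the Makefile, and an lsmod listing that has no esp4) can be scripted so a rebuilt tree is audited before charon ever reports "Protocol not supported (93)". The script below is an added example written for this page; it is not code from the thread, from strongSwan or from WD's GPL tree. It assumes the kernel build convention `obj-$(CONFIG_FOO) += foo.o` and works on a constructed .config, Makefile and lsmod sample (labelled as such in the script) that reproduce the mismatch from the reply; the net/ipv4 object names used in the sample are the real ones, the file contents are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: automate the two checks from the reply.
#
#  find_disabled_objs <.config> <Makefile>
#      Prints "SYMBOL OBJECT" for every CONFIG_* symbol that .config sets to
#      y or m but whose "obj-$(CONFIG_...) += foo.o" line is commented out.
#      No output means no mismatch.
#  esp_module_loaded
#      Reads lsmod output on stdin; succeeds only if esp4 is listed.
#  make_sample_tree
#      Writes a constructed .config/Makefile pair to a temp dir and prints it.

find_disabled_objs() {
    config="$1"
    makefile="$2"
    # Only commented-out obj lines can silently drop an object from the build.
    grep -E '^[[:space:]]*#[[:space:]]*obj-\$\(CONFIG_[A-Z0-9_]+\)[[:space:]]*\+=' "$makefile" |
    while IFS= read -r line; do
        sym=$(printf '%s\n' "$line" | sed -E 's/.*\$\((CONFIG_[A-Z0-9_]+)\).*/\1/')
        obj=$(printf '%s\n' "$line" | sed -E 's/.*\+=[[:space:]]*//; s/[[:space:]]*$//')
        # A commented obj line is only a problem when .config enables the symbol;
        # "# CONFIG_X is not set" entries do not match this pattern.
        if grep -qE "^${sym}=(y|m)$" "$config"; then
            printf '%s %s\n' "$sym" "$obj"
        fi
    done
}

esp_module_loaded() {
    # lsmod columns are "Module Size Used by"; match esp4 at line start only.
    grep -qE '^esp4[[:space:]]'
}

make_sample_tree() {
    dir=$(mktemp -d)
    # Constructed .config: ESP enabled as a module, XFRM_TUNNEL disabled.
    cat > "$dir/.config" <<'EOF'
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
# CONFIG_INET_XFRM_TUNNEL is not set
EOF
    # Constructed net/ipv4 Makefile fragment with esp4.o commented out, as in
    # the reply; XFRM_TUNNEL is also commented but harmless because .config
    # does not enable it.
    cat > "$dir/Makefile" <<'EOF'
obj-$(CONFIG_INET_AH) += ah4.o
#obj-$(CONFIG_INET_ESP) += esp4.o
obj-$(CONFIG_INET_IPCOMP) += ipcomp.o
#obj-$(CONFIG_INET_XFRM_TUNNEL) += xfrm4_tunnel.o
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: audit the constructed tree, then check a constructed
# pre-fix lsmod listing that, like the one in the question, has no esp4.
tree=$(make_sample_tree)
echo "Enabled in .config but commented out in Makefile:"
find_disabled_objs "$tree/.config" "$tree/Makefile"
if printf 'ah4 4666 0\naf_key 30346 0\n' | esp_module_loaded; then
    echo "esp4 loaded"
else
    echo "esp4 not loaded: 'ip xfrm state add ... proto esp' will fail"
fi
rm -rf "$tree"
```

Against a real tree, run `find_disabled_objs .config net/ipv4/Makefile` and the same for net/ipv6/Makefile (the reply had to fix both); any line printed is an object the build will silently skip even though .config enables it, which is what later surfaces as charon's "unable to add SAD entry". The `ip xfrm state add` probe from the reply remains the authoritative runtime check, since it exercises the running kernel rather than the source tree.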