[strongSwan] Users Digest, Vol 125, Issue 34

Rizwan Saleem malik.chand at hotmail.com
Sun Jun 28 21:46:18 CEST 2020


Hi,

I have installed strongSwan 5.8.4 on CentOS 8.
After configuring the roadwarrior configuration, I've used the exact example configuration with the required modifications, and I got this error:

swanctl[40987]: no files found matching '/etc/strongswan/strongswan.conf'

Can you please explain?
I've been stuck on it for almost a month; I'm new to Linux.
________________________________
From: Users <users-bounces at lists.strongswan.org> on behalf of users-request at lists.strongswan.org <users-request at lists.strongswan.org>
Sent: Saturday, June 27, 2020 1:36 AM
To: users at lists.strongswan.org <users at lists.strongswan.org>
Subject: Users Digest, Vol 125, Issue 34

Send Users mailing list submissions to
        users at lists.strongswan.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.strongswan.org/mailman/listinfo/users
or, via email, send a message with subject or body 'help' to
        users-request at lists.strongswan.org

You can reach the person managing the list at
        users-owner at lists.strongswan.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Users digest..."


Today's Topics:

   1. Re: StrongSwan w/ multiple local subnets. (TomK)
   2. Re: remote_ts to catch in 'updown' - how? (lejeczek)
   3. Re: StrongSwan w/ multiple local subnets. (TomK)


----------------------------------------------------------------------

Message: 1
Date: Fri, 26 Jun 2020 10:04:06 -0400
From: TomK <tomkcpr at mdevsys.com>
To: Tobias Brunner <tobias at strongswan.org>, users at lists.strongswan.org
Subject: Re: [strongSwan] StrongSwan w/ multiple local subnets.
Message-ID: <24bc9046-d69d-8830-9415-02f4e456baf3 at mdevsys.com>
Content-Type: text/plain; charset=utf-8; format=flowed

On 6/24/2020 10:40 AM, TomK wrote:
> On 6/24/2020 9:19 AM, Tobias Brunner wrote:
>> Hi Tom,
>>
>>> May I ask which exact line above told you I'm missing xfrm_user?  The
>>> ones that start with CUSTOM?
>>
>> Yes, the first one is logged after the kernel-netlink plugin failed to
>> open a Netlink/XFRM socket, plus it is obviously missing in the module
>> lists you posted after that.
>
> Kool
>
>>
>>> This is DD-WRT so it's a minimized router kernel. I was surprised as the
>>> next guy learning that module isn't available.
>>
>> Yeah, makes not much sense to enable the other IPsec-related modules
>> without a means to actually use them.  But why did you use the 2.6.23
>> kernel sources to build the missing module if your router uses a 4.4.190
>> kernel?
>
> Was questioning my sanity around that as well but initially only found the
> wiki page for 2.6.33 .  The SVN appeared a bit messy to me, probably
> because I'm not familiar with it yet, so wasn't sure if they just reused
> the folder name or if it was truly for Linux 2.6.33.  And couldn't find
> the Linux 4.4's at the time until I rummaged through the SVN the next day.
>
> Look further down on the post.  I've tried the Linux 4.4 branch but
> couldn't get that to work.  There's some missing Makefiles.
>
>>
>>> I tinkered around with this at some point.  I had it originating from
>>> 192.168.0.6 > 10.10.0.4 but same results.  Based on what you wrote,
>>> unless I get xfrm_user module installed, this won't work regardless of
>>> what source IP it's coming from?
>>
>> No, that's unrelated.  You need that module to use the IPsec stack in
>> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).
>> The whole point of the userland IPsec stack is that it bypasses the
>> kernel and can run with reduced privileges (e.g. on Android where apps
>> can create TUN devices via VpnService API but can't access the kernel's
>> IPsec stack via Netlink/XFRM).
>>
>>> instead of originating from the WAN IP. No reply of course.  My routes
>>
>> Are ESP packets sent?  If yes, are any returned?  If not, then this
>> seems to be an issue on the other end.  So try to follow the traffic
>> there.
>
> That is what I'm not sure about.  Between StrongSwan (SSW) and Azure VPN
> Gateway, I'm not able to find which one is it.  I've setup a packet
> trace from the Azure VPN Gateway but the only option it gave me as a
> target was against one of the Azure VM's.  Not between Azure VPN Gateway
> and the on-prem gateway.
>
> So in the least I was hoping to confirm if everything was sent correctly
> from SSW then I'll be more sure that the issue is really with Azure VPN
> Gateway blocking traffic.
>
> What I do know is that I can ping from the Azure VM's back down to my
> on-prem VLAN (192.168.0.X/24 ) but NOT FROM my router that's running
> SSW. In other words, traffic flows only one way.  Down.
>
> So to me this looked like an issue where:
>
> 1) Like you said, ESP packets are not getting sent properly from SSW to
> Azure VPN Gateway.  (  How do I confirm this with 100% certainty?  What
> should I look for to determine if there's any dropped packets on my
> on-prem F/W that's on this router? )
>
> 2) The Azure VPN Gateway is blocking on-prem to itself.  I've made sure
> the F/W on the Azure side is not an issue.
>
>
>
>>
>>> root at DD-WRT:~# ip route
>>
>> Again, strongSwan installs its routes in table 220, that is, use `ip
>> route show table 220` (or `all`).
>
> root at DD-WRT:~# ip route show table all
> default via 100.100.100.50 dev vlan2
> 10.0.0.0/24 via 192.168.0.1 dev br0  metric 20
> 10.1.0.0/24 via 192.168.0.1 dev br0  metric 20
> 10.1.1.0/24 dev tun2 scope link  src 10.1.1.1
> 10.2.0.0/24 via 192.168.0.1 dev br0  metric 20
> 10.3.0.0/24 via 192.168.0.1 dev br0  metric 20
> 100.100.100.75/27 dev vlan2 scope link  src 100.100.100.100
> 127.0.0.0/8 dev lo scope link
> 192.168.0.0/24 dev br0 scope link  src 192.168.0.6
> 192.168.45.0/24 dev wl0.1 scope link  src 192.168.45.1
> 192.168.75.0/24 dev wl1.1 scope link  src 192.168.75.1
> broadcast 10.1.1.0 dev tun2 table local scope link  src 10.1.1.1
> local 10.1.1.1 dev tun2 table local scope host  src 10.1.1.1
> broadcast 10.1.1.255 dev tun2 table local scope link  src 10.1.1.1
> broadcast 100.100.100.75 dev vlan2 table local scope link  src 100.100.100.100
> local 100.100.100.100 dev vlan2 table local scope host  src 100.100.100.100
> broadcast 100.100.100.25 dev vlan2 table local scope link  src 100.100.100.100
> broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
> local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
> local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
> broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
> broadcast 192.168.0.0 dev br0 table local scope link  src 192.168.0.6
> local 192.168.0.6 dev br0 table local scope host  src 192.168.0.6
> broadcast 192.168.0.255 dev br0 table local scope link  src 192.168.0.6
> broadcast 192.168.45.0 dev wl0.1 table local scope link  src 192.168.45.1
> local 192.168.45.1 dev wl0.1 table local scope host  src 192.168.45.1
> broadcast 192.168.45.255 dev wl0.1 table local scope link  src 192.168.45.1
> broadcast 192.168.75.0 dev wl1.1 table local scope link  src 192.168.75.1
> local 192.168.75.1 dev wl1.1 table local scope host  src 192.168.75.1
> broadcast 192.168.75.255 dev wl1.1 table local scope link  src 192.168.75.1
> root at DD-WRT:~#
>
>
> root at DD-WRT:~# ip route show table 220
> root at DD-WRT:~#
>
>
> ( Redacted the IP hence why you see 100.100.100.X for the ISP GW )
>
>>
>> Regards,
>> Tobias
>>
>
>

What are the dependencies of all these modules listed here?  I'm close
and was able to load quite a few:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261

https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

but xfrm_user.ko doesn't insert and suspecting due to missing dependencies:

root at DD-WRT:/opt/xfrm4# lsmod
Module                  Size  Used by
tunnel6                 1691  0
xfrm4_mode_tunnel       1354  0
xfrm4_mode_transport      778  0
xfrm4_mode_beet         1418  0
ah4                     4540  0
esp4                    5175  0
xfrm_ipcomp             2853  0
xfrm4_tunnel            1368  0
xfrm_algo               3645  3 ah4,esp4,xfrm_ipcomp
ip_tunnel              10496  0
tunnel4                 1692  1 xfrm4_tunnel
ext4                  319105  1
jbd2                   50250  1 ext4
mbcache                 7009  1 ext4
crc16                   1060  1 ext4
vhci_hcd               12705  0
usbip_host             12201  0
usbip_core              4593  2 vhci_hcd,usbip_host
usblp                   8913  0
usb_storage            37587  1
sr_mod                 11005  0
cdrom                  24153  1 sr_mod
sd_mod                 24627  1
scsi_mod               83966  3 usb_storage,sr_mod,sd_mod
xhci_plat_hcd           2116  0
xhci_pci                2632  0
xhci_hcd               84444  2 xhci_plat_hcd,xhci_pci
ohci_pci                2157  0
ohci_hcd               23292  1 ohci_pci
ehci_pci                2829  0
ehci_hcd               33905  1 ehci_pci
usbcore               127988 12 vhci_hcd,usbip_host,usblp,usb_storage,xhci_plat_hcd,xhci_pci,xhci_hcd,ohci_pci,ohci_hcd,ehci_pci,ehci_hcd
usb_common              1589  2 vhci_hcd,usbcore
ip6_tables              9261  0
xt_ndpi               344541  0
tun                    15569  4
fast_classifier       138897  0
jffs2                  92216  1
lzo_decompress          1764  0
lzo_compress            1828  0
lzma_decompress         8228  1 jffs2
lzma_compress          23664  1 jffs2
wl                   4384906  0
switch_robo            13611  0
switch_core             5449  1 switch_robo
et                     42648  0
root at DD-WRT:/opt/xfrm4#


All others insert just fine as long as they are added in a specific
sequence:


root at DD-WRT:/opt/xfrm4# for mods in $(echo tunnel4.ko ip_tunnel.ko xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko xfrm4_mode_beet.ko xfrm4_mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko xfrm_user.ko); do insmod $mods; done
insmod: cannot insert 'tunnel4.ko': File exists
insmod: cannot insert 'ip_tunnel.ko': File exists
insmod: cannot insert 'xfrm_algo.ko': File exists
insmod: cannot insert 'xfrm4_tunnel.ko': File exists
insmod: cannot insert 'xfrm_ipcomp.ko': File exists
insmod: cannot insert 'esp4.ko': File exists
insmod: cannot insert 'ah4.ko': File exists
insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
insmod: cannot insert 'xfrm4_mode_transport.ko': File exists
insmod: cannot insert 'xfrm4_mode_tunnel.ko': File exists
insmod: cannot insert 'xfrm_user.ko': unknown symbol in module
root at DD-WRT:/opt/xfrm4#


root at DD-WRT:/opt/xfrm4# strings xfrm_user.ko|grep -Ei depends
depends=xfrm_algo
root at DD-WRT:/opt/xfrm4# insmod xfrm_algo.ko
insmod: cannot insert 'xfrm_algo.ko': File exists
root at DD-WRT:/opt/xfrm4# lsmod|grep xfrm_algo
xfrm_algo               3645  3 ah4,esp4,xfrm_ipcomp
root at DD-WRT:/opt/xfrm4#



--
Thx,
TK.
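Added example, not TomK's commands above and not strongSwan code: the `strings xfrm_user.ko | grep depends` check in this message shows the module declares only xfrm_algo, which is already loaded, so a missing dependency is not what "unknown symbol in module" is reporting. That error means the kernel could not find an exported symbol the module references, which is the usual result of a module built against different kernel sources or configuration than the one running (the quoted exchange mentions both 2.6.33 and 4.4.190). The script below resolves a dependency-respecting insmod order from `depends=` strings, and refuses to insmod a module whose `vermagic=` kernel does not match `uname -r`. The dependency table is constructed sample data for the demonstration; the function names and the `load_with_deps DIR MOD...` usage are this example's own.

```shell
#!/bin/sh
# Dependency-ordered, vermagic-checked module loading (added example, assumptions as
# stated in the lead-in). Needs only `strings` and `insmod`, which the router has.
set -eu

# "module dep1,dep2" per line, "-" for no dependencies. Constructed sample data that
# only loosely mirrors the lsmod output in the thread, not taken from the real .ko files.
DEPS_TABLE='tunnel4 -
ip_tunnel -
xfrm_algo -
xfrm4_tunnel tunnel4
xfrm_ipcomp xfrm_algo
esp4 xfrm_algo
ah4 xfrm_algo
xfrm4_mode_beet -
xfrm4_mode_transport -
xfrm4_mode_tunnel -
xfrm_user xfrm_algo'

# "depends=a,b" (as printed by `strings foo.ko | grep depends=`) -> "a b"
parse_depends() {
    printf '%s\n' "$1" | sed -n 's/^depends=//p' | tr ',' ' '
}

# Kernel release a module was built for, taken from its "vermagic=..." line
vermagic_kernel() {
    printf '%s\n' "$1" | sed -n 's/^vermagic=\([^ ]*\).*/\1/p'
}

# True when the module's vermagic kernel equals the running one ($2, normally `uname -r`)
vermagic_matches() {
    [ "$(vermagic_kernel "$1")" = "$2" ]
}

# Dependencies of one module according to DEPS_TABLE, space separated (may be empty)
deps_of() {
    printf '%s\n' "$DEPS_TABLE" | awk -v m="$1" '$1 == m && $2 != "-" { gsub(",", " ", $2); print $2 }'
}

# Depth-first resolution: a module is appended to ORDER only after all of its deps
ORDER=""
resolve() {
    case " $ORDER " in *" $1 "*) return 0 ;; esac   # already placed
    for d in $(deps_of "$1"); do resolve "$d"; done
    ORDER="$ORDER $1"
}

# Print an insmod order that satisfies every dependency of the requested modules
load_order() {
    ORDER=""
    for m in "$@"; do resolve "$m"; done
    printf '%s\n' "${ORDER# }"
}

# Load modules from $1 in dependency order, checking vermagic against the running kernel
load_with_deps() {
    dir=$1; shift
    running=$(uname -r)
    for m in $(load_order "$@"); do
        ko="$dir/$m.ko"
        vm=$(strings "$ko" | grep '^vermagic=' || true)
        if ! vermagic_matches "$vm" "$running"; then
            echo "$m: built for '$(vermagic_kernel "$vm")', running '$running'; refusing to insmod" >&2
            return 1
        fi
        if grep -q "^$m " /proc/modules 2>/dev/null; then
            echo "$m: already loaded"
        elif insmod "$ko"; then
            echo "$m: loaded"
        else
            echo "$m: insmod failed; dmesg names the unresolved symbol" >&2
            return 1
        fi
    done
}

# Run as a script: ./load_modules.sh /opt/xfrm4 xfrm_user esp4
if [ $# -ge 2 ]; then
    load_with_deps "$@"
fi
```

A matching vermagic is necessary but not sufficient: with CONFIG_MODVERSIONS the kernel also compares per-symbol CRCs, so a module built from the right version but a different .config can still fail, and `dmesg` then names the symbol (or reports a version disagreement for it). The `depends=` string only lists other modules; it never lists kernel-internal symbols, which is why it looked complete in this thread while the insert still failed.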


------------------------------

Message: 2
Date: Fri, 26 Jun 2020 23:24:22 +0100
From: lejeczek <peljasz at yahoo.co.uk>
To: users at lists.strongswan.org
Subject: Re: [strongSwan] remote_ts to catch in 'updown' - how?
Message-ID: <28c1e89f-4014-0810-4a47-f30e467e0633 at yahoo.co.uk>
Content-Type: text/plain; charset=utf-8



On 25/06/2020 08:50, Tobias Brunner wrote:
> Hi,
>
>> But I see it appear only once with the latter IP/net.
> Then you either use IKEv1, or your peer narrowed the traffic selectors
> (due to its configuration or maybe because it only supports a single TS
> per CHILD_SA), check the log for details.
>
> Regards,
> Tobias
Could it be buggy Strongswan, the version I have?

$ swanctl --list-conn
muni: IKEv2, no reauthentication, rekeying every 14400s
  local:  %any
  remote:....
....
  muni: TUNNEL, rekeying every 3600s
    local:  dynamic
    remote: 10.5.4.204/32 172.16.0.0/12

And my 'updown':
----
set -o nounset
set -o errexit

VTI_IF="vti${PLUTO_UNIQUEID}"

_vtiLog="/var/log/vti-iface.log"
_serverClient=${1}
_myLocalIP=$(hostname -i)

echo -ne "\n----RUN\n${VTI_IF} - ${PLUTO_VERB}\n" >> ${_vtiLog}

case "${PLUTO_VERB}" in
  up-client)
    ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}"
    echo ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti key "${PLUTO_MARK_OUT%%/*}" >> ${_vtiLog}
    ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog}
    echo ip link set "${VTI_IF}" mtu 1400 up >> ${_vtiLog} >> ${_vtiLog}
    if [ ${_serverClient} = "roadwarrior" ]; then
      ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
      echo ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}" >> ${_vtiLog}
      ip route add "${PLUTO_PEER_CLIENT}" dev "${VTI_IF}"
      firewall-cmd --zone=strongswan --add-interface="${VTI_IF}"
    elif [ ${_serverClient} = "server" ]; then
      ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src ${_myLocalIP}
      echo ip route add "${PLUTO_PEER_SOURCEIP}" dev "${VTI_IF}" src ${_myLocalIP} >> ${_vtiLog}
    fi
    sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
    echo sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1" >> ${_vtiLog}
  ;;
  down-client)
    ip tunnel del "${VTI_IF}"
    echo ip tunnel del "${VTI_IF}" >> ${_vtiLog}
    firewall-cmd --zone=strongswan --remove-interface="${VTI_IF}"
  ;;
esac
----

And the log's content:

----RUN
vti2 - up-client
ip tunnel add vti2 local _IPa remote _IPb mode vti key 12
ip link set vti2 mtu 1400 up
ip addr add 172.16.32.59 dev vti2
ip route add 10.5.4.204/32 dev vti2
sysctl -w net.ipv4.conf.vti2.disable_policy=1

----RUN
vti2 - up-client
(here I'd expect something but it's where the file ends)


PS. One thing I should mention which I realize seems odd:
10.5.4.204/32 - in reality is a public IP and in swanctl
conf no matter how I put it:
...
remote_ts = "10.5.4.204/32,172.16.0.0/12"
or
remote_ts = "172.16.0.0/12,10.5.4.204/32"

I always get that "public IP" only, whereas before I thought
I got it only when it was specified as last one in the pack.

thanks, L
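Added example, not lejeczek's script above and not strongSwan's own _updown template: an idempotent version of this kind of VTI updown script. charon's updown plugin invokes the script once per local/remote traffic-selector pair, so with two entries in remote_ts the up-client hook runs twice for the same CHILD_SA, each time with a single remote TS in PLUTO_PEER_CLIENT. A script that runs `ip tunnel add` unconditionally under `set -o errexit` aborts on the second run because the interface already exists, before it logs anything. The version here creates the interface only when it is absent, uses `ip route replace` so repeats are harmless, logs the TS pair it was called for, and deletes the interface only after the last TS route is gone. It assumes the PLUTO_* variables the original uses plus PLUTO_MY_CLIENT, which the updown plugin also sets; the IP, SYSCTL, FIREWALL_CMD and VTI_LOG variables are introduced by this example so the commands can be stubbed for a dry run, and both roles install one route per remote TS.

```shell
#!/bin/sh
# Idempotent VTI updown script (added example; assumptions as stated in the lead-in).
set -eu

IP=${IP:-ip}                                   # override for dry runs, e.g. IP="echo ip"
SYSCTL=${SYSCTL:-sysctl}
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
VTI_LOG=${VTI_LOG:-/var/log/vti-iface.log}

log() { printf '%s\n' "$*" >> "$VTI_LOG"; }

# Interface name derived from the IKE_SA unique id, as in the original script
vti_name() { printf 'vti%s\n' "$1"; }

# PLUTO_MARK_OUT is "mark/mask" (e.g. 12/0xffffffff); the vti key is the mark part
mark_key() { printf '%s\n' "${1%%/*}"; }

iface_exists() { $IP link show "$1" >/dev/null 2>&1; }

# Create the interface once. Later up-client runs for the same CHILD_SA (one per
# traffic-selector pair) reuse it instead of failing on 'ip tunnel add'.
ensure_vti() {
    vti=$1
    if iface_exists "$vti"; then
        log "$vti exists, reusing it"
        return 0
    fi
    $IP tunnel add "$vti" local "$PLUTO_ME" remote "$PLUTO_PEER" mode vti key "$(mark_key "$PLUTO_MARK_OUT")"
    $IP link set "$vti" mtu 1400 up
    $SYSCTL -w "net.ipv4.conf.${vti}.disable_policy=1" >/dev/null
    $FIREWALL_CMD --zone=strongswan --add-interface="$vti" >/dev/null
    log "created $vti"
}

updown_main() {   # $1: "roadwarrior" or "server", passed from the swanctl.conf updown line
    role=${1:-server}
    vti=$(vti_name "$PLUTO_UNIQUEID")
    # Every invocation carries exactly one local/remote TS pair; log both
    log "----RUN $vti - $PLUTO_VERB local_ts=$PLUTO_MY_CLIENT remote_ts=$PLUTO_PEER_CLIENT"
    case "$PLUTO_VERB" in
      up-client)
        ensure_vti "$vti"
        if [ "$role" = roadwarrior ]; then
            $IP addr replace "$PLUTO_MY_SOURCEIP" dev "$vti"   # replace: safe to repeat
        fi
        $IP route replace "$PLUTO_PEER_CLIENT" dev "$vti"       # one route per remote TS
        log "route $PLUTO_PEER_CLIENT dev $vti"
        ;;
      down-client)
        $IP route del "$PLUTO_PEER_CLIENT" dev "$vti" 2>/dev/null || true
        # Tear the interface down only after the last TS route is gone
        if ! $IP route show dev "$vti" | grep -q .; then
            $FIREWALL_CMD --zone=strongswan --remove-interface="$vti" >/dev/null
            $IP tunnel del "$vti"
            log "deleted $vti"
        fi
        ;;
    esac
}

# Only act when charon invokes us (PLUTO_VERB set); otherwise just define the functions
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main "$@"
fi
```

Hook it up the same way as the original, via the `updown` option of the child section in swanctl.conf with "roadwarrior" or "server" as the argument. With two remote TS the log then shows two ----RUN lines for the same vti, each naming the TS that invocation covered, which is the place to confirm whether the peer narrowed the selectors to a single one as Tobias suggested.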



------------------------------

Message: 3
Date: Fri, 26 Jun 2020 18:36:12 -0400
From: TomK <tomkcpr at mdevsys.com>
To: Tobias Brunner <tobias at strongswan.org>, users at lists.strongswan.org
Subject: Re: [strongSwan] StrongSwan w/ multiple local subnets.
Message-ID: <de7e6c3f-6367-86f5-f5c8-d95f7dade76a at mdevsys.com>
Content-Type: text/plain; charset=utf-8; format=flowed

On 6/26/2020 10:04 AM, TomK wrote:
> On 6/24/2020 10:40 AM, TomK wrote:
>> On 6/24/2020 9:19 AM, Tobias Brunner wrote:
>>> Hi Tom,
>>>
>>>> May I ask which exact line above told you I'm missing xfrm_user?  The
>>>> ones that start with CUSTOM?
>>>
>>> Yes, the first one is logged after the kernel-netlink plugin failed to
>>> open a Netlink/XFRM socket, plus it is obviously missing in the module
>>> lists you posted after that.
>>
>> Kool
>>
>>>
>>>> This is DD-WRT so it's a minimized router kernel. I was surprised as
>>>> the
>>>> next guy learning that module isn't available.
>>>
>>> Yeah, makes not much sense to enable the other IPsec-related modules
>>> without a means to actually use them.  But why did you use the 2.6.23
>>> kernel sources to build the missing module if your router uses a 4.4.190
>>> kernel?
>>
>> Was questioning my sanity around that as well but initially only found
>> the wiki page for 2.6.33 .  The SVN appeared a bit messy to me,
>> probably because I'm not familiar with it yet, so wasn't sure if they
>> just reused the folder name or if it was truly for Linux 2.6.33.  And
>> couldn't find the Linux 4.4's at the time until I rummaged through the
>> SVN the next day.
>>
>> Look further down on the post.  I've tried the Linux 4.4 branch but
>> couldn't get that to work.  There's some missing Makefiles.
>>
>>>
>>>> I tinkered around with this at some point.  I had it originating from
>>>> 192.168.0.6 > 10.10.0.4 but same results.  Based on what you wrote,
>>>> unless I get xfrm_user module installed, this won't work regardless of
>>>> what source IP it's coming from?
>>>
>>> No, that's unrelated.  You need that module to use the IPsec stack in
>>> the kernel (i.e. to run without kernel-libipsec or ipsec0 interface).
>>> The whole point of the userland IPsec stack is that it bypasses the
>>> kernel and can run with reduced privileges (e.g. on Android where apps
>>> can create TUN devices via VpnService API but can't access the kernel's
>>> IPsec stack via Netlink/XFRM).
>>>
>>>> instead of originating from the WAN IP. No reply of course.  My routes
>>>
>>> Are ESP packets sent?  If yes, are any returned?  If not, then this
>>> seems to be an issue on the other end.  So try to follow the traffic
>>> there.
>>
>> That is what I'm not sure about.  Between StrongSwan (SSW) and Azure
>> VPN Gateway, I'm not able to find which one is it.  I've setup a
>> packet trace from the Azure VPN Gateway but the only option it gave me
>> as a target was against one of the Azure VM's.  Not between Azure VPN
>> Gateway and the on-prem gateway.
>>
>> So in the least I was hoping to confirm if everything was sent
>> correctly from SSW then I'll be more sure that the issue is really
>> with Azure VPN Gateway blocking traffic.
>>
>> What I do know is that I can ping from the Azure VM's back down to my
>> on-prem VLAN (192.168.0.X/24 ) but NOT FROM my router that's running
>> SSW. In other words, traffic flows only one way.  Down.
>>
>> So to me this looked like an issue where:
>>
>> 1) Like you said, ESP packets are not getting sent properly from SSW
>> to Azure VPN Gateway.  (  How do I confirm this with 100% certainty?
>> What should I look for to determine if there's any dropped packets on
>> my on-prem F/W that's on this router? )
>>
>> 2) The Azure VPN Gateway is blocking on-prem to itself.  I've made
>> sure the F/W on the Azure side is not an issue.
>>
>>
>>
>>>
>>>> root at DD-WRT:~# ip route
>>>
>>> Again, strongSwan installs its routes in table 220, that is, use `ip
>>> route show table 220` (or `all`).
>>
>> root at DD-WRT:~# ip route show table all
>> default via 100.100.100.50 dev vlan2
>> 10.0.0.0/24 via 192.168.0.1 dev br0  metric 20
>> 10.1.0.0/24 via 192.168.0.1 dev br0  metric 20
>> 10.1.1.0/24 dev tun2 scope link  src 10.1.1.1
>> 10.2.0.0/24 via 192.168.0.1 dev br0  metric 20
>> 10.3.0.0/24 via 192.168.0.1 dev br0  metric 20
>> 100.100.100.75/27 dev vlan2 scope link  src 100.100.100.100
>> 127.0.0.0/8 dev lo scope link
>> 192.168.0.0/24 dev br0 scope link  src 192.168.0.6
>> 192.168.45.0/24 dev wl0.1 scope link  src 192.168.45.1
>> 192.168.75.0/24 dev wl1.1 scope link  src 192.168.75.1
>> broadcast 10.1.1.0 dev tun2 table local scope link  src 10.1.1.1
>> local 10.1.1.1 dev tun2 table local scope host  src 10.1.1.1
>> broadcast 10.1.1.255 dev tun2 table local scope link  src 10.1.1.1
>> broadcast 100.100.100.75 dev vlan2 table local scope link  src 100.100.100.100
>> local 100.100.100.100 dev vlan2 table local scope host  src 100.100.100.100
>> broadcast 100.100.100.25 dev vlan2 table local scope link  src 100.100.100.100
>> broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1
>> local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1
>> local 127.0.0.1 dev lo table local scope host  src 127.0.0.1
>> broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1
>> broadcast 192.168.0.0 dev br0 table local scope link  src 192.168.0.6
>> local 192.168.0.6 dev br0 table local scope host  src 192.168.0.6
>> broadcast 192.168.0.255 dev br0 table local scope link  src 192.168.0.6
>> broadcast 192.168.45.0 dev wl0.1 table local scope link  src 192.168.45.1
>> local 192.168.45.1 dev wl0.1 table local scope host  src 192.168.45.1
>> broadcast 192.168.45.255 dev wl0.1 table local scope link  src 192.168.45.1
>> broadcast 192.168.75.0 dev wl1.1 table local scope link  src 192.168.75.1
>> local 192.168.75.1 dev wl1.1 table local scope host  src 192.168.75.1
>> broadcast 192.168.75.255 dev wl1.1 table local scope link  src 192.168.75.1
>> root at DD-WRT:~#
>>
>>
>> root at DD-WRT:~# ip route show table 220
>> root at DD-WRT:~#
>>
>>
>> ( Redacted the IP hence why you see 100.100.100.X for the ISP GW )
>>
>>>
>>> Regards,
>>> Tobias
>>>
>>
>>
>
> What are the dependencies of all these modules listed here?  I'm close
> and was able to load quite a few:
>
> https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1209261#1209261
>
> https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> but xfrm_user.ko doesn't insert and suspecting due to missing dependencies:
>
> root at DD-WRT:/opt/xfrm4# lsmod
> Module                  Size  Used by
> tunnel6                 1691  0
> xfrm4_mode_tunnel       1354  0
> xfrm4_mode_transport      778  0
> xfrm4_mode_beet         1418  0
> ah4                     4540  0
> esp4                    5175  0
> xfrm_ipcomp             2853  0
> xfrm4_tunnel            1368  0
> xfrm_algo               3645  3 ah4,esp4,xfrm_ipcomp
> ip_tunnel              10496  0
> tunnel4                 1692  1 xfrm4_tunnel
> ext4                  319105  1
> jbd2                   50250  1 ext4
> mbcache                 7009  1 ext4
> crc16                   1060  1 ext4
> vhci_hcd               12705  0
> usbip_host             12201  0
> usbip_core              4593  2 vhci_hcd,usbip_host
> usblp                   8913  0
> usb_storage            37587  1
> sr_mod                 11005  0
> cdrom                  24153  1 sr_mod
> sd_mod                 24627  1
> scsi_mod               83966  3 usb_storage,sr_mod,sd_mod
> xhci_plat_hcd           2116  0
> xhci_pci                2632  0
> xhci_hcd               84444  2 xhci_plat_hcd,xhci_pci
> ohci_pci                2157  0
> ohci_hcd               23292  1 ohci_pci
> ehci_pci                2829  0
> ehci_hcd               33905  1 ehci_pci
> usbcore               127988 12 vhci_hcd,usbip_host,usblp,usb_storage,xhci_plat_hcd,xhci_pci,xhci_hcd,ohci_pci,ohci_hcd,ehci_pci,ehci_hcd
>
> usb_common              1589  2 vhci_hcd,usbcore
> ip6_tables              9261  0
> xt_ndpi               344541  0
> tun                    15569  4
> fast_classifier       138897  0
> jffs2                  92216  1
> lzo_decompress          1764  0
> lzo_compress            1828  0
> lzma_decompress         8228  1 jffs2
> lzma_compress          23664  1 jffs2
> wl                   4384906  0
> switch_robo            13611  0
> switch_core             5449  1 switch_robo
> et                     42648  0
> root at DD-WRT:/opt/xfrm4#
>
>
> All others insert just fine as long as they are added in a specific
> sequence:
>
>
> root at DD-WRT:/opt/xfrm4# for mods in $(echo tunnel4.ko ip_tunnel.ko xfrm_algo.ko xfrm4_tunnel.ko xfrm_ipcomp.ko esp4.ko ah4.ko xfrm4_mode_beet.ko xfrm4_mode_beet.ko xfrm4_mode_transport.ko xfrm4_mode_tunnel.ko xfrm_user.ko); do insmod $mods; done
> insmod: cannot insert 'tunnel4.ko': File exists
> insmod: cannot insert 'ip_tunnel.ko': File exists
> insmod: cannot insert 'xfrm_algo.ko': File exists
> insmod: cannot insert 'xfrm4_tunnel.ko': File exists
> insmod: cannot insert 'xfrm_ipcomp.ko': File exists
> insmod: cannot insert 'esp4.ko': File exists
> insmod: cannot insert 'ah4.ko': File exists
> insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
> insmod: cannot insert 'xfrm4_mode_beet.ko': File exists
> insmod: cannot insert 'xfrm4_mode_transport.ko': File exists
> insmod: cannot insert 'xfrm4_mode_tunnel.ko': File exists
> insmod: cannot insert 'xfrm_user.ko': unknown symbol in module
> root at DD-WRT:/opt/xfrm4#
>
>
> root at DD-WRT:/opt/xfrm4# strings xfrm_user.ko|grep -Ei depends
> depends=xfrm_algo
> root at DD-WRT:/opt/xfrm4# insmod xfrm_algo.ko
> insmod: cannot insert 'xfrm_algo.ko': File exists
> root at DD-WRT:/opt/xfrm4# lsmod|grep xfrm_algo
> xfrm_algo               3645  3 ah4,esp4,xfrm_ipcomp
> root at DD-WRT:/opt/xfrm4#
>
>
>

Is the xfrm_user.ko module used for both traffic going out and coming
back in via StrongSwan / IPSEC ?



--
Thx,
TK.


End of Users Digest, Vol 125, Issue 34
**************************************