Articles dated 201602 (5)


ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        # PSK authentication; the secret itself lives in ipsec.secrets
        authby=secret
        # the RTX1000 side below is configured for IKEv1
        keyexchange=ikev1
        mobike=no
        # IKE and ESP proposals must match what the Yamaha side offers
        ike=aes128-sha1-modp1024
        esp=aes128-sha1
        left=172.16.9.21
        leftsubnet=192.168.11.0/24
        # let strongSwan's _updown script add FORWARD rules for the tunnelled subnets
        leftfirewall=yes

conn RTX1000
        right=172.16.9.22
        rightsubnet=192.168.22.0/24
        # bring the tunnel up when the daemon starts
        auto=start

ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

: PSK "abcd1234"

The secret above is a lab placeholder. Use a long random string on both ends (the same value goes into "ipsec ike pre-shared-key 1 text ..." on the Yamaha), and keep in mind that modp1024 (DH group 2) is the weakest part of the proposal; move to a larger group if the router offers one.

Yamaha config

console character ascii
ip route default gateway 172.16.9.254
ip route 192.168.11.0/24 gateway tunnel 1
ip lan1 address 192.168.22.1/24
ip lan2 address 172.16.9.22/24
ip lan2 nat descriptor 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike group 1 modp1024
  ipsec ike local address 1 172.16.9.22
  ipsec ike pre-shared-key 1 text abcd1234
  ipsec ike remote address 1 172.16.9.21
 tunnel enable 1
tunnel select none
nat descriptor type 1 masquerade
nat descriptor address outer 1 172.16.9.22
nat descriptor address inner 1 192.168.22.1-192.168.22.254
nat descriptor masquerade static 1 1 172.16.9.22 udp 500
nat descriptor masquerade static 1 2 172.16.9.22 esp
dhcp service server
dhcp scope 1 192.168.22.100-192.168.22.254/24
dns server 8.8.8.8

iptables

Even with leftfirewall=yes, where strongSwan sets up firewall rules on its own, some rules are still missing.
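As an added example (my rules, not part of the original post), this is the script I would run beside strongSwan to fill in what leftfirewall=yes does not cover. For a subnet-to-subnet connection strongSwan's _updown script only manages the FORWARD rules for the two tunnelled subnets, so the script adds INPUT rules that let the peer reach IKE and deliver ESP, plus a rule that stops cleartext forwarding to the remote subnet when no SA is in place. Addresses are taken from the ipsec.conf above; which rules count as "missing" is my assumption. The script prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the original post. Peer and subnets come from the
# ipsec.conf above; everything else is my assumption about what is missing.
# Dry run by default: prints the iptables commands. APPLY=1 sh ipsec-fw.sh applies them.
PEER=${PEER:-172.16.9.22}                    # right=
LEFTSUBNET=${LEFTSUBNET:-192.168.11.0/24}    # leftsubnet=
RIGHTSUBNET=${RIGHTSUBNET:-192.168.22.0/24}  # rightsubnet=

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Control plane and ESP from the peer. leftfirewall=yes does not add these, so with
# an INPUT policy of DROP the tunnel never negotiates.
ipsec_input_rules() {
    run iptables -A INPUT -p udp -s "$PEER" --dport 500 -j ACCEPT   # IKE
    run iptables -A INPUT -p udp -s "$PEER" --dport 4500 -j ACCEPT  # NAT-T; only used if a NAT sits between the peers
    run iptables -A INPUT -p esp -s "$PEER" -j ACCEPT                # ESP (IP protocol 50)
}

# Forward only traffic that actually travelled inside the IPsec SA (policy match),
# and never forward packets for the remote subnet in cleartext when no SA matches.
ipsec_forward_rules() {
    run iptables -A FORWARD -s "$RIGHTSUBNET" -d "$LEFTSUBNET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    run iptables -A FORWARD -s "$LEFTSUBNET" -d "$RIGHTSUBNET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    run iptables -A FORWARD -d "$RIGHTSUBNET" -m policy --dir out --pol none -j DROP
}

ipsec_input_rules
ipsec_forward_rules
```

The last FORWARD rule is the one worth keeping even if you trust the rest: without it, a tunnel that fails to come up turns LAN traffic for 192.168.22.0/24 into plain routed packets on the 172.16.9.0/24 side.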

Posted by 台南小新 on 痞客邦 (PIXNET). Comments (0)

Integration (strongswan-5.3.5)

  • Integrate gmp into the SDK first.
  • Unpack strongswan-5.3.5.tar.gz into the user directory.
  • Edit user/Makefile and add one line under # application:
    # application
    app_y += strongswan-5.3.5
    
  • Edit user/Makefile and add several lines under prepare:.


Integration (gmp-6.1.0)

  • Unpack gmp-6.1.0.tar.bz2 into the user directory.
  • Edit user/Makefile and add one line under # application:
    # application
    app_y += gmp-6.1.0
    
  • Edit user/Makefile and add several lines under prepare:.
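The strongswan and gmp posts above both leave out the actual prepare: lines. As an added example (mine, not the SDK's, gmp's or strongSwan's code), this script does by hand what those lines have to do: cross-build gmp-6.1.0 into a staging directory with the mipsel toolchain, then configure strongswan-5.3.5 against that staged gmp. The staging layout and the configure options other than --host/--prefix/--sysconfdir are my choices; the toolchain path is the one used later on this page for ebtables and is assumed to be the same one the SDK uses here.

```shell
#!/bin/sh
# Added example, not from the original posts or the SDK. Usage:
#   sh build-ipsec.sh user/gmp-6.1.0 user/strongswan-5.3.5
# Dry run by default (prints the commands); APPLY=1 runs them.
TOOLCHAIN=${TOOLCHAIN:-/opt/buildroot-gcc342/bin}   # assumption: same toolchain as the ebtables build
HOST=mipsel-linux
STAGING=${STAGING:-$PWD/staging}   # cross-built headers and libraries go here, never into the host's /usr
export PATH="$TOOLCHAIN:$PATH"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# gmp first: strongSwan's default big-number backend is its gmp plugin, so the
# strongswan configure step below fails without a cross-built libgmp to link against.
build_gmp() {
    ( cd "$1" &&
      run ./configure --host=$HOST --prefix=/usr CC=$HOST-gcc &&
      run make &&
      run make install DESTDIR="$STAGING" )
}

# strongSwan: point the compiler at the staged gmp via CPPFLAGS/LDFLAGS and build the
# plugins into the libraries (--enable-monolithic) so the target does not need a
# plugin directory. Options other than --host/--prefix/--sysconfdir are my choices.
build_strongswan() {
    ( cd "$1" &&
      run ./configure --host=$HOST --prefix=/usr --sysconfdir=/etc \
          --enable-monolithic --disable-scripts \
          CC=$HOST-gcc \
          CPPFLAGS="-I$STAGING/usr/include" \
          LDFLAGS="-L$STAGING/usr/lib" &&
      run make &&
      run make install DESTDIR="$STAGING" )
}

if [ $# -eq 2 ]; then
    build_gmp "$1" && build_strongswan "$2"
fi
```

Whatever lands under $STAGING/usr after the second step is what the SDK's prepare: target ultimately has to get into the target root filesystem; keeping it in a staging directory rather than installing to the host's /usr is what stops a host libgmp from being picked up by mistake.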


Edit the Makefile

  • Change CFLAGS:=-Wall -Wunused -Werror to CFLAGS:=-Wall -Wunused
  • Change CC:=gcc to CC:=/opt/buildroot-gcc342/bin/mipsel-linux-gcc
  • Change KERNEL_INCLUDES?=include/ to KERNEL_INCLUDES?=../../linux-2.6.36.x/include/

Build

  • Edit the Makefile
  • Edit extensions/ebt_ip6.c and remove the EBT_IP6_ICMP6 related code
  • make
  • make static

Install

  • Copy ethertypes to /etc/ethertypes.
  • make static produces a single executable named static; it runs on its own without any .so files.
  • ebtables is the other executable and needs the .so files: copy extensions/*.so to /lib.
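Putting the three Makefile edits, the build and the install together, as an added example (mine, not from the post or from ebtables): the script applies the edits with sed and refuses to continue if any of them did not land, which catches a different ebtables version or a Makefile that was already edited instead of silently building with the host gcc. The ebt_ip6.c change stays manual. Install paths follow the post (ethertypes to /etc, extensions to /lib); copying libebtc.so and the name given to the static binary are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Usage:
#   sh build-ebtables.sh ebtables-v2.0.10-4 [target-rootfs]
# Dry run for make/install by default; APPLY=1 runs them. The sed edit is always real.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# The three edits from the post. Anchored to the exact original lines, so a different
# ebtables version, or an already-patched Makefile, fails the check below instead of
# silently building with the host gcc.
patch_ebtables_makefile() {
    mk=$1
    sed -i \
        -e 's|^CFLAGS:=-Wall -Wunused -Werror$|CFLAGS:=-Wall -Wunused|' \
        -e 's|^CC:=gcc$|CC:=/opt/buildroot-gcc342/bin/mipsel-linux-gcc|' \
        -e 's|^KERNEL_INCLUDES[?]=include/$|KERNEL_INCLUDES?=../../linux-2.6.36.x/include/|' \
        "$mk" &&
    grep -q '^CFLAGS:=-Wall -Wunused$' "$mk" &&
    grep -q '^CC:=/opt/buildroot-gcc342/bin/mipsel-linux-gcc$' "$mk" &&
    grep -q '^KERNEL_INCLUDES[?]=\.\./\.\./linux-2\.6\.36\.x/include/$' "$mk"
}

# make builds ebtables + extensions/*.so; make static builds a single binary named
# "static" with the extensions compiled in (no .so needed at run time).
build_ebtables() {
    ( cd "$1" && run make && run make static )
}

# root = target root filesystem (empty means this machine). Paths follow the post.
install_ebtables() {
    src=$1; root=${2:-}
    run install -D -m 644 "$src/ethertypes" "$root/etc/ethertypes"
    run install -D -m 755 "$src/static" "$root/sbin/ebtables-static"   # my name for it
    run install -D -m 755 "$src/ebtables" "$root/sbin/ebtables"
    run mkdir -p "$root/lib"
    run cp "$src"/extensions/*.so "$root/lib/"
    # assumption: 2.0.10 also builds libebtc.so, which the dynamic ebtables links against
    [ -f "$src/libebtc.so" ] && run cp "$src/libebtc.so" "$root/lib/"
    return 0
}

if [ $# -ge 1 ]; then
    patch_ebtables_makefile "$1/Makefile" || { echo "Makefile edits did not apply cleanly" >&2; exit 1; }
    build_ebtables "$1" && install_ebtables "$1" "${2:-}"
fi
```

The grep checks after the sed are the part that matters: sed returns success whether or not a pattern matched, so without them a CC:= line that differs by one character would leave the host compiler in place and you would only notice when the binary refuses to run on the MIPS board.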

Troubleshooting

/opt/buildroot-gcc342/bin/mipsel-linux-gcc -Wall -Wunused -Werror -fPIC -O3 -DPROGVERSION=\"2.0.10-4\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"December\ 2011\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -DEBTD_ARGC_MAX=50 -DEBTD_CMDLINE_MAXLN=2048 -DLOCKFILE=\"/var/lib/ebtables/lock\" -DLOCKDIR=\"/var/lib/ebtables/\" -c -o extensions/ebt_nat.o extensions/ebt_nat.c -I/home/enos/FGN-R3/RT288x_SDK/source/linux-2.6.36.x/include/
extensions/ebt_nat.c: In function `parse_s':
extensions/ebt_nat.c:95: warning: 'tmp' might be used uninitialized in this function
make: *** [extensions/ebt_nat.o] Error 1
Change CFLAGS:=-Wall -Wunused -Werror to CFLAGS:=-Wall -Wunused. Dropping -Werror silences the warning rather than fixing it; glance at parse_s in extensions/ebt_nat.c to confirm tmp is assigned on every path before it is read.
/opt/buildroot-gcc342/bin/mipsel-linux-gcc -Wall -Wunused -fPIC -O3 -DPROGVERSION=\"2.0.10-4\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"December\ 2011\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -DEBTD_ARGC_MAX=50 -DEBTD_CMDLINE_MAXLN=2048 -DLOCKFILE=\"/var/lib/ebtables/lock\" -DLOCKDIR=\"/var/lib/ebtables/\" -c -o extensions/ebt_ip6.o extensions/ebt_ip6.c -I/home/enos/FGN-R3/RT288x_SDK/source/linux-2.6.36.x/include/
extensions/ebt_ip6.c: In function `parse':
extensions/ebt_ip6.c:369: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c:369: error: (Each undeclared identifier is reported only once
extensions/ebt_ip6.c:369: error: for each function it appears in.)
extensions/ebt_ip6.c:373: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:373: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c: In function `final_check':
extensions/ebt_ip6.c:430: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c: In function `print':
extensions/ebt_ip6.c:488: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c:492: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:492: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c: In function `compare':
extensions/ebt_ip6.c:536: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c:537: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:537: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:538: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:538: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:539: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c:539: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c:540: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c:540: error: structure has no member named `icmpv6_code'
make: *** [extensions/ebt_ip6.o] Error 1
linux-2.6.36.x does not define EBT_IP6_ICMP6, so the EBT_IP6_ICMP6 related code in extensions/ebt_ip6.c has to be removed. Since EBT_IP6_ICMP6 is a preprocessor define in the kernel's ebt_ip6.h, wrapping those blocks in #ifdef EBT_IP6_ICMP6 instead of deleting them keeps the file buildable against newer kernels too.


It is actually simple: add wanif to the bridge, then block all IPv4 protocol traffic on the bridge.

Just adding wanif to the bridge makes IPv6 work but breaks IPv4: once wanif is a bridge port, frames arriving on it are bridged instead of being handled by wanif's own IP stack.
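As an added example (my rules, not the post's), the setup described above using the ebtables built earlier on this page. The post does not show its rules, so this is my reading of "block all IPv4 on the bridge": frames arriving on the WAN port are brouted (in ebtables' broute table, DROP means "route this frame instead of bridging it"), so only IPv6 is bridged to the LAN while IPv4 and ARP still reach the WAN interface's own IP stack, which is what keeps the WAN address and NAT working; in the other direction, nothing but IPv6 is allowed to leave through the WAN port as a raw bridged frame. Interface names are placeholders (wanif as in the post, br0 for the LAN bridge).

```shell
#!/bin/sh
# Added example, not from the original post. Interface names are placeholders.
# Dry run by default (prints the commands); APPLY=1 sh v6-bridge.sh applies them.
WANIF=${WANIF:-wanif}   # the WAN interface, named as in the post
BR=${BR:-br0}           # the LAN bridge the WAN port joins

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

# Step 1 from the post: make the WAN port a bridge port, so IPv6 frames are
# switched between WAN and LAN at layer 2.
bridge_add_wan() {
    run brctl addif "$BR" "$WANIF"
}

# Step 2: frames arriving on the WAN port that are not IPv6 are handed back to the
# WAN interface's own IP stack. In the broute table DROP does not discard the frame;
# it means "route instead of bridge", so the router's WAN IPv4 address, ARP and NAT
# keep working even though the interface is now a bridge port.
broute_wan_non_ipv6() {
    run ebtables -t broute -A BROUTING -i "$WANIF" -p ! IPv6 -j DROP
}

# Step 2, other direction: nothing but IPv6 may be bridged out of the WAN port. LAN
# IPv4 still reaches the outside through the router's routed/NAT path; this only stops
# broadcasts such as DHCP discovers and ARP from leaking onto the WAN as raw frames.
block_non_ipv6_to_wan() {
    run ebtables -A FORWARD -o "$WANIF" -p ! IPv6 -j DROP
}

bridge_add_wan
broute_wan_non_ipv6
block_non_ipv6_to_wan
```

Order matters when applying for real: put the ebtables rules in place before brctl addif, otherwise there is a window in which LAN and WAN are one flat layer-2 segment for every protocol.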
