Posts dated 201602 (5)

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

config setup

conn %default
        authby=secret
        keyexchange=ikev1
        mobike=no
        ike=aes128-sha1-modp1024
        esp=aes128-sha1
        left=172.16.9.21
        leftsubnet=192.168.11.0/24
        leftfirewall=yes

conn RTX1000
        right=172.16.9.22
        rightsubnet=192.168.22.0/24
        auto=start

ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file

: PSK "abcd1234"

Yamaha config

console character ascii
ip route default gateway 172.16.9.254
ip route 192.168.11.0/24 gateway tunnel 1
ip lan1 address 192.168.22.1/24
ip lan2 address 172.16.9.22/24
ip lan2 nat descriptor 1
tunnel select 1
 ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike group 1 modp1024
  ipsec ike local address 1 172.16.9.22
  ipsec ike pre-shared-key 1 text abcd1234
  ipsec ike remote address 1 172.16.9.21
 tunnel enable 1
tunnel select none
nat descriptor type 1 masquerade
nat descriptor address outer 1 172.16.9.22
nat descriptor address inner 1 192.168.22.1-192.168.22.254
nat descriptor masquerade static 1 1 172.16.9.22 udp 500
nat descriptor masquerade static 1 2 172.16.9.22 esp
dhcp service server
dhcp scope 1 192.168.22.100-192.168.22.254/24
dns server 8.8.8.8
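Added example, not from the original post: a small Python checker that parses the two configs above, confirms that the strongSwan and RTX ends agree on peer addresses, pre-shared key, DH group and ESP proposal (note that left/right on one side must line up with remote/local on the other), and then lists the legacy choices (IKEv1, SHA-1, modp1024) and the short PSK that a reviewer would want to revisit. The RTX aes-cbc = AES-128 name mapping and the 16-character PSK threshold are this example's own assumptions.

```python
# Constructed copies of the post's two configs, trimmed to the IKE/ESP lines.
IPSEC_CONF = """conn %default
        keyexchange=ikev1
        ike=aes128-sha1-modp1024
        esp=aes128-sha1
        left=172.16.9.21
conn RTX1000
        right=172.16.9.22
"""
IPSEC_SECRETS = ': PSK "abcd1234"'
YAMAHA = """ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike group 1 modp1024
ipsec ike local address 1 172.16.9.22
ipsec ike pre-shared-key 1 text abcd1234
ipsec ike remote address 1 172.16.9.21
"""
ESP_MAP = {"aes-cbc": "aes128", "sha-hmac": "sha1"}  # assumed: RTX aes-cbc is AES-128

def parse_ipsec_conf(text):
    # every named conn inherits the settings under 'conn %default'
    conns, cur = {}, None
    for line in text.splitlines():
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif "=" in line and cur is not None:
            cur.update([line.strip().split("=", 1)])
    default = conns.pop("%default", {})
    return {name: {**default, **vals} for name, vals in conns.items()}

def parse_yamaha(text):
    y = {}
    for w in (line.split() for line in text.splitlines()):
        if w[1:2] == ["ike"]:              # 'ipsec ike <key> ... <value>'
            y[w[2]] = w[-1]
        elif w[1:3] == ["sa", "policy"]:   # '... esp aes-cbc sha-hmac'
            y["esp"] = "-".join(ESP_MAP[t] for t in w[-2:])
    return y

def check(conf, secrets, yamaha, conn="RTX1000"):
    c, y = parse_ipsec_conf(conf)[conn], parse_yamaha(yamaha)
    psk = secrets.split('"')[1]
    out = [msg for ok, msg in (  # a 'differ' entry means the two ends cannot negotiate
        ((c["left"], c["right"]) == (y["remote"], y["local"]), "peer addresses differ"),
        (psk == y["pre-shared-key"], "pre-shared keys differ"),
        (y["group"] in c["ike"].split("-") and c["esp"] == y["esp"], "IKE/ESP proposals differ"),
    ) if not ok]
    used = {c.get("keyexchange"), *c["ike"].split("-"), *c["esp"].split("-")}
    out += [f"legacy setting in use: {a}" for a in ("ikev1", "sha1", "modp1024") if a in used]
    if len(psk) < 16:  # threshold is this example's own heuristic
        out.append("short pre-shared key")
    return out
```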

iptables

Although leftfirewall=yes is set, so strongSwan configures the firewall automatically, some settings are still missing.

Posted by 台南小新 on 痞客邦 PIXNET, comments (0)

Integration

  • Integrate gmp into the SDK first.
  • Extract strongswan-5.3.5.tar.gz into the user directory.
  • Edit user/Makefile and add one line below # application.
    # application
    app_y += strongswan-5.3.5

  • Edit user/Makefile and add several lines below the prepare: target.

Integration

  • Extract gmp-6.1.0.tar.bz2 into the user directory.
  • Edit user/Makefile and add one line below # application.
    # application
    app_y += gmp-6.1.0

  • Edit user/Makefile and add several lines below the prepare: target.

Edit the Makefile

  • Change CFLAGS:=-Wall -Wunused -Werror to CFLAGS:=-Wall -Wunused
  • Change CC:=gcc to CC:=/opt/buildroot-gcc342/bin/mipsel-linux-gcc
  • Change KERNEL_INCLUDES?=include/ to KERNEL_INCLUDES?=../../linux-2.6.36.x/include/

build code

  • Edit the Makefile
  • Edit extensions/ebt_ip6.c and remove the EBT_IP6_ICMP6-related code
  • make
  • make static

install

  • Copy ethertypes to /etc/ethertypes
  • make static produces a static executable that runs on its own, without any other .so files.
  • ebtables is the other executable; it needs the .so files, so copy extensions/*.so to /lib.

Troubleshooting

/opt/buildroot-gcc342/bin/mipsel-linux-gcc -Wall -Wunused -Werror -fPIC -O3 -DPROGVERSION=\"2.0.10-4\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"December\ 2011\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -DEBTD_ARGC_MAX=50 -DEBTD_CMDLINE_MAXLN=2048 -DLOCKFILE=\"/var/lib/ebtables/lock\" -DLOCKDIR=\"/var/lib/ebtables/\" -c -o extensions/ebt_nat.o extensions/ebt_nat.c -I/home/enos/FGN-R3/RT288x_SDK/source/linux-2.6.36.x/include/
extensions/ebt_nat.c: In function `parse_s':
extensions/ebt_nat.c:95: warning: 'tmp' might be used uninitialized in this function
make: *** [extensions/ebt_nat.o] Error 1
Change CFLAGS:=-Wall -Wunused -Werror to CFLAGS:=-Wall -Wunused
/opt/buildroot-gcc342/bin/mipsel-linux-gcc -Wall -Wunused -fPIC -O3 -DPROGVERSION=\"2.0.10-4\" -DPROGNAME=\"ebtables\" -DPROGDATE=\"December\ 2011\" -D_PATH_ETHERTYPES=\"/etc/ethertypes\" -DEBTD_ARGC_MAX=50 -DEBTD_CMDLINE_MAXLN=2048 -DLOCKFILE=\"/var/lib/ebtables/lock\" -DLOCKDIR=\"/var/lib/ebtables/\" -c -o extensions/ebt_ip6.o extensions/ebt_ip6.c -I/home/enos/FGN-R3/RT288x_SDK/source/linux-2.6.36.x/include/
extensions/ebt_ip6.c: In function `parse':
extensions/ebt_ip6.c:369: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c:369: error: (Each undeclared identifier is reported only once
extensions/ebt_ip6.c:369: error: for each function it appears in.)
extensions/ebt_ip6.c:373: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:373: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c: In function `final_check':
extensions/ebt_ip6.c:430: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c: In function `print':
extensions/ebt_ip6.c:488: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c:492: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:492: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c: In function `compare':
extensions/ebt_ip6.c:536: error: `EBT_IP6_ICMP6' undeclared (first use in this function)
extensions/ebt_ip6.c:537: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:537: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:538: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:538: error: structure has no member named `icmpv6_type'
extensions/ebt_ip6.c:539: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c:539: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c:540: error: structure has no member named `icmpv6_code'
extensions/ebt_ip6.c:540: error: structure has no member named `icmpv6_code'
make: *** [extensions/ebt_ip6.o] Error 1
Because linux-2.6.36.x does not support EBT_IP6_ICMP6, the EBT_IP6_ICMP6-related code has to be removed.

It is actually simple: just add the wanif to the bridge and then block all IPv4 protocol traffic.

If you only add the wanif to the bridge, IPv6 works but IPv4 does not.
