Linux Kernel Configuration

Networking support --->
  Networking options --->
    [*] Transformation user configuration interface
    [*] PF_KEY sockets
    [*] TCP/IP networking
    [*]   IP: advanced router
    [*]     IP: policy routing
    [*] IP: AH transformation
    [*] IP: ESP transformation
    [*] IP: IPComp transformation
    [*] IP: IPsec transport mode
    [*] IP: IPsec tunnel mode
    [*] IP: IPsec BEET mode
    [*] Network packet filtering framework (Netfilter) --->
      Core Netfilter Configuration --->
        xx[ ] IPSEC protocol support
        [*] Netfilter Xtables support
        ??[*]   "esp" match support
        [*]   IPsec "policy" match support
      IP: Netfilter Configuration --->
        [*] IP tables support (required for filtering/masq/NAT)
        ??[*]   "ah" match support

"IPSEC protocol support" must not be selected: on the Realtek SDK it causes a kernel panic. I do not know about other SDKs.
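To check an SDK kernel .config against the option list above before building, here is an added shell script; it is mine, not the page author's. The CONFIG_ symbol names are my mapping from the menu entries to mainline 3.10 Kconfig symbols, and the Realtek "IPSEC protocol support" entry has no mainline symbol I know of, so the script cannot check that one; the sample .config at the end is constructed for the demo.

```shell
#!/bin/sh
# Symbol names are the mainline 3.10 Kconfig symbols behind the menu entries
# listed above (my mapping, not the page's). The Realtek "IPSEC protocol support"
# entry has no mainline symbol, so it cannot be checked here.
REQUIRED="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP
CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_BEET
CONFIG_NETFILTER CONFIG_NETFILTER_XTABLES CONFIG_NETFILTER_XT_MATCH_POLICY
CONFIG_IP_NF_IPTABLES"
# The two entries the author marks with "??": reported, but not a failure.
OPTIONAL="CONFIG_NETFILTER_XT_MATCH_ESP CONFIG_IP_NF_MATCH_AH"

# config_state FILE SYMBOL -> prints y, m or n (absent or "is not set")
config_state() {
    case "$(grep -E "^$2=" "$1" | head -n 1)" in
        "$2=y") echo y ;;
        "$2=m") echo m ;;
        *)      echo n ;;
    esac
}

# check_ipsec_config FILE -> returns 0 when every required option is built in
# (=y), 1 otherwise. Modules only get a warning: the romfs may never load them.
check_ipsec_config() {
    rc=0
    for sym in $REQUIRED; do
        case "$(config_state "$1" "$sym")" in
            m) echo "WARN    $sym is a module, make sure it gets loaded" ;;
            n) echo "MISSING $sym"; rc=1 ;;
        esac
    done
    for sym in $OPTIONAL; do
        [ "$(config_state "$1" "$sym")" = n ] && echo "NOTE    $sym not set"
    done
    return $rc
}

# Constructed sample .config (not a real SDK file): IPComp left out, esp match as a module.
SAMPLE_CONFIG=$(mktemp)
printf '%s\n' CONFIG_XFRM_USER=y CONFIG_NET_KEY=y CONFIG_INET=y \
  CONFIG_IP_ADVANCED_ROUTER=y CONFIG_IP_MULTIPLE_TABLES=y CONFIG_INET_AH=y \
  CONFIG_INET_ESP=y '# CONFIG_INET_IPCOMP is not set' CONFIG_INET_XFRM_MODE_TRANSPORT=y \
  CONFIG_INET_XFRM_MODE_TUNNEL=y CONFIG_INET_XFRM_MODE_BEET=y CONFIG_NETFILTER=y \
  CONFIG_NETFILTER_XTABLES=y CONFIG_NETFILTER_XT_MATCH_POLICY=y CONFIG_NETFILTER_XT_MATCH_ESP=m \
  CONFIG_IP_NF_IPTABLES=y CONFIG_IP_NF_MATCH_AH=y > "$SAMPLE_CONFIG"
check_ipsec_config "$SAMPLE_CONFIG" || echo "kernel config not ready: fix the MISSING lines"
```

Run it as `sh check.sh` after pointing SAMPLE_CONFIG at the SDK's linux-3.10/.config; a MISSING line means the option list above was not applied.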

Building

CC=/home/enos/FGN-1000/fib003_res/rtl819x/toolchain/msdk-4.4.7-mips-EB-3.10-0.9.33-m32t-131227b/bin/mips-linux-gcc \
CXX=/home/enos/FGN-1000/fib003_res/rtl819x/toolchain/msdk-4.4.7-mips-EB-3.10-0.9.33-m32t-131227b/bin/mips-linux-g++ \
STRIP=/home/enos/FGN-1000/fib003_res/rtl819x/toolchain/msdk-4.4.7-mips-EB-3.10-0.9.33-m32t-131227b/bin/mips-linux-strip \
AR=/home/enos/FGN-1000/fib003_res/rtl819x/toolchain/msdk-4.4.7-mips-EB-3.10-0.9.33-m32t-131227b/bin/mips-linux-ar \
RANLIB=/home/enos/FGN-1000/fib003_res/rtl819x/toolchain/msdk-4.4.7-mips-EB-3.10-0.9.33-m32t-131227b/bin/mips-linux-ranlib \
CFLAGS="-I/home/enos/FGN-1000/gmp-6.1.0" \
LDFLAGS="-L/home/enos/FGN-1000/gmp-6.1.0/.libs" \
./configure --host=mips-linux --prefix=/tmp/strongSwan --enable-static=yes --enable-shared=yes \
  --with-linux-headers=/home/enos/FGN-1000/fib003_res/rtl819x/linux-3.10/include/uapi

--with-linux-headers must point to the Linux kernel's include directory, and specifically to its uapi subdirectory. You must also use the SDK's own Linux kernel headers, not strongSwan's, otherwise you will hit unpredictable problems.

Running

  • export PATH=$PATH:/tmp/strongSwan/sbin
  • /tmp/strongSwan/sbin/ipsec start
  • iptables -t nat -I POSTROUTING 1 -s 192.168.11.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
    This rule lets the local side ping the peer.
  • iptables -A INPUT -p esp -j ACCEPT
  • iptables -A INPUT -p icmp -j ACCEPT
  • iptables -A FORWARD -p icmp -j ACCEPT
    The three rules above let the peer ping the local side.

Troubleshooting

# ./ipsec start
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 3.10.24, mips)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[LIB] unloading plugin 'charon' without loaded features
00[DMN] initialization failed - aborting charon

Building with ./configure --enable-static=yes --enable-shared=no causes this; you must pass --enable-shared=yes.

# ./ipsec start
/mnt/strongSwan/libexec/ipsec/starter: can't resolve symbol 'glob'
# ./ipsec start
/mnt/strongSwan/libexec/ipsec/starter: can't resolve symbol 'setbuf' in lib '/mnt/strongSwan/libexec/ipsec/starter'.
# ./ipsec start
/mnt/strongSwan/libexec/ipsec/starter: can't resolve symbol 'setegid' in lib '/mnt/strongSwan/libexec/ipsec/starter'.
# ./ipsec start
/mnt/strongSwan/libexec/ipsec/starter: can't resolve symbol 'pthread_sigmask' in lib '/mnt/strongSwan/libexec/ipsec/starter'.
# ./ipsec start
/mnt/strongSwan/libexec/ipsec/starter: can't resolve symbol 'syscall'
# ./ipsec start
/mnt/strongSwan/libexec/ipsec/starter: can't resolve symbol 'dirfd'

All of the errors above are caused by the Realtek SDK: its $(LSTRIP) $(DIR_ROMFS) step is what goes wrong.

# ./ipsec start
00[DMN] invalid uid/gid - aborting charon

Add two more configure parameters: --with-user=root and --with-group=root.

About the author

邱小新の工作筆記

Posted by 台南小新 on 痞客邦 PIXNET


Comments (1)

  • Guest
  • Still doesn't work. It still reports this error: failed to load 3 critical plugin features