
neo2 strongswan ipsec ikev2 tunnel


Joe


I'm running what I believe is the latest experimental for the neo2 - 5.27.170601. This could well be a problem related to something that doesn't yet work in this build.

 

I've built strongswan on the neo and everything built fine and installed. ipsec starts and I'm able to bring a tunnel up to a remote vpn server that I know is fine and is verified working from some other box with identical connection and key configuration that I'm using on the neo2.

 

When the tunnel is brought up on the neo2 it seems I'm not able to get any traffic to flow i.e. curl api.ipify.org should return the public ip of the remote vpn server but it just hangs.  When the tunnel is down the same curl command works fine.

 

This feels routing / firewall / NAT related but to be honest I don't know where to start digging now. 

 

Does anyone have any suggestions? Anyone managed to get something similar working yet?

 

Cheers

Joe


I've still not got this fully working but for the moment I have switched from armbian to the friendlyElec debian image and I'm seeing exactly the same behavior on that platform too.

 

I've raised an issue with strongswan and there's some more information and wireshark traffic captures over there: https://wiki.strongswan.org/issues/2351?issue_count=220&issue_position=2&next_issue_id=2349&prev_issue_id=2352

 

Very odd at this stage and I'm not convinced this actually is a strongswan issue at all..


   leftsubnet=192.168.0.1/24
   rightsubnet=192.168.0.1/24
 

I am not used to strongswan syntax, but if the left subnet is the same as the right one,

how do you expect routing to decide which packets have to go through the tunnel between

left and right?

 

best, gnasch

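The selector check gnasch is pointing at, written out as an added example (not code from the thread or from the strongSwan project): it parses the leftsubnet/rightsubnet lines of each conn block in a constructed ipsec.conf fragment, flags a conn whose two sides are configured with the same subnet, and answers, for a given source and destination address, whether a packet would match that conn's traffic selectors at all. The conn names, the peer address 203.0.113.10 and the probe addresses are made up for the example; the assumption that a host-style value such as 192.168.0.1/24 stands for the containing network 192.168.0.0/24 is mine and is only used for the comparison.

```python
"""Sanity-check strongSwan ipsec.conf traffic selectors (added example)."""
import ipaddress
import re

# Constructed ipsec.conf fragment modelled on the two lines quoted in the thread.
# The first conn reproduces the identical left/right subnet, the second is a
# plausible corrected form where the remote side covers everything.
SAMPLE_CONF = """\
conn neo2-vpn
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=192.168.0.1/24
    right=203.0.113.10
    rightsubnet=192.168.0.1/24
    auto=start

conn neo2-fixed
    keyexchange=ikev2
    left=%defaultroute
    leftsubnet=192.168.0.0/24
    right=203.0.113.10
    rightsubnet=0.0.0.0/0
    auto=start
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn block in an ipsec.conf fragment."""
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"conn\s+(\S+)", line)   # only matches at column 0
        if header:
            current = header.group(1)
            conns[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            conns[current][key.strip()] = value.strip()
    return conns


def selector(value):
    """Turn a leftsubnet/rightsubnet value (possibly comma separated) into networks.
    strict=False reads a host-style value like 192.168.0.1/24 as 192.168.0.0/24
    (assumption made for this comparison only)."""
    return [ipaddress.ip_network(part.strip(), strict=False) for part in value.split(",")]


def check_conn(cfg):
    """Return warnings about one conn's selectors; empty list means nothing suspicious."""
    warnings = []
    if "leftsubnet" not in cfg or "rightsubnet" not in cfg:
        return warnings   # defaults to the host itself; nothing to compare
    for left in selector(cfg["leftsubnet"]):
        for right in selector(cfg["rightsubnet"]):
            if left == right:
                warnings.append(
                    f"leftsubnet and rightsubnet are both {left}: the same prefix is "
                    "declared local and remote, so no destination outside it is tunnelled "
                    "and destinations inside it are ambiguous")
    return warnings


def tunneled(cfg, src, dst):
    """True if a packet src->dst matches the conn's selectors, i.e. the pair the
    kernel XFRM policy installed for this conn would cover."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(src_ip in net for net in selector(cfg["leftsubnet"]))
            and any(dst_ip in net for net in selector(cfg["rightsubnet"])))


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_CONF)
    for name, cfg in conns.items():
        print(name, check_conn(cfg) or "selectors look sane")
        # 198.51.100.7 stands in for any public address a curl test would reach.
        print("  192.168.0.5 -> 198.51.100.7 tunnelled:",
              tunneled(cfg, "192.168.0.5", "198.51.100.7"))
```

Run it against your own ipsec.conf by reading the file instead of SAMPLE_CONF; a conn that reports "both ... local and remote" will never carry traffic to a public address, which is worth ruling out before chasing kernel bugs.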

The cause of this mystery is found by Noel Kuntze at StrongSwan: https://wiki.strongswan.org/issues/2351?issue_count=221&issue_position=3&next_issue_id=2349&prev_issue_id=2352#note-9

 

https://patchwork.kernel.org/patch/9704017/ : ipsec doesn't route TCP with 4.11 kernel

 

It looks like there's a fix but it's not found its way into the Armbian Neo2 Experimental yet which I believe is based on 4.11. FriendlyArm Debian is also based on 4.11.

 

ipsec is basically broken everywhere right now :)  Perfect timing by me!


I agree martinayotte it would be very nice to get this patch in early. I believe this is the progress of the patch at the moment:

 

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/net/ipv4/esp4.c?id=0e78a87306a6f55b1c7bbafad1de62c3975953ca

https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/net/ipv4/esp4.c?id=0e78a87306a6f55b1c7bbafad1de62c3975953ca

 

Personally I'd like to get this patched into the experimental AllWinner H5 firmware build just to test if it fixes the problem but unfortunately I'm struggling to see how to graft this patch onto /sources/linux-sun50i-dev/sunxi64-4.11.y/net/ipv4/esp4.c. The sunxi64-4.11.y flavour of the esp4.c file is significantly different to the esp4.c file that this patch was created against / where this patch is at the moment. The patch certainly doesn't auto patch as-is via the Armbian build system, it just gets rejected.

 

I'd be very interested to hear all/any ideas about how to translate this patch to Armbian.


I totally winged it and won :) 

 

I was unable to read the patch and translate what I was looking at into the change that needed to be made to /sources/linux-sun50i-dev/sunxi64-4.11.y/net/ipv4/esp4.c just by looking at the patch alone. So I cloned https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git and looked at Steffen Klassert's diff with SmartGit - this enabled me to see what change I "might" need to make.

 

Next I put the Armbian build system into CREATE_PATCHES mode, made the change and in an almost unbelievable way it seems that I've got this right first time. Armbian build created the attached kernel-sun50iw2-dev.patch file and applied it.

 

Now I've built strongswan on the neo2 and reconfigured my tunnel it finally seems to be working. It's early days but it's definitely a whole lot better than it was. Happy days.

kernel-sun50iw2-dev.patch
