blob: 680c615a9365f830b45473ec541121d83b600d5e [file] [log] [blame]
In order to explore the CESA through the OpenSWAN, 1 patch should be applied to the OpenSWAN.
download openswan-2.6.29 (, then untar+unzip it.
apply the patch:
- mv_openswan_2_6_29.patch -
change default configs to remove DEBUG and to include OCF.
- fix icmp_send failure caused by IFF_XMIT_DST_RELEASE flag set on the net dev.
- fix rmmod BUG by removing duplicated free_netdev call.
- include patch from openswan git that make sure we have the skb->dst in place before we call
ip_select_ident otherwise we get kernel warn: "rt_bind_peer(0) .. "
and compile:
+ ipsec module (cross compilation) :
'make KERNELSRC=<path to this release, after config> module ARCH=arm CC=<path_to_cross_compile> LD=<path_to_cross_loader>'
then copy the module to the host FS: /lib/modules/<kernel_name>/kernel/net/ipsec/
+ ipsec user (native) :
make sure that you have the kernel source on the FS.
'make KERNELSRC=<path to this release, after config> programs'
'make install'
Note: before tunnel is enabled on target, reverse path filtering(rp_filter) must be disabled under sysfs, using
the following commands:
- echo 0 > /proc/sys/net/ipv4/conf/eth<x>/rp_filter
- echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
Reverse Path Filtering(rp_filter): it is a technology that is used on IP routers to try and prevent source address spoofing,
which is often used for DenialOfService attacks. RPF works by checking the source IP of each packet received on an interface
against the routing table. If the best route for the source IP address does not use the same interface that the packet was received
on the packet is dropped.
IPSec routing using encryption/authentication only
basic vpn connection:
- platform: conncted with egiga.
- make sure you have 'ip' (part of the iproute package) installed.
- edit /etc/ipsec.conf (on both sides) ,check the "man ipsec.conf" :
config setup
interfaces="ipsec0=eth0" # Virtual/physical interfaces
klipsdebug="none" # Debug KLIPS
plutodebug="none" # Debug PLUTO
conn dove_psk_vpn
type=tunnel # type of the connection: tunnel(default),passthrough,transport,reject,drop
right= # Remote information
auto=start # start this connection at startup
- edit /etc/ipsec.secrets (on both sides) to have shared secret. : PSK "123456"
- side1: 'ifconfig eth0 netmask'
- side2: 'ifconfig eth0 netmask'
- check connectivity: ping from side1 to
- '/etc/init.d/ipsec start' (on both sides), create new interface ipsec0.
- check connectivity: ping from side1 to --> VPN is working (make sure by sniffing)