[FS#493] strongSwan no known IPsec stack detected since switch to kernel 4.9

LEDE Bugs lede-bugs at lists.infradead.org
Sat Feb 11 11:51:14 PST 2017


The following task has a new comment added:

FS#493 - strongSwan no known IPsec stack detected since switch to kernel 4.9
User who did this - KPapad (kpv)

----------
Apparently **using insmod (instead of modprobe) loads the xfrm_* modules and thus ipsec (strongSwan) can start**:


root@LEDE:~# lsmod|fgrep xfrm
tunnel4                 1534  1 xfrm4_tunnel
tunnel6                 1534  1 xfrm6_tunnel
xfrm4_mode_beet         1328  0 
xfrm4_mode_transport     944  0 
xfrm4_mode_tunnel       1328  0 
xfrm4_tunnel            1328  0 
xfrm6_mode_beet         1200  0 
xfrm6_mode_transport     944  0 
xfrm6_mode_tunnel       1200  0 
xfrm6_tunnel            1923  0 
root@LEDE:~# modprobe xfrm_algo
failed to find a module named xfrm_algo
root@LEDE:~# ls -la /lib/modules/4.9.8/xfrm_algo.ko
-rw-r--r--    1 root     root          5764 Feb 10 10:05 /lib/modules/4.9.8/xfrm_algo.ko
root@LEDE:~# md5sum /lib/modules/4.9.8/xfrm_algo.ko
d074b75f463524f2aa8a0d51674a0104  /lib/modules/4.9.8/xfrm_algo.ko
root@LEDE:~# ls -la /lib/modules/4.9.8/xfrm_*ko
-rw-r--r--    1 root     root          5764 Feb 10 10:05 /lib/modules/4.9.8/xfrm_algo.ko
-rw-r--r--    1 root     root          5340 Feb 10 10:05 /lib/modules/4.9.8/xfrm_ipcomp.ko
-rw-r--r--    1 root     root         23348 Feb 10 10:05 /lib/modules/4.9.8/xfrm_user.ko


root@LEDE:~# insmod /lib/modules/4.9.8/xfrm_algo.ko
root@LEDE:~# insmod /lib/modules/4.9.8/xfrm_ipcomp.ko
root@LEDE:~# insmod /lib/modules/4.9.8/xfrm_user.ko
root@LEDE:~# lsmod|fgrep xfrm
tunnel4                 1534  1 xfrm4_tunnel
tunnel6                 1534  1 xfrm6_tunnel
xfrm4_mode_beet         1328  0 
xfrm4_mode_transport     944  0 
xfrm4_mode_tunnel       1328  0 
xfrm4_tunnel            1328  0 
xfrm6_mode_beet         1200  0 
xfrm6_mode_transport     944  0 
xfrm6_mode_tunnel       1200  0 
xfrm6_tunnel            1923  0 
xfrm_algo               3541  2 xfrm_user,xfrm_ipcomp
xfrm_ipcomp             2581  0 
xfrm_user              16560  0 
root@LEDE:~#
root@LEDE:~# dmesg |tail
[    9.946070] kmodloader: - xfrm_user - 1
[   13.430838] 8021q: adding VLAN 0 to HW filter on device eth0
[   13.433278] br-lan: port 1(eth0) entered blocking state
[   13.435215] br-lan: port 1(eth0) entered disabled state
[   13.437368] device eth0 entered promiscuous mode
[   13.470226] br-lan: port 1(eth0) entered blocking state
[   13.472259] br-lan: port 1(eth0) entered forwarding state
[   13.514444] 8021q: adding VLAN 0 to HW filter on device eth1
[   15.002555] random: crng init done
[ 1119.235177] Initializing XFRM netlink socket
root@LEDE:~#

root@LEDE:~# dmesg |tail
[    9.946070] kmodloader: - xfrm_user - 1
[   13.430838] 8021q: adding VLAN 0 to HW filter on device eth0
[   13.433278] br-lan: port 1(eth0) entered blocking state
[   13.435215] br-lan: port 1(eth0) entered disabled state
[   13.437368] device eth0 entered promiscuous mode
[   13.470226] br-lan: port 1(eth0) entered blocking state
[   13.472259] br-lan: port 1(eth0) entered forwarding state
[   13.514444] 8021q: adding VLAN 0 to HW filter on device eth1
[   15.002555] random: crng init done
[ 1119.235177] Initializing XFRM netlink socket
root@LEDE:~# /etc/init.d/ipsec stop
Stopping strongSwan IPsec failed: starter is not running
root@LEDE:~# /etc/init.d/ipsec start
no files found matching '/etc/strongswan.d/*.conf'
Starting strongSwan 5.5.1 IPsec [starter]...
root@LEDE:~# ps
  PID USER       VSZ STAT COMMAND
    1 root      1028 S    /sbin/procd
    2 root         0 SW   [kthreadd]
    3 root         0 SW   [ksoftirqd/0]
    4 root         0 SW   [kworker/0:0]
    5 root         0 SW<  [kworker/0:0H]
    6 root         0 SW   [kworker/u2:0]
    7 root         0 SW   [rcu_sched]
    8 root         0 SW   [rcu_bh]
    9 root         0 SW   [migration/0]
   10 root         0 SW<  [lru-add-drain]
   11 root         0 SW   [cpuhp/0]
   12 root         0 SW<  [netns]
   14 root         0 SW   [oom_reaper]
  353 root         0 SW<  [writeback]
  355 root         0 SW<  [crypto]
  356 root         0 SW<  [bioset]
  358 root         0 SW<  [kblockd]
  421 root         0 SW<  [ata_sff]
  533 root         0 SW   [kworker/0:1]
  547 root         0 SW   [kswapd0]
  548 root         0 SW<  [vmstat]
  627 root         0 SW<  [pencrypt]
  629 root         0 SW<  [pdecrypt]
  652 root         0 SW<  [acpi_thermal_pm]
  690 root         0 SW<  [bioset]
  693 root         0 SW<  [bioset]
  696 root         0 SW<  [bioset]
  699 root         0 SW<  [bioset]
  702 root         0 SW<  [bioset]
  705 root         0 SW<  [bioset]
  708 root         0 SW<  [bioset]
  711 root         0 SW<  [bioset]
  725 root         0 SW   [scsi_eh_0]
  726 root         0 SW<  [scsi_tmf_0]
  729 root         0 SW   [scsi_eh_1]
  739 root         0 SW<  [scsi_tmf_1]
  742 root         0 SW   [scsi_eh_2]
  743 root         0 SW<  [scsi_tmf_2]
  746 root         0 SW<  [ipv6_addrconf]
  747 root         0 SW   [kworker/u2:3]
  809 root         0 SW<  [bioset]
  813 root         0 SW<  [bioset]
  817 root         0 SW<  [kworker/0:1H]
  826 root         0 SW<  [ext4-rsv-conver]
 1069 root       780 S    /sbin/ubusd
 1076 root       660 S    /sbin/askfirst /usr/libexec/login.sh
 1499 root         0 SW<  [cfg80211]
 1622 root       884 S    /sbin/logd -S 64
 1670 root      1176 S    /sbin/netifd
 1710 root       984 S    /usr/sbin/odhcpd
 1757 root       852 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300
 1900 root       740 S    odhcp6c -s /lib/netifd/dhcpv6.script -P0 -t120 eth1
 1901 root       972 S    udhcpc -p /var/run/udhcpc-eth1.pid -s /lib/netifd/dhcp.script -f -t 0 -i eth1 -C -O 121
 2103 root       976 S <  /usr/sbin/ntpd -n -N -S /usr/sbin/ntpd-hotplug -p 0.lede.pool.ntp.org -p 1.lede.pool.ntp.org -p 2.lede.pool.ntp.org -p 3.lede.pool.ntp.org
 2400 root       976 S    {mwan3track} /bin/sh /usr/sbin/mwan3track wan eth1 2 1 2 5 3 8 208.67.220.220 208.67.222.222 8.8.8.8 8.8.4.4
 2645 root      1812 S    {dnsmasq} /sbin/ujail -n dnsmasq -u -l -r /dev/null -r /dev/urandom -r /etc/TZ -r /etc/dnsmasq.conf -r /etc/ethers -r /etc/group -r /etc/hosts -r /etc/passwd
 2647 dnsmasq   1028 S    /usr/sbin/dnsmasq -C /var/etc/dnsmasq.conf.cfg02411c -k -x /var/run/dnsmasq/dnsmasq.cfg02411c.pid
 3373 root       920 S    /usr/sbin/dropbear -F -P /var/run/dropbear.1.pid -p 22 -K 300
 3380 root       980 S    -ash
 6382 root      1592 S    /usr/lib/ipsec/starter --daemon charon
 6383 root      4120 S    /usr/lib/ipsec/charon --use-syslog
 6412 root       972 S    sleep 5
 6418 root       972 R    ps
root@LEDE:~#
root@LEDE:~# logread |tail -30
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq[1]: using local addresses only for domain lan
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.auto
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq[1]: using local addresses only for domain lan
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq[1]: using nameserver 10.0.3.1#53
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg02411c - 2 addresses
Sat Feb 11 19:23:57 2017 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sat Feb 11 19:23:58 2017 user.notice ddns-scripts[2682]: myddns_ipv4: PID '2682' started at 2017-02-11 19:23
Sat Feb 11 19:23:58 2017 user.warn ddns-scripts[2682]: myddns_ipv4: Service section disabled! - TERMINATE
Sat Feb 11 19:23:58 2017 user.warn ddns-scripts[2682]: myddns_ipv4: PID '2682' exit WITH ERROR '1' at 2017-02-11 19:23
Sat Feb 11 19:24:38 2017 daemon.info dnsmasq[1]: read /etc/hosts - 4 addresses
Sat Feb 11 19:24:38 2017 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg02411c - 2 addresses
Sat Feb 11 19:24:38 2017 daemon.info dnsmasq-dhcp[1]: read /etc/ethers - 0 addresses
Sat Feb 11 19:27:29 2017 authpriv.info dropbear[3373]: Child connection from 10.0.3.1:33839
Sat Feb 11 19:27:32 2017 authpriv.notice dropbear[3373]: Password auth succeeded for 'root' from 10.0.3.1:33839
Sat Feb 11 19:42:18 2017 kern.info kernel: [ 1119.235177] Initializing XFRM netlink socket
Sat Feb 11 19:44:30 2017 authpriv.info ipsec_starter[6362]: Starting strongSwan 5.5.1 IPsec [starter]...
Sat Feb 11 19:44:30 2017 kern.info kernel: [ 1251.338997] NET: Registered protocol family 15
Sat Feb 11 19:44:30 2017 daemon.err modprobe: xfrm4_tunnel is already loaded
Sat Feb 11 19:44:30 2017 daemon.err modprobe: xfrm_user is already loaded
Sat Feb 11 19:44:31 2017 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.8, i686)
Sat Feb 11 19:44:31 2017 daemon.info : 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sat Feb 11 19:44:31 2017 daemon.info : 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sat Feb 11 19:44:31 2017 daemon.info : 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sat Feb 11 19:44:31 2017 daemon.info : 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sat Feb 11 19:44:31 2017 daemon.info : 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sat Feb 11 19:44:31 2017 daemon.info : 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sat Feb 11 19:44:31 2017 daemon.info : 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default connmark stroke updown xauth-generic
Sat Feb 11 19:44:31 2017 daemon.info : 00[JOB] spawning 16 worker threads
Sat Feb 11 19:44:31 2017 authpriv.info ipsec_starter[6382]: charon (6383) started after 40 ms
root@LEDE:~#
----------

More information can be found at the following URL:
https://bugs.lede-project.org/index.php?do=details&task_id=493#comment1716
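
The check and workaround shown in the comment above, as an added shell example that is not part of the original report or of LEDE's or strongSwan's own code. The function names, the MODDIR variable and the sample lsmod text are assumptions made for illustration; the module list and load order follow the session above.

```shell
#!/bin/sh
# Modules the comment loaded by hand, in dependency order: the lsmod output
# on the page shows xfrm_algo is used by xfrm_user and xfrm_ipcomp.
XFRM_MODULES="xfrm_algo xfrm_ipcomp xfrm_user"

# Constructed sample: excerpt of the lsmod output before the insmod calls.
SAMPLE_LSMOD='tunnel4                 1534  1 xfrm4_tunnel
xfrm4_mode_tunnel       1328  0
xfrm4_tunnel            1328  0'

# missing_xfrm_modules (hypothetical helper): read lsmod text on stdin and
# print the modules from XFRM_MODULES that are not loaded, in load order.
missing_xfrm_modules() {
    loaded=$(awk '{print $1}')
    out=""
    for m in $XFRM_MODULES; do
        # Exact match on the first column only, so a name in the "used by"
        # column or a prefix such as xfrm4_tunnel does not count as loaded.
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            out="${out:+$out }$m"
        fi
    done
    printf '%s\n' "$out"
}

# load_missing_xfrm (hypothetical helper): insmod each missing module by path.
# MODDIR defaults to the flat /lib/modules/<release>/ layout seen on the page.
load_missing_xfrm() {
    moddir="${MODDIR:-/lib/modules/$(uname -r)}"
    for m in $(lsmod | missing_xfrm_modules); do
        if [ ! -f "$moddir/$m.ko" ]; then
            echo "$moddir/$m.ko not found" >&2
            return 1
        fi
        insmod "$moddir/$m.ko" || { echo "insmod $m failed" >&2; return 1; }
    done
}
```

Running `lsmod | missing_xfrm_modules` before `/etc/init.d/ipsec start` lists what still has to be loaded; `load_missing_xfrm` needs root.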


