BPI-Router-Linux

I need IPSec support on BPI r4

Open akibsayyed opened this issue 3 months ago • 19 comments

Dear Frank

Thank you for the great repo. I was able to install it and get it working, but I don't have user-level IPSec capability using the user xfrm module.

Can you tell me how to compile it as part of this image, or add only the module to the existing module?

Thanks.

akibsayyed avatar Oct 30 '25 08:10 akibsayyed

this is kernel only, but you can build it with your needed config option (./build.sh config after importconfig) and install to one of my debian/ubuntu images.

have not done anything with ipsec, so i do not know which options are needed for it

i only have seen offloading for ipsec on a quick search

maybe this is related (INET_XFRM_TUNNEL and INET_IPCOMP seem not to be selected):

  Symbol: INET_XFRM_TUNNEL [=n]
  Type  : tristate
  Defined at net/ipv4/Kconfig:415
    Depends on: NET [=y] && INET [=y]
  Selects: INET_TUNNEL [=y]
  Selected by [n]:
    - INET_IPCOMP [=n] && NET [=y] && INET [=y]

  Symbol: NFT_XFRM [=m]
  Type  : tristate
  Defined at net/netfilter/Kconfig:630
    Prompt: Netfilter nf_tables xfrm/IPSec security association matching

maybe you have any errors in running system which point to the missing options?

frank-w avatar Oct 30 '25 08:10 frank-w

I am trying to compile the kernel, but after compilation I am facing the following error:

make[1]: Entering directory '/home/akib/build'

ERROR: Kernel configuration is invalid. include/generated/autoconf.h or include/config/auto.conf are missing. Run 'make oldconfig && make prepare' on kernel src to fix it.

/home/akib/BPI-Router-Linux/Makefile:730: include/config/auto.conf: No such file or directory
make[2]: *** [/home/akib/BPI-Router-Linux/Makefile:795: include/config/auto.conf] Error 1
make[1]: *** [/home/akib/BPI-Router-Linux/Makefile:224: __sub-make] Error 2
make[1]: Leaving directory '/home/akib/build'
make: *** [Makefile:224: __sub-make] Error 2
find: '../SD/BPI-ROOT/lib/modules/*': No such file or directory

akibsayyed avatar Nov 14 '25 05:11 akibsayyed

Do you always use build.sh?

frank-w avatar Nov 14 '25 05:11 frank-w

Got it working, I forgot to use prepare config (sorry, importconfig).

akibsayyed avatar Nov 14 '25 06:11 akibsayyed

importconfig before should be enough

frank-w avatar Nov 14 '25 06:11 frank-w

I want to build the header deb package. What is the procedure for the same?

akibsayyed avatar Nov 14 '25 06:11 akibsayyed

It is done in pipeline (.github/workflows/build.yml) afair build_debs

frank-w avatar Nov 14 '25 06:11 frank-w

I am trying ./build.sh pack_debs. Will it work too, or just build_debs? Because build_debs only built the kernel deb.

akibsayyed avatar Nov 14 '25 06:11 akibsayyed

Could also be pack_debs...i do not do this manually :)

frank-w avatar Nov 14 '25 06:11 frank-w

I am not getting support for tunnel in transport mode; I am unable to set CONFIG_INET_XFRM_MODE_TRANSPORT.

akibsayyed avatar Nov 15 '25 08:11 akibsayyed

You mean you cannot enable it? When you have menuconfig (./build.sh config) and search for it with "/" you see "depends on". I guess something there is missing and has to be enabled before your option. Also dependencies can have dependencies...

frank-w avatar Nov 15 '25 08:11 frank-w

it says no match found when i search it

akibsayyed avatar Nov 15 '25 08:11 akibsayyed

Can you help? I need ipsec in transport mode. Also, is there a way to compile it as an external module and then use it?

akibsayyed avatar Nov 15 '25 09:11 akibsayyed

> it says no match found when i search it

same for me...as i said i have not done anything with ipsec yet, so i have no idea how to achieve this...if there is additional code you could also add it to your kernel tree. building an external module is mostly more complex as you still need headers for the same kernel version and have to manually copy the module etc.

maybe ipsec support was dropped due to wireguard integration?

seems earlier dropped

https://cateee.net/lkddb/web-lkddb/INET_XFRM_MODE_TRANSPORT.html

but looks like the option is not needed since then ;)

$ git logone -SINET_XFRM_MODE_TRANSPORT net/ipv4/Kconfig
4c145dce2601 2019-03-29 xfrm: make xfrm modes builtin Florian Westphal 
b59f45d0b287 2006-05-27 [IPSEC] xfrm: Abstract out encapsulation modes Herbert Xu 

but top commit removing the option is in since 5.3...cateee tells about this option available till 5.1 (should be 5.2), but this is only detail

frank-w avatar Nov 15 '25 09:11 frank-w
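
Added example, not part of the thread or of build.sh: a POSIX shell check that reports the IPsec-related Kconfig symbols in a kernel `.config` and does not count a missing INET_XFRM_MODE_TRANSPORT as a problem, since the thread found that option was removed when xfrm modes became builtin. The symbols beyond those named in the thread (XFRM_USER, INET_ESP, INET_AH, XFRM) and the sample config are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a kernel .config for IPsec (xfrm) options.

# INET_IPCOMP, INET_XFRM_TUNNEL and NFT_XFRM are named in the thread;
# XFRM_USER, INET_ESP and INET_AH are this example's own selection.
IPSEC_SYMS="XFRM_USER INET_ESP INET_AH INET_IPCOMP INET_XFRM_TUNNEL NFT_XFRM"

# Echo y or m for an enabled symbol, n when it is unset or absent.
sym_state() {  # $1 = .config path, $2 = symbol without the CONFIG_ prefix
    val=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# Echo one "SYMBOL=state" line per symbol, then a "missing=N" summary.
audit_ipsec() {  # $1 = .config path
    missing=0
    for s in $IPSEC_SYMS; do
        st=$(sym_state "$1" "$s")
        echo "$s=$st"
        if [ "$st" = n ]; then missing=$((missing + 1)); fi
    done
    # The per-mode option is gone from newer trees, so its absence is not
    # counted as missing; the xfrm core symbol is reported instead.
    if grep -q 'CONFIG_INET_XFRM_MODE_TRANSPORT[= ]' "$1"; then
        echo "INET_XFRM_MODE_TRANSPORT=$(sym_state "$1" INET_XFRM_MODE_TRANSPORT)"
    else
        echo "INET_XFRM_MODE_TRANSPORT=absent XFRM=$(sym_state "$1" XFRM)"
    fi
    echo "missing=$missing"
}

# Constructed sample .config fragment (not taken from a real R4 build).
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_INET_ESP=m
# CONFIG_INET_AH is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_NFT_XFRM=m
EOF
    echo "$f"
}

cfg=$(make_sample_config)
audit_ipsec "$cfg"
rm -f "$cfg"
```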

Thank you for more clear answer,

Can I compile kernel 5.1 for noble? I guess not. If not, then how can I go back to jammy?

akibsayyed avatar Nov 15 '25 09:11 akibsayyed

you can switch to branch 5.1-main and work on this ;) should be still compilable (have compiled 5.4-main yesterday due to updates), but it is no LTS kernel (last LTS before was 4.19 which is EOL, next will be 5.4 which has it builtin). but why use an older kernel as this code is builtin? just ignore this option

sorry, forgot that you have R4...it is only supported from 6.12+

frank-w avatar Nov 15 '25 09:11 frank-w

I am performing many tests now, but would like to know the following: I am getting "packed rootfs already exists" when I replace the old kernel package with the new one. Is this the right approach?

Here are the details:

I compile the kernel into a tar file and place the kernel in the image-generating folder BPI-Images. Now it says that the rootfs already exists.

Can I continue now, or will I have to restart everything again?

akibsayyed avatar Nov 15 '25 12:11 akibsayyed

MY BAD

it does support transport mode even if it doesn't give a config option

akibsayyed avatar Nov 15 '25 13:11 akibsayyed

You do not have to create and flash an image every time you want to test a new kernel. Just install the new kernel to your sdcard.

If you get error that sdcard not found check if partitions are mounted (p5 to /media/$USER/BPI-BOOT and p6 to BPI-ROOT). You can mount it also with build.sh (needed on r2pro)

https://github.com/frank-w/BPI-Router-Linux/blob/6.18-rc/build.sh#L1071

The info (packed rootfs already exists) is just a note that the buildchroot/debootstrap is not run again and the existing packed file is used and unpacked to the resulting image.

frank-w avatar Nov 15 '25 14:11 frank-w