# [SOLVED] Strongswan and kernel-4.11.X

## cdstealer

Hi,

I run my own VPN solely for the purpose of using my mobile phone on public networks.  Everything works great under kernel-4.10.13.  On kernel-4.11.X, I used the config from 4.10.13 and made oldconfig.  Something in kernel-4.11.X has broken the routing within strongswan.  Has anyone come across anything similar?  I'll keep chipping away at it, just looking for a way to reduce the number of times I have to recompile the kernel  :Wink: 

T.I.A.

*edit*  Looks like it's something broken in the kernel  :Sad:   Still isn't fixed in 4.11.4 though.

https://lkml.org/lkml/2017/4/25/937

*edit* Still broken in 4.11.5 and it looks like redhat already patched it.

https://bugzilla.redhat.com/show_bug.cgi?id=1458222

*edit* Still broken in 4.11.6  :Sad: 

----------

## cdstealer

OK.. gave up and applied the patch in the lkml thread to kernel 4.11.6.  YAY.. it works!

```
# cd /usr/src/linux && cat esp_patch

--- a/net/ipv4/esp4.c

+++ b/net/ipv4/esp4.c

@@ -223,6 +223,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)

    int extralen;

    int tailen;

    __be64 seqno;

+   int esp_offset = 0;

    __u8 proto = *skb_mac_header(skb);

 

    /* skb is pure payload to encrypt */

@@ -288,6 +289,8 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)

          break;

       }

 

+      esp_offset = (unsigned char *)esph - (unsigned char *)uh;

+

       *skb_mac_header(skb) = IPPROTO_UDP;

    }

 

@@ -397,7 +400,7 @@ static int esp_output(struct xfrm_state *x, struct sk_buff *skb)

       goto error;

    nfrags = err;

    tail = skb_tail_pointer(trailer);

-   esph = ip_esp_hdr(skb);

+   esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);

 

 skip_cow:

    esp_output_fill_trailer(tail, tfclen, plen, proto);
```
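Review bot: in the second hunk, `esp_offset` is assigned only inside the block that ends with `*skb_mac_header(skb) = IPPROTO_UDP;` and keeps its initial value of 0 everywhere else, but nothing in the code says so. A one-line comment at the assignment stating that it is the distance from `uh` to `esph`, and that it stays 0 when that block is not taken, would make the later use readable. The pointer difference is also stored in a plain `int`, which is worth a word in the commit message or a comment.

Review bot: in the third hunk, the new `esph = (struct ip_esp_hdr *)(skb_transport_header(skb) + esp_offset);` is only correct if the transport header points at `uh` whenever `esp_offset` is non-zero, and that assumption is not documented. Add a comment above the line saying why `ip_esp_hdr(skb)` is no longer sufficient here and what `skb_transport_header(skb)` is expected to point at in both the encapsulated and the plain case.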

Then executed:

```
patch -p1 < esp_patch
```

Recompiled the kernel in the usual manner and eureka!  :Smile: 

----------

## cdstealer

Still broken in 4.11.7 but the above patch still works  :Smile: 

----------

## josephg

 *cdstealer wrote:*   

> I run my own VPN solely for the purpose of using my mobile phone on public networks.

 

would you tell me how you do this, or refer some links please? thanks

----------

## cdstealer

Hi Josephg,  I did my own how to as I couldn't find anything complete from start to finish.  Have a go.  It's just my brain dump, so if you have any questions, please let me know.  Here is my http://cdblog.cdstealer.com/?p=1231 blog post.  I hope you find it useful.

Cheers

[Moderator edit: expanded tinyurl to point to the actual URL.  Some people prefer not to follow tinyurl redirects. -Hu]

----------

## josephg

thank you cdstealer  :Smile:  i've wanted to do something like this for a while. just for my mobile to grab internet sometimes on public/restricted wifi.

your blog post is extremely helpful with detailed information. but i don't see any vpn/client setup, possibilities or scenarios. how/what can you do on the android end?

----------

## cdstealer

I use the strongswan android app.  But yes, you are right.  I'll knock something up.  In the meantime, here's one I found that may suffice  :Wink:  https://help.my-private-network.co.uk/support/solutions/articles/6000158345-ikev2-vpn-setup-via-strongswan-app-for-android.  There are a couple of steps missing depending on what you're doing.  For example, getting your certificate on to the phone and then configuring the client to use it.  I'll add my howto to the bottom of my blog when it's complete.

----------

## cdstealer

Hi, I've now added the client setup howto.  Hope it helps.

----------

## josephg

thank you again cdstealer  :Smile:  that was quick. guess i'll also need static ip or dyndns etc.

----------

## cdstealer

No worries  :Smile: 

I'm not on a static myself, but my IP doesn't change very often  :Wink: 

----------

## cdstealer

*UPDATE*  This has now been patched in 4.12.0  :Smile:   But now my wireless mouse doesn't work, but that's a new thread  :Wink: 

----------

