IPSec on Sharp Zaurus

The first binaries for Openzaurus are available. Ken Bantoft tells us about the progress (see here) and releases the binaries in this feed. But be careful and read his announcement, because not everything is running out-of-the-box at the moment.

Update: Starting with the new Openzaurus version 3.1rc2 you do not need to install expr, because expr is already enabled in busybox. Furthermore Joachim Ritschel (TU-Ilmenau) gave me the ipsec and tun-device kernel modules crosscompiled for 2.4.18-rmk7-pxa3-embedix (SL-C7X0). The package is available here.

The Zaurus comes with a compact flash slot, so equipping it with a wireless LAN card suggests itself. Unfortunately the widely used standard encryption WEP is not really secure (see e.g. wep_attack), so one needs an alternative. freeswan fits perfectly for this situation.

Since ipsec works on the networking layer, the user has to change the kernel. The Zaurus kernel is located in flash ROM, so updating it is not an easy task (see kernel update). Fortunately you can compile freeswan as a module, so you don't have to deal with these problems. Until now there was only an old freeswan version already crosscompiled and no module for the original kernel (linux-2.4.6-rmk1-np2-embedix), so I had to compile it myself.

The result is a ready-to-run kernel module for the original Zaurus kernel (linux-2.4.6-rmk1-np2-embedix) as well as the freeswan 1.98b daemons and userland tools. This enables the user to establish a VPN with his Zaurus without having to flash a new kernel.

Here you can get freeswan 1.98b as well as the associated kernel module suitable for the original kernel linux-2.4.6-rmk1-np2-embedix:
freeswan 1.98b
ipsec kernel module suitable for linux-2.4.6-rmk1-np2-embedix
freeswan depends on awk and libgmp. You can find them at ipkgfind.

Shortly after establishing the first ipsec connection, one is surprised by a very unfavorable feature of the Sharp-supplied QPE. Approximately every 2 minutes an alert box comes up which complains about a network conflict, because eth0 and ipsec0 are using the same IP. Unfortunately I could not find out where exactly this message comes from. As a well-working workaround one can do the following: in /usr/lib/ipsec/_realsetup, wait for a few seconds at the end of start and then change eth0's IP to another subnet. This does not affect ipsec, because ipsec only needs the real IP for establishing the secure connection. That is why you need to use sleep, to give ipsec some time to establish the connection. So enter e.g. sleep 6 && ifconfig eth0 192.168.123.123 at the end of the start function. And of course you have to change the IP back again at the end of the stop function using ifconfig.

Additionally, one normally does not need the log function of ipsec on the Zaurus, because syslogd is usually not running. Therefore you can comment out all log functions in the scripts to save memory.
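
An added sketch of the eth0/ipsec0 workaround described above (not code from the original page or from freeswan's scripts): two helpers to call at the end of the start and stop sections of _realsetup, which remember eth0's real address so that stop can put it back. The function names, the state file path and the "inet addr:"/"Mask:" ifconfig output format are assumptions.

```shell
#!/bin/sh
# Added example: park eth0 on another subnet after ipsec start, restore on stop.
IFCONFIG=${IFCONFIG:-ifconfig}              # command used to read/set addresses
STATE=${STATE:-/tmp/eth0.ipsec-saved}       # assumed location for the saved address
PARK_IP=${PARK_IP:-192.168.123.123}         # dummy address taken from the page
DELAY=${DELAY:-6}                           # seconds ipsec gets to come up

# Print "address netmask" of interface $1.
# Assumes the old net-tools/busybox output: "inet addr:A  Bcast:B  Mask:M".
get_addr() {
    $IFCONFIG "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*Mask:\([0-9.]*\).*/\1 \2/p'
}

# Call at the end of start: save the real address, wait, then move eth0 away.
park_eth0() {
    cur=$(get_addr eth0)
    [ -n "$cur" ] || return 1               # eth0 has no IPv4 address
    # Restart without a stop: eth0 is already parked, so keep the saved
    # real address instead of overwriting it with the dummy one.
    case "$cur" in
        "$PARK_IP "*) return 0 ;;
    esac
    echo "$cur" > "$STATE"
    sleep "$DELAY" && $IFCONFIG eth0 "$PARK_IP"
}

# Call at the end of stop: put the saved address and netmask back.
restore_eth0() {
    [ -r "$STATE" ] || return 1             # nothing was saved
    read addr mask < "$STATE"
    $IFCONFIG eth0 "$addr" netmask "$mask" && rm -f "$STATE"
}
```
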

If someone wants to try to crosscompile the module himself, here are the most important steps I did:

Again only some steps:

I am hoping this page is useful for many people; for me ipsec is one of the most important programs for the Zaurus. My thanks go to Markus Tavenrath for the friendly assistance with the crosscompiling options.

Jens Liebchen