StrongSWAN error: unable to install inbound and outbound IPsec SA (SAD) in kernel

It does not behave like it did with openswan. No IP address is assigned, for example.
Ran iperf on the local subnet through an IPsec tunnel from the Turris router to a Debian VM. It reaches 120MBit/sec with eap=aes128-sha1
Anyway I think turris-os needs this patch https://github.com/openwrt-mirror/openwrt/commit/5d40955aea8690ffcbdf57a7d7bfe61ef8bc11df

kernel/modules: fix crypto API RNG for >=4.2

Since kernel 4.2, DRBG is the default crypto API RNG, replacing krng. As
DRBG is not enabled, there is no crypto API RNG available when running
kernel 4.2 or later. Because of this, IPsec SAs fail to install. In
strongSwan, this results in a vague error that is difficult to debug:

received netlink error: No such file or directory (2)

Solve this by adding DRBG to the kmod-crypto-rng package. As enabling
DRBG in the kernel config also enables the Jitterentropy RNG, include it
in kmod-crypto-rng instead of having it in a separate package.

Signed-off-by: Stijn Tintel stijn@linux-ipv6.be

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@47827 3c298f89-4303-0410-b956-a3cf2f4a3e73

Christian, can you please reopen the issue? I added a description for the required patch but cannot reopen.

I have strongswan up and running now without the libipsec module. Without the marvell_cesa module loaded I get ~160-180MBit/sec with iperf. With the hardware encryption module loaded, ~310-330MBit/sec. Both crypt packages (crypto-iv and crypto-rng) needed fixes, and a new kernel module package, crypto-echainiv.ko, is also needed. For details, look at the issue https://github.com/CZ-NIC/turris-os/issues/5.
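A quick check for the condition the quoted commit message describes (no crypto API RNG registered), as an added example that is not part of the thread or of the OpenWrt patch. The function names are hypothetical and the two `/proc/crypto` excerpts are constructed samples; it relies on the kernel listing its default RNG under the name `stdrng`.

```shell
#!/bin/sh
# Print "driver module selftest" for each rng registered as stdrng, the
# default crypto API RNG. Reads /proc/crypto unless a file (or "-") is given.
list_stdrng() {
    awk -F' *: *' '
        function emit() {
            if (rec["name"] == "stdrng" && rec["type"] == "rng")
                print rec["driver"], rec["module"], rec["selftest"]
            split("", rec)                 # reset for the next record
        }
        /^[ \t]*$/ { emit(); next }        # a blank line ends a record
        { rec[$1] = $2 }
        END { emit() }
    ' "${1:-/proc/crypto}"
}

# Return 0 only if at least one stdrng provider passed its self-test.
check_crypto_rng() {
    found=$(list_stdrng "$1")
    if [ -z "$found" ]; then
        echo "FAIL: no stdrng in crypto API; expect IPsec SA install errors"
        return 1
    fi
    echo "$found" | sed 's/^/stdrng provider: /'
    echo "$found" | grep -q ' passed$'
}

# Constructed, trimmed /proc/crypto excerpts (not captured from a real router).
sample_with_drbg() { cat <<'EOF'
name         : jitterentropy_rng
driver       : jitterentropy_rng
type         : rng

name         : stdrng
driver       : drbg_nopr_hmac_sha256
module       : drbg
selftest     : passed
type         : rng
EOF
}
sample_without_rng() { cat <<'EOF'
name         : cbc(aes)
driver       : cbc(aes-generic)
type         : blkcipher
EOF
}

sample_with_drbg   | check_crypto_rng - || true
sample_without_rng | check_crypto_rng - || true
```

On the router itself, calling `check_crypto_rng` with no argument reads the live `/proc/crypto`.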

@Christian_Kuhnel

Hi Christian,

I'm new to Turris Omnia and just trying to replace a Fritz!Box 6490 Cable.

Could you describe all steps needed to establish a VPN-connection between Turris Omnia and a Fritz!Box?

Thank you very much

Gerhard