<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=gb2312"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:宋体;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"\@宋体";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:宋体;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 90.0pt 72.0pt 90.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=ZH-CN link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span lang=EN-US>strongswan.conf:<br>charon {<br><br> # number of worker threads in charon<br> threads = 16<br><br> # plugins to load in charon<br> load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kk<br>ernel-netlink updown<br>}<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>kk<br>ernel-netlink may be kernel-netlink not kkernel-netlink<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US><br><br></span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> users-bounces+bzhang=sonicwall.com@lists.strongswan.org [mailto:users-bounces+bzhang=sonicwall.com@lists.strongswan.org] <b>On Behalf Of </b>MingM Xia<br><b>Sent:</b> 2010</span><span style='font-size:10.0pt'>年</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>4</span><span style='font-size:10.0pt'>月</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>1</span><span style='font-size:10.0pt'>日</span><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> 14:43<br><b>To:</b> users@lists.strongswan.org<br><b>Subject:</b> [strongSwan] On PPC: netlink error, unable to create IPv4 routing table rule<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal style='margin-bottom:12.0pt'><span lang=EN-US>Hi,<br><br>I'm Running strongSwan 4.3.6rc2 on 2 PPC hosts to accomplish IKEv2 using Charon (transport mode).<br><br># uname -a <br>Linux hapWibbSc2 2.6.27.39 #5 SMP PREEMPT Fri Feb 26 18:33:03 CST 2010 ppc ppc ppc GNU/Linux<br><br><br>I met 2 issues:<br><br>1. There are some “netlink error" info:<br><br>Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not <br>supported (95)<br>Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table ruu<br>le<br>Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not <br>supported (95)<br>Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv6 routing table ruu<br>le<br>Feb 19 15:37:00 localhost charon: 00[LIB] plugin 'kernel-netlink': loaded success<br>sfully<br><br>2. <br>root#ipsec up host-host<br>initiating IKE_SA host-host[2] to 10.19.156.194<br>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>sending packet: from 10.19.156.242[500] to 10.19.156.194[500]<br>received packet: from 10.19.156.194[500] to 10.19.156.242[500]<br>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>authentication of '10.19.156.242' (myself) with pre-shared key<br>establishing CHILD_SA host-host<br>generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]<br>sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]<br>retransmit 1 of request with message ID 1<br>sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]<br>retransmit 2 of request with message ID 1<br>sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]<br>retransmit 3 of request with message ID 1<br>sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]<br>retransmit 4 of request with message ID 1<br>sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]<br>retransmit 5 of request with message ID 1<br>sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]<br>giving up after 5 retransmits<br>peer not responding, trying again (2/3)<br>root# netstat -nlp | grep 4500<br>udp 0 0 <a href="http://0.0.0.0:4500">0.0.0.0:4500</a> 0.0.0.0:* 7698/charon <br>root# netstat -nlp | grep 500 <br>udp 0 0 <a href="http://0.0.0.0:4500">0.0.0.0:4500</a> 0.0.0.0:* 7698/charon <br>udp 0 0 <a href="http://0.0.0.0:500">0.0.0.0:500</a> 0.0.0.0:* 7698/charon <br><br>I find it has something to do with my Firewall, when I disable the firewall for both hosts, Child SA is created successfully even it's still with the “netlink error" mentioned above.<br><br><br>I'm kindly confused about "leftfirewall=yes" configuration and "charon.routing_table”,<br><br>About "left|rightfirewall=yes"</span>,<span lang=EN-US> I used to think, with this configuration, strongSwan will insert the rule to IPTABLES for the connection at the very beginning, obviously I'm wrong, from the log of successful case, I find the firewall script "_updown" is for CHILD SA, it will be implemented after CHILD SA set up, not at the very beginning. So we still need to make sure the port used IKE is not blocked on both peers, for IKE v2, by default, there will be UDP port 500 and 4500, we need make sure our firewall open UDP port 500 and UDP port 4500, am I right?<br><br>About "charon.routing_table”, is this by default enabled for IKEv2? I checked the code of "kernel_netlink_net_create", the print of "netlink error" tells me "this->routing_table" is true, but actually I didn't configure it in strongswan.conf. I'm not so clear about the purpose of this "routing table", anybody can give some explanation about this "routing table" purpose? And anybody have some idea with this "unable to create IPv4 routing table rule" on my PPC hosts? <br><br>It seems like even with this "unable to create IPv4 routing table rule", the IPsec (transport mode) works well on my 2 PPC hosts, is there any potential failure I haven't realized with "netlink error" ?<br><br><br>ipsec.conf:<br>config setup<br> # plutodebug=all<br> # crlcheckinterval=600<br> # strictcrlpolicy=yes<br> # cachecrls=yes<br> # nat_traversal=yes<br> # charonstart=no<br> # plutostart=no<br> plutostart=no<br> plutodebug=all<br> charonstart=yes<br> charondebug="dmn 3,mgr 3,ike 3,chd 3,job 3,cfg 3,knl 3,net 3,enc 1,lib 3"<br><br>conn host-host-bcu3<br> authby=psk<br> left=10.19.156.194<br> leftfirewall=yes<br> right=10.19.156.242<br> type=transport<br> ike=aes128-sha256-modp2048!<br> keyexchange=ikev2<br> esp=aes128-sha256-modp2048!<br> auto=add<br><br>strongswan.conf:<br>charon {<br><br> # number of worker threads in charon<br> threads = 16<br><br> # plugins to load in charon<br> load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kk<br>ernel-netlink updown<br>}<br><br><br>Best regards,<br><br>Mac<o:p></o:p></span></p></div></body></html>