<div dir="ltr"><div><div>Hi all,<br>this is my first setup with strongSwan. I really would like to use it, it's so
interesting, and I've been trying to get it working since last week, but I
never succeeded.<br><br>I'm trying to connect 2 hosts together: one is a VPS server (CentOS 6.4, x86_64, 2.6.32), the other one is a laptop behind NAT (Fedora 19, x86_64, 3.10.6). They are both using strongSwan 5.0.4 (epel and Fedora repositories).<br>
<br></div><div>My keys are generated with this command:<br></div><div># strongswan pki --gen --type rsa --size 4096 --out pem > ipsec.d/private/$key.key.pem<br></div><div><br>My certs are generated with this command:<br>
# strongswan pki --self --type rsa --digest sha512 --in ipsec.d/private/$key.key.pem --outform pem --dn "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>" --san "$key" > ipsec.d/certs/$key.pem<br></div>
<div><br></div><div>Here below you can find: logs (default logging level), configuration, directory listing, and some checks regarding kernel configuration (default VPS kernel).<br><br><br></div><div>Thanks in advance,<br>
</div><div>Francesco Frassinelli<br><br></div><div><br></div># strongswan start --nofork # gateway/server<br>strongswan start --nofork<br>Starting strongSwan 5.0.4 IPsec [starter]...<br>no netkey IPsec stack detected<br>no KLIPS IPsec stack detected<br>
no known IPsec stack detected, ignoring!<br>00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-042stab076.8, x86_64)<br>00[LIB] plugin 'sqlite' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-sqlite.so: cannot open shared object file: No such file or directory<br>
00[LIB] openssl FIPS mode(0) - disabled <br>00[LIB] plugin 'eap-radius' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-radius.so: cannot open shared object file: No such file or directory<br>00[LIB] plugin 'eap-tnc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-tnc.so: cannot open shared object file: No such file or directory<br>
00[LIB] plugin 'tnc-imc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imc.so: cannot open shared object file: No such file or directory<br>00[LIB] plugin 'tnc-imv' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so: cannot open shared object file: No such file or directory<br>
00[LIB] plugin 'tnc-tnccs' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-tnccs.so: cannot open shared object file: No such file or directory<br>00[LIB] plugin 'tnccs-20' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so: cannot open shared object file: No such file or directory<br>
00[LIB] plugin 'tnccs-11' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-11.so: cannot open shared object file: No such file or directory<br>00[LIB] plugin 'tnccs-dynamic' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-dynamic.so: cannot open shared object file: No such file or directory<br>
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'<br>00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'<br>00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'<br>
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'<br>00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'<br>00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'<br>
00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/frafra.ch.key.pem'<br>00[DMN] loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp<br>
00[JOB] spawning 16 worker threads<br>charon (826) started after 60 ms<br>14[CFG] received stroke: add connection 'franetwork'<br>14[CFG] loaded certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>" from 'frafra.ch.pem'<br>
14[CFG] loaded certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>" from 'frafra@calimero.pem'<br>14[CFG] added configuration 'franetwork'<br>15[NET] received packet: from 93.147.151.147[500] to 37.247.55.126[500] (744 bytes)<br>
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>15[IKE] 93.147.151.147 is initiating an IKE_SA<br>15[IKE] remote host is behind NAT<br>15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
15[NET] sending packet: from 37.247.55.126[500] to 93.147.151.147[500] (440 bytes)<br>16[NET] received packet: from 93.147.151.147[4500] to 37.247.55.126[4500] (892 bytes)<br>16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
16[CFG] looking for peer configs matching 37.247.55.126[<a href="http://frafra.ch">frafra.ch</a>]...93.147.151.147[frafra@calimero]<br>16[CFG] selected peer config 'franetwork'<br>16[CFG] using trusted certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>"<br>
16[IKE] authentication of 'frafra@calimero' with RSA signature successful<br>16[IKE] peer supports MOBIKE<br>16[IKE] authentication of '<a href="http://frafra.ch">frafra.ch</a>' (myself) with RSA signature successful<br>
16[IKE] IKE_SA franetwork[1] established between 37.247.55.126[<a href="http://frafra.ch">frafra.ch</a>]...93.147.151.147[frafra@calimero]<br>16[IKE] scheduling reauthentication in 9971s<br>16[IKE] maximum IKE_SA lifetime 10511s<br>
16[KNL] received netlink error: Protocol not supported (93)<br>16[KNL] unable to add SAD entry with SPI cc8f7f2d<br>16[KNL] received netlink error: Protocol not supported (93)<br>16[KNL] unable to add SAD entry with SPI cf7be3c3<br>
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel<br>16[IKE] failed to establish CHILD_SA, keeping IKE_SA<br>16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]<br>
16[NET] sending packet: from 37.247.55.126[4500] to 93.147.151.147[4500] (684 bytes)<br><br></div># strongswan start --nofork # roadwarrior/client<br>Starting strongSwan 5.0.4 IPsec [starter]...<br>00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.10.6-200.fc19.x86_64, x86_64)<br>
00[LIB] openssl FIPS mode(0) - disabled <br>00[CFG] loaded 0 RADIUS server configurations<br>00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'<br>00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'<br>
00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'<br>00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'<br>00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'<br>
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'<br>00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/frafra@calimero.key.pem'<br>00[TNC] loading IMCs from '/etc/tnc_config'<br>
00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory<br>00[TNC] TNC recommendation policy is 'default'<br>00[TNC] loading IMVs from '/etc/tnc_config'<br>00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory<br>
00[DMN] loaded plugins: charon curl sqlite aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp<br>
00[JOB] spawning 16 worker threads<br>charon (2956) started after 120 ms<br>05[CFG] received stroke: add connection 'franetwork'<br>05[CFG] loaded certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>" from 'frafra@calimero.pem'<br>
05[CFG] loaded certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>" from 'frafra.ch.pem'<br>05[CFG] added configuration 'franetwork'<br>10[CFG] received stroke: initiate 'franetwork'<br>
03[IKE] initiating IKE_SA franetwork[1] to 37.247.55.126<br>03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>03[NET] sending packet: from 192.168.0.25[500] to 37.247.55.126[500] (744 bytes)<br>
02[NET] received packet: from 37.247.55.126[500] to 192.168.0.25[500] (440 bytes)<br>02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>02[IKE] local host is behind NAT, sending keep alives<br>
02[IKE] authentication of 'frafra@calimero' (myself) with RSA signature successful<br>02[IKE] establishing CHILD_SA franetwork<br>02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
02[NET] sending packet: from 192.168.0.25[4500] to 37.247.55.126[4500] (892 bytes)<br>01[NET] received packet: from 37.247.55.126[4500] to 192.168.0.25[4500] (684 bytes)<br>01[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]<br>
01[CFG] using trusted certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>"<br>01[IKE] authentication of '<a href="http://frafra.ch">frafra.ch</a>' with RSA signature successful<br>01[IKE] IKE_SA franetwork[1] established between 192.168.0.25[frafra@calimero]...37.247.55.126[<a href="http://frafra.ch">frafra.ch</a>]<br>
01[IKE] scheduling reauthentication in 10154s<br>01[IKE] maximum IKE_SA lifetime 10694s<br>01[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built<br>01[IKE] failed to establish CHILD_SA, keeping IKE_SA<br>01[IKE] received AUTH_LIFETIME of 9971s, scheduling reauthentication in 9431s<br>
01[IKE] peer supports MOBIKE<br>03[IKE] sending keep alive to 37.247.55.126[4500]<br><br># strongswan up franetwork # roadwarrior/client<br>initiating IKE_SA franetwork[1] to 37.247.55.126<br>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<br>
sending packet: from 192.168.0.25[500] to 37.247.55.126[500] (744 bytes)<br>received packet: from 37.247.55.126[500] to 192.168.0.25[500] (440 bytes)<br>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]<br>
local host is behind NAT, sending keep alives<br>authentication of 'frafra@calimero' (myself) with RSA signature successful<br>establishing CHILD_SA franetwork<br>generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]<br>
sending packet: from 192.168.0.25[4500] to 37.247.55.126[4500] (892 bytes)<br>received packet: from 37.247.55.126[4500] to 192.168.0.25[4500] (684 bytes)<br>parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]<br>
using trusted certificate "C=IT, O=<a href="http://frafra.ch">frafra.ch</a>"<br>authentication of '<a href="http://frafra.ch">frafra.ch</a>' with RSA signature successful<br>IKE_SA franetwork[1] established between 192.168.0.25[frafra@calimero]...37.247.55.126[<a href="http://frafra.ch">frafra.ch</a>]<br>
scheduling reauthentication in 10154s<br>maximum IKE_SA lifetime 10694s<br>received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built<br>failed to establish CHILD_SA, keeping IKE_SA<br>establishing connection 'franetwork' failed<br>
<br># grep -Pv '^\W*#' ipsec.conf # gateway/server<br>config setup<br><br>conn franetwork<br> keyingtries=1<br> keyexchange=ikev2<br> left=<a href="http://frafra.ch">frafra.ch</a><br> leftsubnet=<a href="http://37.247.55.126/32">37.247.55.126/32</a><br>
leftcert=frafra.ch.pem<br> leftid=@<a href="http://frafra.ch">frafra.ch</a><br> right=%any<br> rightsubnet=<a href="http://192.168.0.25/16">192.168.0.25/16</a><br> rightcert=frafra@calimero.pem<br> rightid=frafra@calimero<br>
auto=add<br><br># grep -Pv '^\W*#' ipsec.conf # roadwarrior/client<br>config setup<br><br>conn franetwork<br> keyingtries=1<br> keyexchange=ikev2<br> left=192.168.0.25<br> leftsubnet=<a href="http://192.168.0.25/16">192.168.0.25/16</a><br>
leftcert=frafra@calimero.pem<br> leftid=frafra@calimero<br> leftfirewall=yes<br> right=<a href="http://frafra.ch">frafra.ch</a><br> rightsubnet=<a href="http://37.247.55.126/32">37.247.55.126/32</a><br> rightcert=frafra.ch.pem<br>
rightid=@<a href="http://frafra.ch">frafra.ch</a><br> auto=add<br><br># ls -R /etc/strongswan/ | grep -v ^$ # gateway/server<br>/etc/strongswan/:<br>ipsec.conf<br>ipsec.d<br>ipsec.secrets<br>strongswan.conf<br>/etc/strongswan/ipsec.d:<br>
aacerts<br>acerts<br>cacerts<br>certs<br>crls<br>ocspcerts<br>private<br>reqs<br>/etc/strongswan/ipsec.d/aacerts:<br>/etc/strongswan/ipsec.d/acerts:<br>/etc/strongswan/ipsec.d/cacerts:<br>/etc/strongswan/ipsec.d/certs:<br>
frafra@calimero.pem<br>frafra.ch.pem<br>/etc/strongswan/ipsec.d/crls:<br>/etc/strongswan/ipsec.d/ocspcerts:<br>/etc/strongswan/ipsec.d/private:<br>frafra.ch.key.pem<br>/etc/strongswan/ipsec.d/reqs:<br><br># ls -R /etc/strongswan/ | grep -v ^$ # roadwarrior/client<br>
/etc/strongswan/:<br>ipsec.conf<br>ipsec.d<br>ipsec.secrets<br>strongswan.conf<br>/etc/strongswan/ipsec.d:<br>aacerts<br>acerts<br>cacerts<br>certs<br>crls<br>ocspcerts<br>private<br>reqs<br>/etc/strongswan/ipsec.d/aacerts:<br>
/etc/strongswan/ipsec.d/acerts:<br>/etc/strongswan/ipsec.d/cacerts:<br>/etc/strongswan/ipsec.d/certs:<br>frafra@calimero.pem<br>frafra.ch.pem<br>/etc/strongswan/ipsec.d/crls:<br>/etc/strongswan/ipsec.d/ocspcerts:<br>/etc/strongswan/ipsec.d/private:<br>
frafra@calimero.key.pem<br>/etc/strongswan/ipsec.d/reqs:<br><br># bash test.sh /boot/config-2.6.32-358.14.1.el6.x86_64 # script derived from <a href="http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules">http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules</a><br>
CONFIG_XFRM_USER=y<br>CONFIG_NET_KEY=m<br>CONFIG_NET_KEY_MIGRATE=y<br>CONFIG_INET=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_TUNNEL=m<br>CONFIG_INET_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>
CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_INET_LRO=y<br>CONFIG_INET_DIAG=m<br>CONFIG_INET_TCP_DIAG=m<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_TUNNEL=m<br>
CONFIG_INET6_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m<br>CONFIG_INET_DCCP_DIAG=m<br>CONFIG_IP_ADVANCED_ROUTER=y<br>
CONFIG_IP_MULTIPLE_TABLES=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_IPV6=m<br>CONFIG_IPV6_PRIVACY=y<br>
CONFIG_IPV6_ROUTER_PREF=y<br>CONFIG_IPV6_ROUTE_INFO=y<br>CONFIG_IPV6_OPTIMISTIC_DAD=y<br>CONFIG_IPV6_MIP6=m<br>CONFIG_IPV6_SIT=m<br>CONFIG_IPV6_NDISC_NODETYPE=y<br>CONFIG_IPV6_TUNNEL=m<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>
# CONFIG_IPV6_SUBTREES is not set<br>CONFIG_IPV6_MROUTE=y<br>CONFIG_IPV6_PIMSM_V2=y<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>
CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>CONFIG_NETFILTER=y<br># CONFIG_NETFILTER_DEBUG is not set<br>CONFIG_NETFILTER_ADVANCED=y<br>CONFIG_NETFILTER_NETLINK=m<br>CONFIG_NETFILTER_NETLINK_QUEUE=m<br>
CONFIG_NETFILTER_NETLINK_LOG=m<br>CONFIG_NETFILTER_TPROXY=m<br>CONFIG_NETFILTER_XTABLES=y<br>CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br>CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m<br>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m<br>CONFIG_NETFILTER_XT_TARGET_CONNMARK=m<br>
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m<br>CONFIG_NETFILTER_XT_TARGET_DSCP=m<br>CONFIG_NETFILTER_XT_TARGET_HL=m<br>CONFIG_NETFILTER_XT_TARGET_LED=m<br>CONFIG_NETFILTER_XT_TARGET_MARK=m<br>CONFIG_NETFILTER_XT_TARGET_NFLOG=m<br>
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m<br>CONFIG_NETFILTER_XT_TARGET_NOTRACK=m<br>CONFIG_NETFILTER_XT_TARGET_RATEEST=m<br>CONFIG_NETFILTER_XT_TARGET_TPROXY=m<br>CONFIG_NETFILTER_XT_TARGET_TRACE=m<br>CONFIG_NETFILTER_XT_TARGET_SECMARK=m<br>
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m<br>CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m<br>CONFIG_NETFILTER_XT_SET=m<br>CONFIG_NETFILTER_XT_MATCH_CLUSTER=m<br>CONFIG_NETFILTER_XT_MATCH_COMMENT=m<br>CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m<br>
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_CONNMARK=m<br>CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m<br>CONFIG_NETFILTER_XT_MATCH_DCCP=m<br>CONFIG_NETFILTER_XT_MATCH_DSCP=m<br>CONFIG_NETFILTER_XT_MATCH_ESP=m<br>
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_HELPER=m<br>CONFIG_NETFILTER_XT_MATCH_HL=m<br>CONFIG_NETFILTER_XT_MATCH_IPRANGE=m<br>CONFIG_NETFILTER_XT_MATCH_LENGTH=m<br>CONFIG_NETFILTER_XT_MATCH_LIMIT=m<br>
CONFIG_NETFILTER_XT_MATCH_MAC=m<br>CONFIG_NETFILTER_XT_MATCH_MARK=m<br>CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m<br>CONFIG_NETFILTER_XT_MATCH_OWNER=m<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br>CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m<br>
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m<br>CONFIG_NETFILTER_XT_MATCH_QUOTA=m<br>CONFIG_NETFILTER_XT_MATCH_RATEEST=m<br>CONFIG_NETFILTER_XT_MATCH_REALM=m<br>CONFIG_NETFILTER_XT_MATCH_RECENT=m<br># CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set<br>
CONFIG_NETFILTER_XT_MATCH_SCTP=m<br>CONFIG_NETFILTER_XT_MATCH_SOCKET=m<br>CONFIG_NETFILTER_XT_MATCH_STATE=m<br>CONFIG_NETFILTER_XT_MATCH_STATISTIC=m<br>CONFIG_NETFILTER_XT_MATCH_STRING=m<br>CONFIG_NETFILTER_XT_MATCH_TCPMSS=m<br>
CONFIG_NETFILTER_XT_MATCH_TIME=m<br>CONFIG_NETFILTER_XT_MATCH_U32=m<br>CONFIG_NETFILTER_XT_MATCH_OSF=m<br>CONFIG_NETFILTER_XTABLES=y<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br></div>
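<div><br>An added example, not part of the original post: a small Python triage of the gateway log lines quoted above. It reports how far the negotiation got and compares the kernel release in the charon banner with the kernel config file that was passed to test.sh. The function name triage and the report keys are assumptions made for this example; the sample log is constructed from lines in the post.<br></div>

```python
import re

# Constructed sample: lines copied from the gateway/server log in the post.
GATEWAY_LOG = """\
no netkey IPsec stack detected
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-042stab076.8, x86_64)
16[IKE] IKE_SA franetwork[1] established between 37.247.55.126[frafra.ch]...93.147.151.147[frafra@calimero]
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cc8f7f2d
16[KNL] received netlink error: Protocol not supported (93)
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""
# Path given to test.sh in the post.
CHECKED_CONFIG = "/boot/config-2.6.32-358.14.1.el6.x86_64"

BANNER = re.compile(r"Starting IKE charon daemon \(strongSwan [^,]+, Linux ([^,]+),")
IKE_UP = re.compile(r"\[IKE\] IKE_SA \S+ established")
NETLINK_ERR = re.compile(r"\[KNL\] received netlink error: (.+) \((\d+)\)")


def triage(log, checked_config=None):
    """Report how far negotiation got and which kernel charon was running on."""
    report = {"running_kernel": None, "stack_detected": True, "ike_sa": False,
              "child_sa": None, "netlink_errors": [], "config_matches_kernel": None}
    for line in log.splitlines():
        banner = BANNER.search(line)
        if banner:
            report["running_kernel"] = banner.group(1)
        if "no netkey IPsec stack detected" in line:
            report["stack_detected"] = False
        if IKE_UP.search(line):
            report["ike_sa"] = True
        if "failed to establish CHILD_SA" in line:
            report["child_sa"] = False
        err = NETLINK_ERR.search(line)
        if err:
            entry = (err.group(1), int(err.group(2)))
            if entry not in report["netlink_errors"]:
                report["netlink_errors"].append(entry)
    if checked_config and report["running_kernel"]:
        # A /boot/config-<release> file describes only the kernel with that release.
        name = checked_config.rsplit("/", 1)[-1]
        checked = name[len("config-"):] if name.startswith("config-") else name
        report["config_matches_kernel"] = checked == report["running_kernel"]
    return report


if __name__ == "__main__":
    for key, value in triage(GATEWAY_LOG, CHECKED_CONFIG).items():
        print(f"{key}: {value}")
```

<div>On the constructed input the report shows the IKE_SA established, the CHILD_SA failed with netlink error 93, and config_matches_kernel False: the banner names kernel 2.6.32-042stab076.8, while test.sh read the config for 2.6.32-358.14.1.el6.x86_64.<br></div>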