[strongSwan] On PPC: netlink error, unable to create IPv4 routing table rule

MingM Xia macguffin.xia at gmail.com
Thu Apr 1 08:42:54 CEST 2010


Hi,

I'm running strongSwan 4.3.6rc2 on 2 PPC hosts to accomplish IKEv2 using
charon (transport mode).

# uname -a
Linux hapWibbSc2 2.6.27.39 #5 SMP PREEMPT Fri Feb 26 18:33:03 CST 2010 ppc ppc ppc GNU/Linux


I met 2 issues:

1. There are some "netlink error" messages:

Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table rule
Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv6 routing table rule
Feb 19 15:37:00 localhost charon: 00[LIB] plugin 'kernel-netlink': loaded successfully

2. The IKE_AUTH request gets no answer:
root# ipsec up host-host
initiating IKE_SA host-host[2] to 10.19.156.194
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.19.156.242[500] to 10.19.156.194[500]
received packet: from 10.19.156.194[500] to 10.19.156.242[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
authentication of '10.19.156.242' (myself) with pre-shared key
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 1 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 2 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 3 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
root# netstat -nlp | grep 4500
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           7698/charon
root# netstat -nlp | grep 500
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           7698/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           7698/charon

I found it has something to do with my firewall: when I disable the firewall
on both hosts, the CHILD_SA is created successfully, even though it still shows
the "netlink error" mentioned above.


I'm kind of confused about the "leftfirewall=yes" configuration and
"charon.routing_table".

About "left|rightfirewall=yes": I used to think that with this configuration
strongSwan would insert the iptables rules for the connection at the very
beginning. Obviously I'm wrong: from the log of the successful case, I see that
the firewall script "_updown" is for the CHILD_SA and is run after the
CHILD_SA is set up, not at the very beginning. So we still need to make sure
the ports used by IKE are not blocked on both peers; for IKEv2, by default,
these are UDP ports 500 and 4500, so we need to make sure our firewall opens
UDP port 500 and UDP port 4500. Am I right?

About "charon.routing_table": is this enabled by default for IKEv2? I
checked the code of "kernel_netlink_net_create"; the "netlink error" message
tells me "this->routing_table" is set, but I didn't actually configure it in
strongswan.conf. I'm not clear about the purpose of this "routing table". Can
anybody explain what this "routing table" is for? And does anybody have an idea
about this "unable to create IPv4 routing table rule" on my PPC hosts?

It seems that even with this "unable to create IPv4 routing table rule", IPsec
(transport mode) works well on my 2 PPC hosts. Is there any potential failure
I haven't noticed that is caused by this "netlink error"?


ipsec.conf:
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no
        plutostart=no
        plutodebug=all
        charonstart=yes
        charondebug="dmn 3,mgr 3,ike 3,chd 3,job 3,cfg 3,knl 3,net 3,enc 1,lib 3"

conn host-host-bcu3
        authby=psk
        left=10.19.156.194
        leftfirewall=yes
        right=10.19.156.242
        type=transport
        ike=aes128-sha256-modp2048!
        keyexchange=ikev2
        esp=aes128-sha256-modp2048!
        auto=add

strongswan.conf:
charon {

        # number of worker threads in charon
        threads = 16

        # plugins to load in charon
        load = curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kernel-netlink updown
}


Best regards,

Mac
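As an added illustration (not part of the original message), this small triage script runs over the charon log lines quoted above and separates the two issues: it pairs each kernel-netlink failure with the errno logged just before it, and it compares the remote UDP port that did get a reply (500, during IKE_SA_INIT) with the port whose request was retransmitted until charon gave up (4500), which is the firewall symptom the poster found. The sample log is constructed from the lines in the post; the wording of the findings is my own.

```python
import re

# Patterns matching the charon lines quoted in the post (kernel-netlink and IKE retransmits).
NETLINK_ERR = re.compile(r"received netlink error: (?P<msg>.+?) \((?P<errno>\d+)\)")
KNL_FAIL = re.compile(r"\[KNL\] (?P<what>unable to .+)")
PACKET = re.compile(r"(?P<dir>sending|received) packet: from [\d.]+\[(?P<sport>\d+)\] "
                    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]")
GIVE_UP = re.compile(r"giving up after (?P<n>\d+) retransmits")

def triage_charon_log(lines):
    """Pair each kernel-netlink failure with the preceding errno; record which remote
    UDP port the peer answered on and which one it never answered."""
    result = {"kernel_failures": [], "answered_ports": set(), "unanswered": None}
    pending_err = last_sent_to = None
    for line in lines:
        if m := NETLINK_ERR.search(line):
            pending_err = (int(m["errno"]), m["msg"])
        elif m := KNL_FAIL.search(line):
            result["kernel_failures"].append({"what": m["what"], "errno": pending_err})
            pending_err = None
        elif m := PACKET.search(line):
            if m["dir"] == "sending":
                last_sent_to = (m["dst"], int(m["dport"]))
            else:  # a reply from the peer proves that its port is reachable through the firewall
                result["answered_ports"].add(int(m["sport"]))
        elif (m := GIVE_UP.search(line)) and last_sent_to:
            result["unanswered"] = {"peer": last_sent_to[0], "dport": last_sent_to[1],
                                    "retransmits": int(m["n"])}
    return result

def diagnose(result):
    """Plain-language findings; the firewall advice restates what the post itself established."""
    notes = [f"'{f['what']}' failed with errno {f['errno'][0]} ({f['errno'][1]})"
             for f in result["kernel_failures"] if f["errno"]]
    u = result["unanswered"]
    if u and u["dport"] not in result["answered_ports"]:
        reached = ", ".join(map(str, sorted(result["answered_ports"]))) or "no port"
        notes.append(f"peer {u['peer']} answered on UDP {reached} but {u['retransmits']} retransmits "
                     f"to UDP {u['dport']} went unanswered: make sure UDP {u['dport']} is open on "
                     f"both hosts, since _updown only adds rules after the CHILD_SA is up")
    return notes

# Constructed sample: the relevant lines of the post, condensed to a single retransmit.
SAMPLE_LOG = """\
Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table rule
sending packet: from 10.19.156.242[500] to 10.19.156.194[500]
received packet: from 10.19.156.194[500] to 10.19.156.242[500]
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
giving up after 5 retransmits""".splitlines()
```

Running `diagnose(triage_charon_log(SAMPLE_LOG))` yields one note for the EOPNOTSUPP (95) routing-rule failure and one pointing at UDP 4500 as the unanswered port.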