[strongSwan] On PPC: netlink error, unable to create IPv4 routing table rule

Aaron Zhang azhang at SonicWALL.com
Thu Apr 1 10:30:52 CEST 2010 

strongswan.conf:
charon {

        # number of worker threads in charon
        threads = 16

        # plugins to load in charon
        load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kk
ernel-netlink updown
}

kk
ernel-netlink may be kernel-netlink not kkernel-netlink




From: users-bounces+bzhang=sonicwall.com at lists.strongswan.org [mailto:users-bounces+bzhang=sonicwall.com at lists.strongswan.org] On Behalf Of MingM Xia
Sent: 2010年4月1日 14:43
To: users at lists.strongswan.org
Subject: [strongSwan] On PPC: netlink error, unable to create IPv4 routing table rule

Hi,

I'm Running strongSwan 4.3.6rc2 on 2 PPC hosts to accomplish IKEv2  using Charon (transport mode).

# uname -a
Linux hapWibbSc2 2.6.27.39 #5 SMP PREEMPT Fri Feb 26 18:33:03 CST 2010 ppc ppc ppc GNU/Linux


I met 2 issues:

1. There are some “netlink error" info:

Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not
supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table ruu
le
Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not
supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv6 routing table ruu
le
Feb 19 15:37:00 localhost charon: 00[LIB] plugin 'kernel-netlink': loaded success
sfully

2.
root#ipsec up host-host
initiating IKE_SA host-host[2] to 10.19.156.194
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.19.156.242[500] to 10.19.156.194[500]
received packet: from 10.19.156.194[500] to 10.19.156.242[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
authentication of '10.19.156.242' (myself) with pre-shared key
establishing CHILD_SA host-host
generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 1 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 2 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 3 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 4 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
retransmit 5 of request with message ID 1
sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
giving up after 5 retransmits
peer not responding, trying again (2/3)
root# netstat -nlp | grep 4500
udp        0      0 0.0.0.0:4500<http://0.0.0.0:4500>            0.0.0.0:*                          7698/charon
root# netstat -nlp | grep 500
udp        0      0 0.0.0.0:4500<http://0.0.0.0:4500>            0.0.0.0:*                          7698/charon
udp        0      0 0.0.0.0:500<http://0.0.0.0:500>             0.0.0.0:*                          7698/charon

I find it has something to do with my Firewall, when I disable the firewall for both hosts,  Child SA is created successfully even it's still with the “netlink error" mentioned above.


I'm kindly confused about "leftfirewall=yes" configuration and "charon.routing_table”,

About "left|rightfirewall=yes", I used to think, with this configuration, strongSwan will insert the rule to IPTABLES for the connection at the very beginning, obviously I'm wrong, from the log of successful case, I find the firewall script "_updown" is for CHILD SA, it will be implemented after CHILD SA set up, not at the very beginning.  So we still need to make sure the port used IKE is not blocked on both peers,  for IKE v2, by default,  there will be UDP port 500 and 4500, we need make sure our firewall open UDP port 500 and UDP port 4500, am I right?

About "charon.routing_table”,  is this by default enabled for IKEv2? I checked the code of  "kernel_netlink_net_create", the print of "netlink error" tells me "this->routing_table" is true, but actually I didn't configure it in strongswan.conf. I'm not so clear about the purpose of this "routing table",   anybody can give some explanation about this "routing table" purpose?  And  anybody have some idea with this "unable to create IPv4 routing table rule" on my PPC hosts?

It seems like even with this "unable to create IPv4 routing table rule", the IPsec (transport mode) works well on my 2 PPC hosts,  is there any potential failure I haven't realized with "netlink error" ?


ipsec.conf:
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        # plutostart=no
        plutostart=no
        plutodebug=all
        charonstart=yes
        charondebug="dmn 3,mgr 3,ike 3,chd 3,job 3,cfg 3,knl 3,net 3,enc 1,lib 3"

conn host-host-bcu3
        authby=psk
        left=10.19.156.194
        leftfirewall=yes
        right=10.19.156.242
        type=transport
        ike=aes128-sha256-modp2048!
        keyexchange=ikev2
        esp=aes128-sha256-modp2048!
        auto=add

strongswan.conf:
charon {

        # number of worker threads in charon
        threads = 16

        # plugins to load in charon
        load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kk
ernel-netlink updown
}


Best regards,

Mac
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100401/5cce09d6/attachment.html>

More information about the Users mailing list