[strongSwan] On PPC: netlink error, unable to create IPv4 routing table rule

MingM Xia macguffin.xia at gmail.com
Thu Apr 1 13:24:22 CEST 2010


Thanks for your reply, Aaron.

Since I log into these hosts from VNC, when I copied the screen out of the VNC
some strings got messed up (I have manually edited them, but it seems I didn't
correct them all), but I'm sure that is not an error. The plugins are loaded
successfully according to the log, and the CHILD SA is set up successfully; the
data transmitted between these 2 peers is also wrapped in the ESP protocol, so
it seems IPsec works well, but I'm not sure whether this "netlink error" is
absolutely harmless.

I checked the kernel module dependency info at
http://wiki.strongswan.org/wiki/1/KernelModules, and found that my hosts weren't
built with CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES; I wonder
whether this is the reason.

I grepped some info from the Internet which says that CONFIG_IP_ADVANCED_ROUTER
and CONFIG_IP_MULTIPLE_TABLES are for "Tunnel" mode, but if I'm not supposed to
support "Tunnel" mode and just wish to support "Transport" mode, do I still need
to build the kernel with CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES?
Is the "netlink error" caused by missing these modules?


2010/4/1 Aaron Zhang <azhang at sonicwall.com>

> strongswan.conf:
> charon {
>
>         # number of worker threads in charon
>         threads = 16
>
>         # plugins to load in charon
>         load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac
> stroke kk
> ernel-netlink updown
> }
>
> *From:* users-bounces+bzhang=sonicwall.com at lists.strongswan.org *On Behalf Of* MingM Xia
> *Sent:* 1 April 2010 14:43
> *To:* users at lists.strongswan.org
> *Subject:* [strongSwan] On PPC: netlink error, unable to create IPv4
> routing table rule
>
> Hi,
>
> I'm running strongSwan 4.3.6rc2 on 2 PPC hosts to accomplish IKEv2 using
> Charon (transport mode).
>
> # uname -a
> Linux hapWibbSc2 2.6.27.39 #5 SMP PREEMPT Fri Feb 26 18:33:03 CST 2010 ppc
> ppc ppc GNU/Linux
>
>
> I met 2 issues:
>
> 1. There are some "netlink error" messages:
>
> Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
> Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table rule
> Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
> Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv6 routing table rule
> Feb 19 15:37:00 localhost charon: 00[LIB] plugin 'kernel-netlink': loaded successfully
>
> 2.
> root# ipsec up host-host
> initiating IKE_SA host-host[2] to 10.19.156.194
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.19.156.242[500] to 10.19.156.194[500]
> received packet: from 10.19.156.194[500] to 10.19.156.242[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> authentication of '10.19.156.242' (myself) with pre-shared key
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr
> N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR)
> N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 1 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 2 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 3 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 4 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 5 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> giving up after 5 retransmits
> peer not responding, trying again (2/3)
> root# netstat -nlp | grep 4500
> udp        0      0 0.0.0.0:4500            0.0.0.0:*
> 7698/charon
> root# netstat -nlp | grep 500
> udp        0      0 0.0.0.0:4500            0.0.0.0:*
> 7698/charon
> udp        0      0 0.0.0.0:500             0.0.0.0:*
> 7698/charon
>
> I found that it has something to do with my firewall: when I disable the
> firewall on both hosts, the Child SA is created successfully, even though the
> "netlink error" mentioned above is still there.
>
>
> I'm kind of confused about the "leftfirewall=yes" configuration and
> "charon.routing_table".
>
> About "left|rightfirewall=yes": I used to think that with this configuration
> strongSwan would insert the rule into IPTABLES for the connection at the very
> beginning, but obviously I'm wrong; from the log of the successful case, I find
> that the firewall script "_updown" is for the CHILD SA and is run after the
> CHILD SA is set up, not at the very beginning. So we still need to make sure
> the ports used by IKE are not blocked on both peers; for IKEv2, by default,
> these are UDP port 500 and 4500, so we need to make sure our firewall opens UDP
> port 500 and UDP port 4500, am I right?
>
> About "charon.routing_table": is this enabled by default for IKEv2? I
> checked the code of "kernel_netlink_net_create"; the printing of "netlink
> error" tells me "this->routing_table" is true, but actually I didn't
> configure it in strongswan.conf. I'm not so clear about the purpose of this
> "routing table"; can anybody give some explanation of what this "routing
> table" is for? And does anybody have some idea about this "unable to create
> IPv4 routing table rule" on my PPC hosts?
>
> It seems like even with this "unable to create IPv4 routing table rule",
> IPsec (transport mode) works well on my 2 PPC hosts; is there any
> potential failure I haven't realized with the "netlink error"?
>
>
> ipsec.conf:
> config setup
>         # plutodebug=all
>         # crlcheckinterval=600
>         # strictcrlpolicy=yes
>         # cachecrls=yes
>         # nat_traversal=yes
>         # charonstart=no
>         # plutostart=no
>         plutostart=no
>         plutodebug=all
>         charonstart=yes
>         charondebug="dmn 3,mgr 3,ike 3,chd 3,job 3,cfg 3,knl 3,net 3,enc 1,lib 3"
>
> conn host-host-bcu3
>         authby=psk
>         left=10.19.156.194
>         leftfirewall=yes
>         right=10.19.156.242
>         type=transport
>         ike=aes128-sha256-modp2048!
>         keyexchange=ikev2
>         esp=aes128-sha256-modp2048!
>         auto=add
>
> strongswan.conf:
> charon {
>
>         # number of worker threads in charon
>         threads = 16
>
>         # plugins to load in charon
>         load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac
> stroke kk
> ernel-netlink updown
> }
>
>
> Best regards,
>
> Mac
>
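As an added example (not part of the thread, and not strongSwan's own tooling), a small POSIX shell script that does the two checks Mac's reply points at: which of the kernel options the cited wiki page names are absent from a kernel config, and which errno the "received netlink error" lines in charon's log carry (95 is EOPNOTSUPP, which is what a missing CONFIG_IP_MULTIPLE_TABLES produces for an RTM_NEWRULE request). The two extra options in the list (CONFIG_XFRM_USER, CONFIG_INET_ESP) and the sample config and log are my additions, constructed to match the thread's PPC host.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan). The first two options are the
# ones the wiki page cited above names; the other two are added from general
# knowledge (the kernel-netlink plugin needs CONFIG_XFRM_USER, ESP needs CONFIG_INET_ESP).
REQUIRED_OPTS="CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES CONFIG_XFRM_USER CONFIG_INET_ESP"

# Reads kernel config text on stdin (zcat /proc/config.gz, or /boot/config-$(uname -r))
# and prints each required option that is not built in (=y) or as a module (=m).
missing_kconfig() {
    awk -v req="$REQUIRED_OPTS" '
        BEGIN { n = split(req, want, " ") }
        /^CONFIG_[A-Z0-9_]+=[ym]$/ { sub(/=.*/, ""); have[$0] = 1 }
        END { for (i = 1; i <= n; i++) if (!(want[i] in have)) print want[i] }'
}

# Maps the Linux errno number charon prints in parentheses to its symbolic name.
errno_name() {
    case "$1" in
        1)  echo EPERM ;;
        3)  echo ESRCH ;;
        17) echo EEXIST ;;
        95) echo EOPNOTSUPP ;;
        *)  echo "errno_$1" ;;
    esac
}

# Reads a charon log on stdin; prints "<count> <errno> <name>" per distinct errno.
netlink_errors() {
    sed -n 's/.*received netlink error: .* (\([0-9][0-9]*\))$/\1/p' \
        | sort -n | uniq -c \
        | while read -r count code; do
              echo "$count $code $(errno_name "$code")"
          done
}

# Constructed sample input, modelled on the PPC host in the thread.
SAMPLE_KCONFIG='CONFIG_INET=y
# CONFIG_IP_ADVANCED_ROUTER is not set
# CONFIG_IP_MULTIPLE_TABLES is not set
CONFIG_XFRM_USER=m
CONFIG_INET_ESP=y'
SAMPLE_LOG='Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table rule
Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv6 routing table rule'

printf '%s\n' "$SAMPLE_KCONFIG" | missing_kconfig
printf '%s\n' "$SAMPLE_LOG" | netlink_errors
```

On a real host, pipe `zcat /proc/config.gz` into `missing_kconfig` and `grep charon /var/log/syslog` (or wherever charon logs) into `netlink_errors`; an empty first output with a non-empty second one means the routing-rule failure has a cause other than the kernel config.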