[strongSwan] ERROR: netlink response for Add SA esp.383251e8@10.19.156.242 included errno 93: Protocol not supported

MingM Xia macguffin.xia at gmail.com
Wed Apr 14 05:13:02 CEST 2010


I checked the kernel code used by my hosts; it is 2.6.27. It seems there is a
bug in this kernel version's source code when IPv6 is disabled on the hosts,
and it has been fixed in a later kernel version.

/net/xfrm/xfrm_state.c:

Function xfrm_init_state(), lines 2024 to 2035:

...
    inner_mode = xfrm_get_mode(x->props.mode, AF_INET);
    if (inner_mode == NULL)
        goto error;

    if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
        xfrm_put_mode(inner_mode);
        goto error;
    }

    inner_mode_iaf = xfrm_get_mode(x->props.mode, AF_INET6);
    if (inner_mode_iaf == NULL)
        goto error;
.....

On my hosts IPv6 is disabled, so inner_mode_iaf == NULL will be true and this
function will return an error.

The code has changed in the latest kernel version, 2.6.31, but I didn't find
the detailed patch info about this modification:
...
    inner_mode = xfrm_get_mode(x->props.mode, x->props.family);
    if (inner_mode == NULL)
        goto error;

    if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
        xfrm_put_mode(inner_mode);
        goto error;
    }
    x->inner_mode = inner_mode;

    if (x->props.family == AF_INET)
        iafamily = AF_INET6;

    inner_mode_iaf = xfrm_get_mode(x->props.mode, iafamily);
    if (inner_mode_iaf) {
        if (inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)
            x->inner_mode_iaf = inner_mode_iaf;
        else
            xfrm_put_mode(inner_mode_iaf);
    }
....

On Mon, Apr 12, 2010 at 5:38 PM, MingM Xia <macguffin.xia at gmail.com> wrote:

> Hi,
>
> I am trying to switch from "Racoon" to "strongSwan" on some PowerPC machines, and I get an
> "esp.5dd3baaa@10.19.156.194 included errno 93: Protocol not supported"
> netlink error in "tunnel mode" when strongSwan tries to build the CHILD SA.
> strongSwan's IKEv2 charon also has a similar problem on my machines in
> "tunnel" mode: on "add sa" the kernel returns "protocol not supported".
>
> I use the latest version of strongSwan, 4.3.6.
>
> ERROR: netlink response for Add SA esp.383251e8@10.19.156.242 included
> errno 93: Protocol not supported
>
> ....
> Apr 12 02:23:23 localhost pluto[25980]: | install_inbound_ipsec_sa()
> checking if we can route
> Apr 12 02:23:23 localhost pluto[25980]: | route owner of "host-host"
> unrouted: NULL; eroute owner: NULL
> Apr 12 02:23:23 localhost pluto[25980]: | kernel_alg_esp_info():transid=12,
> auth=2, ei=0x10086cc8, enckeylen=32, authkeylen=20, encryptalg=12, authalg=3
> Apr 12 02:23:23 localhost pluto[25980]: | configured authentication
> algorithm DES_MAC with key size 160
> Apr 12 02:23:23 localhost pluto[25980]: | configured esp encryption
> algorithm AES_CBC with key size 128
> Apr 12 02:23:23 localhost pluto[25980]: | req.p.mode = 1; req.p.family = 2; req.p.flags = 32; req.p.id.spi = 942821864; req.p.id.proto = 50; req.p.sel.family = 0; req.p.sel.proto = 0
> Apr 12 02:23:23 localhost pluto[25980]: "host-host" #2: ERROR: netlink response for Add SA esp.383251e8@10.19.156.242 included errno 93: Protocol not supported
> Apr 12 02:23:23 localhost pluto[25980]: | state transition function for
> STATE_QUICK_R0 had internal error
> Apr 12 02:23:23 localhost pluto[25980]: | next event EVENT_SO_DISCARD in 0
> seconds for #2
> Apr 12 02:23:23 localhost pluto[25980]: |
> Apr 12 02:23:23 localhost pluto[25980]: | *time to handle event
> Apr 12 02:23:23 localhost pluto[25980]: | event after this is
> EVENT_REINIT_SECRET in 3476 seconds
> Apr 12 02:23:23 localhost pluto[25980]: | ICOOKIE:  63 de a2 6a  57 3b ff
> bb
> Apr 12 02:23:23 localhost pluto[25980]: | RCOOKIE:  2d cb 1f a4  81 d6 ec
> 1e
> Apr 12 02:23:23 localhost pluto[25980]: | peer:  0a 13 9c c2
> Apr 12 02:23:23 localhost pluto[25980]: | state hash entry 8
> Apr 12 02:23:23 localhost pluto[25980]: | next event EVENT_REINIT_SECRET in
> 3476 seconds
> Apr 12 02:23:33 localhost pluto[25980]: |
> ...
>
> "Apr 12 02:23:23 localhost pluto[25980]: | req.p.mode = 1;
> req.p.family = 2;         req.p.flags = 32;             req.p.id.spi =
> 942821864;             req.p.id.proto = 50;         req.p.sel.family =
> 0;         req.p.sel.proto = 0" is something I print out before
> netlink_add_sa() try to  send_netlink_msg "add SA" to Kernel, the prarameter
> looks fine.
>
> I have no idea whether there are different kernel module requirements
> for "Racoon" and "strongSwan", but I'm sure "Racoon" works well in
> "tunnel mode" on those machines.
> Kernel configuration(network related):
> CONFIG_PACKET    y
> CONFIG_PACKET_MMAP    y
> CONFIG_UNIX    y
> CONFIG_XFRM    y
> CONFIG_XFRM_USER    y
> CONFIG_XFRM_SUB_POLICY    not set
> CONFIG_XFRM_MIGRATE    y
> CONFIG_XFRM_STATISTICS    not set
> CONFIG_XFRM_IPCOMP    y
> CONFIG_NET_KEY    y
> CONFIG_NET_KEY_MIGRATE    not set
> CONFIG_INTERPEAK    not set
> CONFIG_INET    y
> CONFIG_IP_MULTICAST    not set
> CONFIG_IP_ADVANCED_ROUTER    not set
> CONFIG_IP_FIB_HASH    y
> CONFIG_IP_PNP    y
> CONFIG_IP_PNP_DHCP    not set
> CONFIG_IP_PNP_BOOTP    not set
> CONFIG_IP_PNP_RARP    not set
> CONFIG_NET_IPIP    not set
> CONFIG_NET_IPGRE    y
> CONFIG_ARPD    not set
> CONFIG_SYN_COOKIES    y
> CONFIG_INET_AH    y
> CONFIG_INET_ESP    y
> CONFIG_INET_IPCOMP    y
> CONFIG_INET_XFRM_TUNNEL    y
> CONFIG_INET_TUNNEL    y
> CONFIG_IPSEC_NAT_TRAVERSAL    not set
> CONFIG_INET_XFRM_MODE_TRANSPORT    y
> CONFIG_INET_XFRM_MODE_TUNNEL    y
> CONFIG_INET_XFRM_MODE_BEET    y
> CONFIG_INET_LRO    not set
> CONFIG_INET_DIAG    not set
> CONFIG_TCP_CONG_ADVANCED    not set
> CONFIG_TCP_CONG_CUBIC    y
> CONFIG_DEFAULT_TCP_CONG    cubic
> CONFIG_TCP_MD5SIG    not set
> CONFIG_IP_VS    not set
> CONFIG_IPV6    not set
> CONFIG_NETLABEL    not set
> CONFIG_NETWORK_SECMARK    y
> CONFIG_NETFILTER    y
> CONFIG_NETFILTER_DEBUG    not set
> CONFIG_NETFILTER_ADVANCED    y
>
>
> "Racoon" works well with "tunnel mode" on those machines.
>
> root@hapWibbSc2:/etc# racoon -f racoon.conf.eric
> root@hapWibbSc2:/etc# setkey -f setkey.conf.eric
> root@hapWibbSc2:/etc# ping 10.19.156.194
> PING 10.19.156.194 (10.19.156.194) 56(84) bytes of data.
> 64 bytes from 10.19.156.194: icmp_seq=2 ttl=64 time=0.615 ms
> 64 bytes from 10.19.156.194: icmp_seq=3 ttl=64 time=0.457 ms
>
> --- 10.19.156.194 ping statistics ---
> 3 packets transmitted, 2 received, 33% packet loss, time 2956ms
> rtt min/avg/max/mdev = 0.457/0.536/0.615/0.079 ms
> root@hapWibbSc2:/etc#
> root@hapWibbSc2:/etc# setkey -D
> 10.19.156.194 10.19.156.242
>         esp mode=tunnel spi=136801471(0x08276cbf) reqid=0(0x00000000)
>         E: aes-cbc  c5e0faea b1073d16 d6d12bdb 193e7cd2
>         A: hmac-sha1  d3025a94 b3e1dee2 9b6db08d d6136242 4f4cbf77
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Mar  1 18:50:20 2000   current: Mar  1 18:50:30 2000
>         diff: 10(s)     hard: 28800(s)  soft: 23040(s)
>         last: Mar  1 18:50:21 2000      hard: 0(s)      soft: 0(s)
>         current: 168(bytes)     hard: 0(bytes)  soft: 0(bytes)
>         allocated: 2    hard: 0 soft: 0
>         sadb_seq=1 pid=25939 refcnt=0
> 10.19.156.242 10.19.156.194
>         esp mode=tunnel spi=240066640(0x0e4f2050) reqid=0(0x00000000)
>         E: aes-cbc  7336dbd0 ff041a4d c339915f 27f29a75
>         A: hmac-sha1  d24d61d1 3ae183a4 01bfc0c4 4310534f 93bbb833
>         seq=0x00000000 replay=4 flags=0x00000000 state=mature
>         created: Mar  1 18:50:20 2000   current: Mar  1 18:50:30 2000
>         diff: 10(s)     hard: 28800(s)  soft: 23040(s)
>         last: Mar  1 18:50:20 2000      hard: 0(s)      soft: 0(s)
>         current: 252(bytes)     hard: 0(bytes)  soft: 0(bytes)
>         allocated: 3    hard: 0 soft: 0
>         sadb_seq=0 pid=25939 refcnt=0
>
>
>
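The two xfrm_init_state() excerpts above differ in one branch, and that branch is what turns a missing AF_INET6 tunnel mode into errno 93. What follows is an added example, not code from the poster, the kernel or strongSwan: a user-space C model of both versions, with a toy mode registry and reference counter standing in for the kernel's mode table and module references. Everything beyond the quoted lines is assumed: the has_v6 switch that models "CONFIG_IPV6 not set", the initial value of iafamily (elided in the 2.6.31 excerpt), what the 2.6.27 code does after its checks (elided in that excerpt; the model simply stores both modes), and the try_add_sa() driver, which submits a tunnel-mode state with req.p.family = 2 as in the pluto trace. The model also makes a second property of the quoted 2.6.27 error path visible: when the AF_INET6 lookup fails it jumps to error without an xfrm_put_mode(inner_mode), so the reference already taken on the AF_INET mode is never dropped, and the leaked_refs field counts that.

```c
/* Added illustration, not kernel code: a user-space model of the two xfrm_init_state()
 * inner-mode lookups quoted above; registry and refcounts stand in for the kernel's. */
#include <errno.h>
#include <stdio.h>

#define AF_INET  2
#define AF_INET6 10
#define XFRM_MODE_TUNNEL      1   /* XFRM_MODE_TRANSPORT is 0 */
#define XFRM_MODE_FLAG_TUNNEL 1

struct xfrm_mode { unsigned flags; int refcnt; };
/* modes[0] = AF_INET, modes[1] = AF_INET6; has_v6 == 0 is "CONFIG_IPV6 not set" */
struct mode_registry { struct xfrm_mode modes[2][2]; int has_v6; };
struct xfrm_state { int props_mode, props_family; struct xfrm_mode *inner_mode, *inner_mode_iaf; };

static struct xfrm_mode *xfrm_get_mode(struct mode_registry *r, int mode, int family)
{
    int fi = (family == AF_INET) ? 0 : 1;
    if (fi && !r->has_v6)
        return NULL;              /* AF_INET6 modes were never built in */
    r->modes[fi][mode].refcnt++;  /* models the module reference the kernel takes */
    return &r->modes[fi][mode];
}
static void xfrm_put_mode(struct xfrm_mode *m) { m->refcnt--; }

/* 2.6.27 flow as quoted: AF_INET6 tunnel mode is mandatory (tail elided on the page). */
static int init_state_2_6_27(struct mode_registry *r, struct xfrm_state *x)
{
    struct xfrm_mode *inner_mode, *inner_mode_iaf;
    inner_mode = xfrm_get_mode(r, x->props_mode, AF_INET);
    if (inner_mode == NULL) goto error;
    if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
        xfrm_put_mode(inner_mode);
        goto error;
    }
    inner_mode_iaf = xfrm_get_mode(r, x->props_mode, AF_INET6);
    if (inner_mode_iaf == NULL)
        goto error;               /* as quoted: inner_mode is still held here */
    x->inner_mode = inner_mode;   /* model's stand-in for the elided tail */
    x->inner_mode_iaf = inner_mode_iaf;
    return 0;
error:
    return -EPROTONOSUPPORT;      /* errno 93 on Linux */
}

/* 2.6.31 flow as quoted: the other family's tunnel mode is optional. */
static int init_state_2_6_31(struct mode_registry *r, struct xfrm_state *x)
{
    struct xfrm_mode *inner_mode, *inner_mode_iaf;
    int iafamily = AF_INET;       /* initial value elided on the page; assumed */
    inner_mode = xfrm_get_mode(r, x->props_mode, x->props_family);
    if (inner_mode == NULL) goto error;
    if (!(inner_mode->flags & XFRM_MODE_FLAG_TUNNEL)) {
        xfrm_put_mode(inner_mode);
        goto error;
    }
    x->inner_mode = inner_mode;
    if (x->props_family == AF_INET) iafamily = AF_INET6;
    inner_mode_iaf = xfrm_get_mode(r, x->props_mode, iafamily);
    if (inner_mode_iaf) {
        if (inner_mode_iaf->flags & XFRM_MODE_FLAG_TUNNEL)
            x->inner_mode_iaf = inner_mode_iaf;
        else
            xfrm_put_mode(inner_mode_iaf);
    }
    return 0;
error:
    return -EPROTONOSUPPORT;
}

/* err: 0 or -EPROTONOSUPPORT; has_iaf: inner_mode_iaf set; leaked_refs: refs nobody holds */
struct outcome { int err, has_iaf, leaked_refs; };

/* One "Add SA" with the family pluto sent (req.p.family = 2, i.e. AF_INET). */
static struct outcome try_add_sa(int fixed_kernel, int has_v6, int mode)
{
    struct mode_registry r = {{{{0, 0}, {XFRM_MODE_FLAG_TUNNEL, 0}},
                              {{0, 0}, {XFRM_MODE_FLAG_TUNNEL, 0}}}, has_v6};
    struct xfrm_state x = { mode, AF_INET, NULL, NULL };
    struct outcome o;
    o.err = fixed_kernel ? init_state_2_6_31(&r, &x) : init_state_2_6_27(&r, &x);
    o.has_iaf = x.inner_mode_iaf != NULL;
    /* references the state legitimately holds are subtracted; the rest are leaked */
    o.leaked_refs = -((x.inner_mode != NULL) + (x.inner_mode_iaf != NULL));
    for (int f = 0; f < 2; f++)
        for (int m = 0; m < 2; m++)
            o.leaked_refs += r.modes[f][m].refcnt;
    return o;
}

int main(void)
{
    for (int k = 0; k < 2; k++) for (int v6 = 0; v6 < 2; v6++) {
        struct outcome o = try_add_sa(k, v6, XFRM_MODE_TUNNEL);
        printf("2.6.%d CONFIG_IPV6=%c: err=%d iaf=%d leaked_refs=%d\n",
               k ? 31 : 27, v6 ? 'y' : 'n', o.err, o.has_iaf, o.leaked_refs);
    }
    return 0;
}
```

Compiled and run as-is, it prints one line per (kernel flow, CONFIG_IPV6) combination: only the 2.6.27 flow with IPv6 absent fails, and that is also the only combination that leaves a reference behind. A state whose mode lacks XFRM_MODE_FLAG_TUNNEL is rejected by the quoted checks in both flows with its reference released. The model covers only the quoted lines; the rest of xfrm_init_state(), including whatever path the PF_KEY route used by racoon/setkey takes, is not on the page and is not modelled.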