[strongSwan] received netlink error: No such file or directory

Barry G mr.scada at gmail.com
Tue Feb 15 21:56:53 CET 2011


Hello,

In November of 2008 I had an issue with strongSwan
being unable to add SAD entries in my IPv4-only kernel.
Martin made me a snazzy patch that fixed all my woes:
(https://lists.strongswan.org/pipermail/users/2008-November/002925.html)

I just upgraded from strongSwan 4.3.4 to 4.5.1 and my issue
is back.  I did not upgrade the kernel (we are running 2.6.29.3).

When I try to bring the connections up I get the output at the end
of this email.

I have everything we need to do IPsec connections in the kernel
(since it worked great with strongSwan 4.3.4).  I do not have IPv6 turned
on in the kernel since we are trying to keep things small and limit
our attack surface.

I modified the patch Martin gave me in 2008 to be as follows:
diff -Nauwr strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
--- strongswan.orig/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c	2011-02-14
14:43:24.000000000 -0800
+++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c	2011-02-15
11:00:10.000000000 -0800
@@ -916,9 +916,6 @@
 	sa->mode = mode2kernel(mode);
 	switch (mode)
 	{
-		case MODE_TUNNEL:
-			sa->flags |= XFRM_STATE_AF_UNSPEC;
-			break;
 		case MODE_BEET:
 		case MODE_TRANSPORT:
 			if(src_ts && dst_ts)
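Review bot: the hunk deletes the whole `case MODE_TUNNEL:` arm rather than only the `sa->flags |= XFRM_STATE_AF_UNSPEC;` line, so tunnel mode now matches no case at all; that is only equivalent to "do nothing" if the switch has no `default:` arm further down, which the hunk does not show. Keeping `case MODE_TUNNEL:` with a bare `break;` makes the intent explicit and is safe either way. Also worth checking before applying this: the failures in the output below are "No such file or directory (2)" on the SA add, not the "Address family not supported by protocol (97)" seen for the IPv6 routing rule, so the flag this hunk removes may not be what the kernel is rejecting.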

I applied this patch, recompiled, and I get the same output.

Is IPv6 now required?  If not, thoughts on what I can do to fix this?

Thanks!

Barry



Output follows (charon KNL debug of 2):
# ipsec start --nofork
Starting strongSwan 4.5.1 IPsec [starter]...
00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.1)
00[KNL] listening on interfaces:
00[KNL]   eth0
00[KNL]     10.201.98.1
00[KNL]   eth1
00[KNL]     192.168.1.1
00[KNL]   eth2
00[KNL]     10.203.42.1
00[KNL] received netlink error: Address family not supported by protocol (97)
00[KNL] unable to create IPv6 routing table rule
00[NET] unable to create raw socket: Address family not supported by protocol
00[NET] could not open IPv6 receive socket, IPv6 disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for 192.168.1.1 192.168.1.2
00[DMN] loaded plugins: curl aes des sha1 sha2 md5 random x509 revocation constraints pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updow
00[JOB] spawning 16 worker threads
charon (2273) started after 40 ms
04[CFG] received stroke: add connection 'host-host-1'
04[KNL] getting interface name for 192.168.1.2
04[KNL] 192.168.1.2 is not a local address
04[KNL] getting interface name for 192.168.1.1
04[KNL] 192.168.1.1 is on interface eth1
04[CFG] added configuration 'host-host-1'
04[CFG] received stroke: add connection 'net-net-1-2-1'
04[KNL] getting interface name for 192.168.1.2
04[KNL] 192.168.1.2 is not a local address
04[KNL] getting interface name for 192.168.1.1
04[KNL] 192.168.1.1 is on interface eth1
04[CFG] added child to existing configuration 'host-host-1'
07[CFG] received stroke: add connection 'net-host-1-2'
07[KNL] getting interface name for 192.168.1.2
07[KNL] 192.168.1.2 is not a local address
07[KNL] getting interface name for 192.168.1.1
07[KNL] 192.168.1.1 is on interface eth1
07[CFG] added child to existing configuration 'host-host-1'
08[CFG] received stroke: add connection 'host-net-1-1'
08[KNL] getting interface name for 192.168.1.2
08[KNL] 192.168.1.2 is not a local address
08[KNL] getting interface name for 192.168.1.1
08[KNL] 192.168.1.1 is on interface eth1
08[CFG] added child to existing configuration 'host-host-1'
11[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[IKE] 192.168.1.2 is initiating an IKE_SA
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
11[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
12[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
12[ENC] parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
12[CFG] looking for peer configs matching 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
12[CFG] selected peer config 'host-host-1'
12[IKE] authentication of '192.168.1.2' with pre-shared key successful
12[IKE] authentication of '192.168.1.1' (myself) with pre-shared key
12[IKE] IKE_SA host-host-1[1] established between 192.168.1.1[192.168.1.1]...192.168.1.2[192.168.1.2]
12[IKE] scheduling reauthentication in 10063s
12[IKE] maximum IKE_SA lifetime 10603s
12[KNL] getting SPI for reqid {1}
12[KNL] got SPI cd1262dd for reqid {1}
12[KNL] adding SAD entry with SPI cd1262dd and reqid {1}
12[KNL]   using encryption algorithm AES_CBC with key size 256
12[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
12[KNL] received netlink error: No such file or directory (2)
12[KNL] unable to add SAD entry with SPI cd1262dd
12[KNL] adding SAD entry with SPI c645dde3 and reqid {1}
12[KNL]   using encryption algorithm AES_CBC with key size 256
12[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
12[KNL] received netlink error: No such file or directory (2)
12[KNL] unable to add SAD entry with SPI c645dde3
12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
12[KNL] deleting SAD entry with SPI cd1262dd
12[KNL] deleted SAD entry with SPI cd1262dd
12[KNL] deleting SAD entry with SPI c645dde3
12[KNL] received netlink error: No such process (3)
12[KNL] unable to delete SAD entry with SPI c645dde3
12[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(NO_PROP) ]
12[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
13[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
13[ENC] parsed CREATE_CHILD_SA request 2 [ SA No KE TSi TSr ]
13[KNL] getting SPI for reqid {2}
13[KNL] got SPI ca6f5702 for reqid {2}
13[KNL] adding SAD entry with SPI ca6f5702 and reqid {2}
13[KNL]   using encryption algorithm AES_CBC with key size 256
13[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
13[KNL] received netlink error: No such file or directory (2)
13[KNL] unable to add SAD entry with SPI ca6f5702
13[KNL] adding SAD entry with SPI c6739de2 and reqid {2}
13[KNL]   using encryption algorithm AES_CBC with key size 256
13[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
13[KNL] received netlink error: No such file or directory (2)
13[KNL] unable to add SAD entry with SPI c6739de2
13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
13[KNL] deleting SAD entry with SPI ca6f5702
13[KNL] deleted SAD entry with SPI ca6f5702
13[KNL] deleting SAD entry with SPI c6739de2
13[KNL] received netlink error: No such process (3)
13[KNL] unable to delete SAD entry with SPI c6739de2
13[ENC] generating CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
13[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
14[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
14[ENC] parsed CREATE_CHILD_SA request 3 [ SA No KE TSi TSr ]
14[KNL] getting SPI for reqid {3}
14[KNL] got SPI c54a2cc9 for reqid {3}
14[KNL] adding SAD entry with SPI c54a2cc9 and reqid {3}
14[KNL]   using encryption algorithm AES_CBC with key size 256
14[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
14[KNL] received netlink error: No such file or directory (2)
14[KNL] unable to add SAD entry with SPI c54a2cc9
14[KNL] adding SAD entry with SPI c4323ca4 and reqid {3}
14[KNL]   using encryption algorithm AES_CBC with key size 256
14[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
14[KNL] received netlink error: No such file or directory (2)
14[KNL] unable to add SAD entry with SPI c4323ca4
14[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
14[KNL] deleting SAD entry with SPI c54a2cc9
14[KNL] deleted SAD entry with SPI c54a2cc9
14[KNL] deleting SAD entry with SPI c4323ca4
14[KNL] received netlink error: No such process (3)
14[KNL] unable to delete SAD entry with SPI c4323ca4
14[ENC] generating CREATE_CHILD_SA response 3 [ N(NO_PROP) ]
14[NET] sending packet: from 192.168.1.1[500] to 192.168.1.2[500]
15[NET] received packet: from 192.168.1.2[500] to 192.168.1.1[500]
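A small triage helper for charon KNL output like the log above, added here as an example and not part of the original thread or of strongSwan: it correlates each "adding SAD entry" with the netlink errno that follows it, per charon thread id, so the failing SPIs, the requested algorithms and the errno can be pulled out of a long log instead of read by eye. The sample lines are constructed in the same format as the report; the function names are my own. Requires Python 3.8+ for the `:=` operator.

```python
import re

# Constructed sample in the charon "NN[KNL] ..." format of the report above
# (thread ids interleaved on purpose; the delete failure must not be counted).
SAMPLE_LOG = """\
12[KNL] adding SAD entry with SPI cd1262dd and reqid {1}
12[KNL]   using encryption algorithm AES_CBC with key size 256
13[KNL] adding SAD entry with SPI ca6f5702 and reqid {2}
12[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
12[KNL] received netlink error: No such file or directory (2)
13[KNL] received netlink error: No such file or directory (2)
12[KNL] unable to add SAD entry with SPI cd1262dd
13[KNL] unable to add SAD entry with SPI ca6f5702
12[KNL] deleting SAD entry with SPI c645dde3
12[KNL] received netlink error: No such process (3)
12[KNL] unable to delete SAD entry with SPI c645dde3
"""

LINE = re.compile(r"^(?P<tid>\d+)\[(?P<grp>[A-Z]+)\]\s+(?P<msg>.*)$")
ADD = re.compile(r"adding SAD entry with SPI (?P<spi>[0-9a-f]+) and reqid \{(?P<reqid>\d+)\}")
ALGO = re.compile(r"using (?P<kind>encryption|integrity) algorithm (?P<name>\S+) with key size (?P<bits>\d+)")
NLERR = re.compile(r"received netlink error: (?P<text>.+) \((?P<errno>\d+)\)")
FAIL = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")

def sad_failures(log_text):
    """One dict per SAD entry the kernel refused: SPI, reqid, requested
    algorithms and the errno from the XFRM netlink reply, correlated per thread."""
    pending, last_err, failures = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m["grp"] != "KNL":
            continue
        tid, msg = m["tid"], m["msg"]
        if (a := ADD.search(msg)):
            pending[tid] = {"spi": a["spi"], "reqid": int(a["reqid"]), "algs": {}}
        elif (a := ALGO.search(msg)) and tid in pending:
            pending[tid]["algs"][a["kind"]] = (a["name"], int(a["bits"]))
        elif (e := NLERR.search(msg)):
            last_err[tid] = (int(e["errno"]), e["text"])
        elif (f := FAIL.search(msg)):
            entry = pending.pop(tid, None)
            if entry and entry["spi"] == f["spi"]:
                entry["errno"], entry["error"] = last_err.get(tid, (None, None))
                failures.append(entry)
    return failures

if __name__ == "__main__":
    for f in sad_failures(SAMPLE_LOG):
        print(f)
```

Run it over a full `ipsec start --nofork` capture and a single repeated errno (here 2, ENOENT, on every add) points at one root cause rather than at the individual connections.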