[strongSwan] received netlink error: No such file or directory
Andreas Steffen
andreas.steffen at strongswan.org
Thu Feb 17 22:47:46 CET 2011
Hello Barry,
if you have an old Linux kernel then just define
esp=aes128-sha256_96
and everything will be fine.
Regards
Andreas
On 02/17/2011 10:41 PM, Barry G wrote:
> Martin,
>
>> From whatever source this digest_null comes from, it is completely
>> wrong. I'm in doubt that it comes from the IKE daemon.
>
> Correct
>
>> I'd suggest to check if the algorithm negotiation works as expected, and
>> if so, if the algorithms arrive in kernel XFRM with the correct strings
>> before the aead wrapper gets constructed.
>
> Thanks for your help. I checked into the algorithm selection thing
> but it hasn't changed.
>
> I did some playing and found the following on both client
> and server with the broken (4.5.1) strongswan build:
> 07[KNL] Adding SAD entry with SPI c6fd223a and reqid {1}
> 07[KNL] using encryption algorithm AES_CBC with key size 128
> 07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
> 07[KNL] sending XFRM_MSG_UPDSA: => 436 bytes @ 0x4b82f43c
> 07[KNL] 0: 00 00 01 B4 00 1A 00 05 00 00 00 CA 00 00 05 B6 ................
> 07[KNL] 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 64: 00 00 00 00 00 00 00 00 C0 A8 01 01 00 00 00 00 ................
> 07[KNL] 80: 00 00 00 00 00 00 00 00 C6 FD 22 3A 32 00 00 00 ..........":2...
> 07[KNL] 96: C0 A8 01 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> 07[KNL] 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> 07[KNL] 144: 00 00 00 00 00 00 0B 95 00 00 00 00 00 00 0E 10 ................
> 07[KNL] 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 224: 00 00 00 01 00 02 01 20 00 00 00 00 00 00 00 00 ....... ........
> 07[KNL] 240: 00 58 00 02 61 65 73 00 00 00 00 00 00 00 00 00 .X..aes.........
> 07[KNL] 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 304: 00 00 00 00 00 00 00 80 2B F2 32 E7 FD 3E F7 C7 ........+.2..>..
> 07[KNL] 320: 4B 28 E9 8B D3 76 70 D4 00 6C 00 14 68 6D 61 63 K(...vp..l..hmac
> 07[KNL] 336: 28 73 68 61 32 35 36 29 00 00 00 00 00 00 00 00 (sha256)........
> 07[KNL] 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 07[KNL] 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 ................
> 07[KNL] 400: 00 00 00 80 6B E7 E3 7B C0 00 41 34 F1 97 BB 22 ....k..{..A4..."
> 07[KNL] 416: AF BA 85 C3 DF 44 6B D8 ED C6 EC 39 9B 44 7D C8 .....Dk....9.D}.
> 07[KNL] 432: D3 04 C4 84 ....
> 07[KNL] received netlink error: No such file or directory (2)
>
> I tracked the problem down to the 0x14 (byte 331 (rta_type for the int_alg))
> of the packet.
>
> When strongSwan sends the struct nlmsghdr into the kernel via
> the netlink socket, it either has an auth payload of xfrm_algo_auth
> or xfrm_algo based on changes to kernel_netlink_ipsec.c. Unfortunately,
> my old kernel doesn't know about the XFRMA_ALG_AUTH_TRUNC type. As
> such, when my kernel looked up that dude it didn't find it. This
> resulted in the struct nlattrs **attrs parameter to xfrm_add_sa
> having a NULL value in attrs[XFRMA_ALG_AUTH]. This NULL value results
> in digest_null in esp_init_authenc. Applying the following
> patch "fixed" it for me:
> --- strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c@@/main/LATEST
> 2011-02-14 13:27:11.000000000 -0800
> +++ strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
> 2011-02-17 12:59:22.000000000 -0800
> @@ -1036,29 +1036,6 @@
> DBG2(DBG_KNL, " using integrity algorithm %N with key size %d",
> integrity_algorithm_names, int_alg, int_key.len * 8);
>
> - if (int_alg == AUTH_HMAC_SHA2_256_128)
> - {
> - struct xfrm_algo_auth* algo;
> -
> - /* the kernel uses SHA256 with 96 bit
> truncation by default,
> - * use specified truncation size supported by
> newer kernels */
> - rthdr->rta_type = XFRMA_ALG_AUTH_TRUNC;
> - rthdr->rta_len = RTA_LENGTH(sizeof(struct
> xfrm_algo_auth) + int_key.len);
> -
> - hdr->nlmsg_len += rthdr->rta_len;
> - if (hdr->nlmsg_len > sizeof(request))
> - {
> - return FAILED;
> - }
> -
> - algo = (struct xfrm_algo_auth*)RTA_DATA(rthdr);
> - algo->alg_key_len = int_key.len * 8;
> - algo->alg_trunc_len = 128;
> - strcpy(algo->alg_name, alg_name);
> - memcpy(algo->alg_key, int_key.ptr, int_key.len);
> - }
> - else
> - {
> struct xfrm_algo* algo;
>
> rthdr->rta_type = XFRMA_ALG_AUTH;
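Review bot: deleting the `int_alg == AUTH_HMAC_SHA2_256_128` branch sends that algorithm through the plain `XFRMA_ALG_AUTH` path, where, per the comment being removed, the kernel applies 96-bit truncation by default, while the DBG2 line just above still reports HMAC_SHA2_256_128 as the integrity algorithm. The SA installed in the kernel then no longer matches what was negotiated. Keep the branch and select between `XFRMA_ALG_AUTH_TRUNC` and `XFRMA_ALG_AUTH` according to what the running kernel accepts, or on kernels without the attribute negotiate the 96-bit variant (`esp=aes128-sha256_96`, as suggested in the reply above) so both layers agree on the truncation length.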
> @@ -1074,7 +1051,7 @@
> algo->alg_key_len = int_key.len * 8;
> strcpy(algo->alg_name, alg_name);
> memcpy(algo->alg_key, int_key.ptr, int_key.len);
> - }
> +
> rthdr = XFRM_RTA_NEXT(rthdr);
> }
>
>
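Review bot: the `+` line in this hunk replaces the else block's closing `}` with an empty line; remove the brace without adding a line. With the matching `else {` gone in the previous hunk, `struct xfrm_algo* algo;` is now declared after the DBG2 statement in the enclosing block, so either keep a bare `{ ... }` scope around the remaining body or move the declaration to the top of that block.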
> Obviously this isn't a good fix, as new kernels will be upset. For those of us
> running older kernels this is an issue. This patch allowed me to find
> the root cause.
>
> Any ideas how to fix this properly?
>
> Thanks for your help and guidance,
>
> Barry
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
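
Added example, not part of the original thread and not strongSwan code: a small C walker over a netlink attribute list that locates the integrity-algorithm attribute Barry traced in the dump and tells XFRMA_ALG_AUTH (1) apart from XFRMA_ALG_AUTH_TRUNC (20). The names `find_auth_attr` and `build_sample` and the 240-byte attribute offset read off the quoted dump are assumptions of this example; the sample message is constructed and carries no key material.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from enum xfrm_attr_type_t in <linux/xfrm.h>. */
enum { ALG_AUTH = 1, ALG_CRYPT = 2, ALG_AUTH_TRUNC = 20 };
/* Assumption: attributes follow 240 bytes of headers, as in the quoted dump. */
#define ATTRS_OFF 240u

/* Read a 16-bit field in the byte order of the host that wrote the message. */
static unsigned rd16(const uint8_t *p, int be)
{
    return be ? (unsigned)p[0] << 8 | p[1] : (unsigned)p[1] << 8 | p[0];
}

/* Walk the rtattr list in buf[off..len). Returns the type of the attribute
 * carrying the integrity algorithm and stores its offset in *at; returns 0
 * if there is none and -1 if an attribute header is truncated or invalid. */
int find_auth_attr(const uint8_t *buf, size_t len, size_t off, int be, size_t *at)
{
    if (off > len) return -1;
    while (off < len) {
        if (len - off < 4) return -1;
        unsigned rta_len = rd16(buf + off, be), rta_type = rd16(buf + off + 2, be);
        if (rta_len < 4 || rta_len > len - off) return -1;
        if (rta_type == ALG_AUTH || rta_type == ALG_AUTH_TRUNC) {
            *at = off;
            return (int)rta_type;
        }
        off += (rta_len + 3u) & ~3u;   /* same rounding as RTA_ALIGN */
    }
    return 0;
}

/* Constructed sample: zero-filled big-endian message (buf >= 512 bytes) with
 * only the two attribute headers set. 88 = rtattr + xfrm_algo + 16-byte key;
 * 108/104 = rtattr + xfrm_algo_auth/xfrm_algo + 32-byte key. */
size_t build_sample(uint8_t *buf, int trunc)
{
    size_t auth_len = trunc ? 108 : 104;
    memset(buf, 0, 512);
    buf[ATTRS_OFF + 1] = 88;
    buf[ATTRS_OFF + 3] = ALG_CRYPT;
    buf[ATTRS_OFF + 88 + 1] = (uint8_t)auth_len;
    buf[ATTRS_OFF + 88 + 3] = trunc ? ALG_AUTH_TRUNC : ALG_AUTH;
    return ATTRS_OFF + 88 + auth_len;
}

int main(void)
{
    uint8_t msg[512];
    size_t at = 0, len = build_sample(msg, 1);
    int type = find_auth_attr(msg, len, ATTRS_OFF, 1, &at);
    printf("auth attribute type %d at offset %zu\n", type, at);
    return 0;
}
```

A result of 20 means the request carries the attribute that Barry's older kernel does not recognize; the type field's low-order byte sits at offset 331 in the big-endian layout, matching the byte he singled out.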