[strongSwan] [KNL] received netlink error: Protocol not supported (93)

Francesco Frassinelli fraph24 at gmail.com
Sat Aug 17 14:12:02 CEST 2013


Hi all,
this is my first setup with strongSwan. I really would like to use it, it's
so interesting, and I've been trying to get it working since last week, but I
never succeeded.

I'm trying to connect 2 hosts together: one is a VPS server (CentOS 6.4,
x86_64, 2.6.32), the other one is a laptop behind NAT (Fedora 19, x86_64,
3.10.6). They are both using strongSwan 5.0.4 (epel and Fedora
repositories).

My keys are generated with this command:
# strongswan pki --gen --type rsa --size 4096 --out pem > ipsec.d/private/$key.key.pem

My certs are generated with this command:
# strongswan pki --self --type rsa --digest sha512 --in ipsec.d/private/$key.key.pem --outform pem --dn "C=IT, O=frafra.ch" --san "$key" > ipsec.d/certs/$key.pem

Here below you can find: logs (default logging level), configuration,
directory listing, and some checks regarding kernel configuration (default
VPS kernel).


Thanks in advance,
Francesco Frassinelli


# strongswan start --nofork # gateway/server
strongswan start --nofork
Starting strongSwan 5.0.4 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux
2.6.32-042stab076.8, x86_64)
00[LIB] plugin 'sqlite' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-sqlite.so: cannot open shared
object file: No such file or directory
00[LIB] openssl FIPS mode(0) - disabled
00[LIB] plugin 'eap-radius' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-eap-radius.so: cannot open
shared object file: No such file or directory
00[LIB] plugin 'eap-tnc' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-eap-tnc.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'tnc-imc' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-tnc-imc.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'tnc-imv' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'tnc-tnccs' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-tnc-tnccs.so: cannot open
shared object file: No such file or directory
00[LIB] plugin 'tnccs-20' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'tnccs-11' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-tnccs-11.so: cannot open shared
object file: No such file or directory
00[LIB] plugin 'tnccs-dynamic' failed to load:
/usr/lib64/strongswan/plugins/libstrongswan-tnccs-dynamic.so: cannot open
shared object file: No such file or directory
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/etc/strongswan/ipsec.d/private/frafra.ch.key.pem'
00[DMN] loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce
x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp
stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls
eap-peap xauth-generic xauth-eap dhcp
00[JOB] spawning 16 worker threads
charon (826) started after 60 ms
14[CFG] received stroke: add connection 'franetwork'
14[CFG]   loaded certificate "C=IT, O=frafra.ch" from 'frafra.ch.pem'
14[CFG]   loaded certificate "C=IT, O=frafra.ch" from 'frafra at calimero.pem'
14[CFG] added configuration 'franetwork'
15[NET] received packet: from 93.147.151.147[500] to 37.247.55.126[500]
(744 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 93.147.151.147 is initiating an IKE_SA
15[IKE] remote host is behind NAT
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) N(MULT_AUTH) ]
15[NET] sending packet: from 37.247.55.126[500] to 93.147.151.147[500] (440
bytes)
16[NET] received packet: from 93.147.151.147[4500] to 37.247.55.126[4500]
(892 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
16[CFG] looking for peer configs matching 37.247.55.126[frafra.ch
]...93.147.151.147[frafra at calimero]
16[CFG] selected peer config 'franetwork'
16[CFG]   using trusted certificate "C=IT, O=frafra.ch"
16[IKE] authentication of 'frafra at calimero' with RSA signature successful
16[IKE] peer supports MOBIKE
16[IKE] authentication of 'frafra.ch' (myself) with RSA signature successful
16[IKE] IKE_SA franetwork[1] established between 37.247.55.126[frafra.ch
]...93.147.151.147[frafra at calimero]
16[IKE] scheduling reauthentication in 9971s
16[IKE] maximum IKE_SA lifetime 10511s
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cc8f7f2d
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cf7be3c3
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
16[NET] sending packet: from 37.247.55.126[4500] to 93.147.151.147[4500]
(684 bytes)

# strongswan start --nofork # roadwarrior/client
Starting strongSwan 5.0.4 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux
3.10.6-200.fc19.x86_64, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loaded 0 RADIUS server configurations
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from
'/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG]   loaded RSA private key from
'/etc/strongswan/ipsec.d/private/frafra at calimero.key.pem'
00[TNC] loading IMCs from '/etc/tnc_config'
00[TNC] opening configuration file '/etc/tnc_config' failed: No such file
or directory
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] opening configuration file '/etc/tnc_config' failed: No such file
or directory
00[DMN] loaded plugins: charon curl sqlite aes des sha1 sha2 md4 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl
fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp
stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-imc tnc-imv tnc-tnccs
tnccs-20 tnccs-11 tnccs-dynamic dhcp
00[JOB] spawning 16 worker threads
charon (2956) started after 120 ms
05[CFG] received stroke: add connection 'franetwork'
05[CFG]   loaded certificate "C=IT, O=frafra.ch" from 'frafra at calimero.pem'
05[CFG]   loaded certificate "C=IT, O=frafra.ch" from 'frafra.ch.pem'
05[CFG] added configuration 'franetwork'
10[CFG] received stroke: initiate 'franetwork'
03[IKE] initiating IKE_SA franetwork[1] to 37.247.55.126
03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP)
N(NATD_D_IP) ]
03[NET] sending packet: from 192.168.0.25[500] to 37.247.55.126[500] (744
bytes)
02[NET] received packet: from 37.247.55.126[500] to 192.168.0.25[500] (440
bytes)
02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
02[IKE] local host is behind NAT, sending keep alives
02[IKE] authentication of 'frafra at calimero' (myself) with RSA signature
successful
02[IKE] establishing CHILD_SA franetwork
02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi
TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
02[NET] sending packet: from 192.168.0.25[4500] to 37.247.55.126[4500] (892
bytes)
01[NET] received packet: from 37.247.55.126[4500] to 192.168.0.25[4500]
(684 bytes)
01[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
01[CFG]   using trusted certificate "C=IT, O=frafra.ch"
01[IKE] authentication of 'frafra.ch' with RSA signature successful
01[IKE] IKE_SA franetwork[1] established between
192.168.0.25[frafra at calimero]...37.247.55.126[frafra.ch]
01[IKE] scheduling reauthentication in 10154s
01[IKE] maximum IKE_SA lifetime 10694s
01[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
01[IKE] failed to establish CHILD_SA, keeping IKE_SA
01[IKE] received AUTH_LIFETIME of 9971s, scheduling reauthentication in
9431s
01[IKE] peer supports MOBIKE
03[IKE] sending keep alive to 37.247.55.126[4500]

# strongswan up franetwork # roadwarrior/client
initiating IKE_SA franetwork[1] to 37.247.55.126
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.25[500] to 37.247.55.126[500] (744 bytes)
received packet: from 37.247.55.126[500] to 192.168.0.25[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of 'frafra at calimero' (myself) with RSA signature successful
establishing CHILD_SA franetwork
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.25[4500] to 37.247.55.126[4500] (892 bytes)
received packet: from 37.247.55.126[4500] to 192.168.0.25[4500] (684 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
  using trusted certificate "C=IT, O=frafra.ch"
authentication of 'frafra.ch' with RSA signature successful
IKE_SA franetwork[1] established between 192.168.0.25[frafra at calimero
]...37.247.55.126[frafra.ch]
scheduling reauthentication in 10154s
maximum IKE_SA lifetime 10694s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'franetwork' failed

# grep -Pv '^\W*#' ipsec.conf # gateway/server
config setup

conn franetwork
    keyingtries=1
    keyexchange=ikev2
    left=frafra.ch
    leftsubnet=37.247.55.126/32
    leftcert=frafra.ch.pem
    leftid=@frafra.ch
    right=%any
    rightsubnet=192.168.0.25/16
    rightcert=frafra at calimero.pem
    rightid=frafra at calimero
    auto=add

# grep -Pv '^\W*#' ipsec.conf # roadwarrior/client
config setup

conn franetwork
    keyingtries=1
    keyexchange=ikev2
    left=192.168.0.25
    leftsubnet=192.168.0.25/16
    leftcert=frafra at calimero.pem
    leftid=frafra at calimero
    leftfirewall=yes
    right=frafra.ch
    rightsubnet=37.247.55.126/32
    rightcert=frafra.ch.pem
    rightid=@frafra.ch
    auto=add

# ls -R /etc/strongswan/ | grep -v ^$ # gateway/server
/etc/strongswan/:
ipsec.conf
ipsec.d
ipsec.secrets
strongswan.conf
/etc/strongswan/ipsec.d:
aacerts
acerts
cacerts
certs
crls
ocspcerts
private
reqs
/etc/strongswan/ipsec.d/aacerts:
/etc/strongswan/ipsec.d/acerts:
/etc/strongswan/ipsec.d/cacerts:
/etc/strongswan/ipsec.d/certs:
frafra at calimero.pem
frafra.ch.pem
/etc/strongswan/ipsec.d/crls:
/etc/strongswan/ipsec.d/ocspcerts:
/etc/strongswan/ipsec.d/private:
frafra.ch.key.pem
/etc/strongswan/ipsec.d/reqs:

# ls -R /etc/strongswan/ | grep -v ^$ # roadwarrior/client
/etc/strongswan/:
ipsec.conf
ipsec.d
ipsec.secrets
strongswan.conf
/etc/strongswan/ipsec.d:
aacerts
acerts
cacerts
certs
crls
ocspcerts
private
reqs
/etc/strongswan/ipsec.d/aacerts:
/etc/strongswan/ipsec.d/acerts:
/etc/strongswan/ipsec.d/cacerts:
/etc/strongswan/ipsec.d/certs:
frafra at calimero.pem
frafra.ch.pem
/etc/strongswan/ipsec.d/crls:
/etc/strongswan/ipsec.d/ocspcerts:
/etc/strongswan/ipsec.d/private:
frafra at calimero.key.pem
/etc/strongswan/ipsec.d/reqs:

# bash test.sh /boot/config-2.6.32-358.14.1.el6.x86_64 # script derived from http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
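
A triage sketch for the gateway log above, added here as an example and not part of the original post or of strongSwan: it separates the IKE phase from the kernel SA installation that returned netlink error 93, and checks whether the config file passed to test.sh is named for the kernel release charon reported. The function names are hypothetical; the log lines are copied from the post with the mail line-wrapping undone.

```python
import re

# Gateway log lines copied from the post, with mail line-wrapping undone.
SAMPLE_LOG = """\
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-042stab076.8, x86_64)
16[IKE] IKE_SA franetwork[1] established between 37.247.55.126[frafra.ch]...93.147.151.147[frafra at calimero]
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cc8f7f2d
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cf7be3c3
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""
CHECKED_CONFIG = "/boot/config-2.6.32-358.14.1.el6.x86_64"  # file passed to test.sh in the post
LINE = re.compile(r"^\d+\[(\w+)\]\s+(.*)$")  # "<thread>[<GROUP>] <message>"

def triage(log_text):
    """Split a charon log into IKE-phase and kernel-phase findings."""
    r = {"kernel": None, "ike_sa_up": False, "netlink_errnos": [],
         "failed_spis": [], "child_sa_failed": False}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # starter output and wrapped continuation lines
        group, msg = m.groups()
        if group == "DMN" and (k := re.search(r"Linux (\S+),", msg)):
            r["kernel"] = k.group(1)  # kernel release as printed by charon
        elif group == "IKE" and re.search(r"IKE_SA \S+ established", msg):
            r["ike_sa_up"] = True
        elif group == "KNL" and (e := re.search(r"netlink error: .* \((\d+)\)$", msg)):
            r["netlink_errnos"].append(int(e.group(1)))  # 93 is EPROTONOSUPPORT on Linux
        elif group == "KNL" and (s := re.search(r"SAD entry with SPI ([0-9a-f]+)", msg)):
            r["failed_spis"].append(s.group(1))
        elif group == "IKE" and "failed to establish CHILD_SA" in msg:
            r["child_sa_failed"] = True
    return r

def failing_layer(r):
    """Which layer failed: 'ike', the local 'kernel' IPsec stack, or 'child_sa_negotiation'."""
    if not r["ike_sa_up"]:
        return "ike"
    if not r["child_sa_failed"]:
        return "none"
    return "kernel" if r["netlink_errnos"] else "child_sa_negotiation"

def config_is_for_running_kernel(config_path, kernel_release):
    """True only if /boot/config-<release> names the release charon reported."""
    return config_path.rsplit("/", 1)[-1] == "config-" + kernel_release

if __name__ == "__main__":
    print(failing_layer(triage(SAMPLE_LOG)))
```

On the sample lines the failing layer is the kernel, and the config file checked with test.sh is named for release 2.6.32-358.14.1.el6.x86_64 while the log reports 2.6.32-042stab076.8.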