[strongSwan] [KNL] received netlink error: Protocol not supported (93)
Paton, Andy
andy.paton at hp.com
Sat Aug 17 17:24:47 CEST 2013
Can you post your strongswan.conf file please?
--
Andrew Paton
On 17 Aug 2013, at 13:12, "Francesco Frassinelli" <fraph24 at gmail.com<mailto:fraph24 at gmail.com>> wrote:
Hi all,
this is my first setup with strongSwan. I really would like to use it, it's so interensting, and I'm trying to get it working since last week, but I never succeeded.
I'm trying to connect 2 hosts together: one is a VPS server (CentOS 6.4, x86_64, 2.6.32), the other one is a laptop behind NAT (Fedora 19, x86_64, 3.10.6). They are both using strongSwan 5.0.4 (epel and Fedora repositories).
My keys are generated with this command:
# strongswan pki --gen --type rsa --size 4096 --out pem > ipsec.d/private/$key.key.pem
My certs are generated withi this command:
# strongswan pki --self --type rsa --digest sha512 --in ipsec.d/private/$key.key.pem --outform pem --dn "C=IT, O=frafra.ch<http://frafra.ch>" --san "$key" > ipsec.d/certs/$key.pem
Here below you can find: logs (default logging level), configuration, directory listing, and some checks regarding kernel configuration (default VPS kernel).
Thanks in advance,
Francesco Frassinelli
# strongswan start --nofork # gateway/server
strongswan start --nofork
Starting strongSwan 5.0.4 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 2.6.32-042stab076.8, x86_64)
00[LIB] plugin 'sqlite' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-sqlite.so: cannot open shared object file: No such file or directory
00[LIB] openssl FIPS mode(0) - disabled
00[LIB] plugin 'eap-radius' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-radius.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'eap-tnc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-eap-tnc.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'tnc-imc' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imc.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'tnc-imv' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-imv.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'tnc-tnccs' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnc-tnccs.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'tnccs-20' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-20.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'tnccs-11' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-11.so: cannot open shared object file: No such file or directory
00[LIB] plugin 'tnccs-dynamic' failed to load: /usr/lib64/strongswan/plugins/libstrongswan-tnccs-dynamic.so: cannot open shared object file: No such file or directory
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/frafra.ch.key.pem'
00[DMN] loaded plugins: charon curl aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap dhcp
00[JOB] spawning 16 worker threads
charon (826) started after 60 ms
14[CFG] received stroke: add connection 'franetwork'
14[CFG] loaded certificate "C=IT, O=frafra.ch<http://frafra.ch>" from 'frafra.ch.pem'
14[CFG] loaded certificate "C=IT, O=frafra.ch<http://frafra.ch>" from 'frafra at calimero.pem<mailto:frafra at calimero.pem>'
14[CFG] added configuration 'franetwork'
15[NET] received packet: from 93.147.151.147[500] to 37.247.55.126[500] (744 bytes)
15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
15[IKE] 93.147.151.147 is initiating an IKE_SA
15[IKE] remote host is behind NAT
15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
15[NET] sending packet: from 37.247.55.126[500] to 93.147.151.147[500] (440 bytes)
16[NET] received packet: from 93.147.151.147[4500] to 37.247.55.126[4500] (892 bytes)
16[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
16[CFG] looking for peer configs matching 37.247.55.126[frafra.ch<http://frafra.ch>]...93.147.151.147[frafra at calimero]
16[CFG] selected peer config 'franetwork'
16[CFG] using trusted certificate "C=IT, O=frafra.ch<http://frafra.ch>"
16[IKE] authentication of 'frafra at calimero' with RSA signature successful
16[IKE] peer supports MOBIKE
16[IKE] authentication of 'frafra.ch<http://frafra.ch>' (myself) with RSA signature successful
16[IKE] IKE_SA franetwork[1] established between 37.247.55.126[frafra.ch<http://frafra.ch>]...93.147.151.147[frafra at calimero]
16[IKE] scheduling reauthentication in 9971s
16[IKE] maximum IKE_SA lifetime 10511s
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cc8f7f2d
16[KNL] received netlink error: Protocol not supported (93)
16[KNL] unable to add SAD entry with SPI cf7be3c3
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
16[IKE] failed to establish CHILD_SA, keeping IKE_SA
16[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
16[NET] sending packet: from 37.247.55.126[4500] to 93.147.151.147[4500] (684 bytes)
# strongswan start --nofork # roadwarrior/client
Starting strongSwan 5.0.4 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.0.4, Linux 3.10.6-200.fc19.x86_64, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loaded 0 RADIUS server configurations
00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/strongswan/ipsec.d/private/frafra at calimero.key.pem<mailto:etc/strongswan/ipsec.d/private/frafra at calimero.key.pem>'
00[TNC] loading IMCs from '/etc/tnc_config'
00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] opening configuration file '/etc/tnc_config' failed: No such file or directory
00[DMN] loaded plugins: charon curl sqlite aes des sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default farp stroke updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
00[JOB] spawning 16 worker threads
charon (2956) started after 120 ms
05[CFG] received stroke: add connection 'franetwork'
05[CFG] loaded certificate "C=IT, O=frafra.ch<http://frafra.ch>" from 'frafra at calimero.pem<mailto:frafra at calimero.pem>'
05[CFG] loaded certificate "C=IT, O=frafra.ch<http://frafra.ch>" from 'frafra.ch.pem'
05[CFG] added configuration 'franetwork'
10[CFG] received stroke: initiate 'franetwork'
03[IKE] initiating IKE_SA franetwork[1] to 37.247.55.126
03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
03[NET] sending packet: from 192.168.0.25[500] to 37.247.55.126[500] (744 bytes)
02[NET] received packet: from 37.247.55.126[500] to 192.168.0.25[500] (440 bytes)
02[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
02[IKE] local host is behind NAT, sending keep alives
02[IKE] authentication of 'frafra at calimero' (myself) with RSA signature successful
02[IKE] establishing CHILD_SA franetwork
02[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
02[NET] sending packet: from 192.168.0.25[4500] to 37.247.55.126[4500] (892 bytes)
01[NET] received packet: from 37.247.55.126[4500] to 192.168.0.25[4500] (684 bytes)
01[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
01[CFG] using trusted certificate "C=IT, O=frafra.ch<http://frafra.ch>"
01[IKE] authentication of 'frafra.ch<http://frafra.ch>' with RSA signature successful
01[IKE] IKE_SA franetwork[1] established between 192.168.0.25[frafra at calimero]...37.247.55.126[frafra.ch<http://frafra.ch>]
01[IKE] scheduling reauthentication in 10154s
01[IKE] maximum IKE_SA lifetime 10694s
01[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
01[IKE] failed to establish CHILD_SA, keeping IKE_SA
01[IKE] received AUTH_LIFETIME of 9971s, scheduling reauthentication in 9431s
01[IKE] peer supports MOBIKE
03[IKE] sending keep alive to 37.247.55.126[4500]
# strongswan up franetwork # roadwarrior/client
initiating IKE_SA franetwork[1] to 37.247.55.126
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.25[500] to 37.247.55.126[500] (744 bytes)
received packet: from 37.247.55.126[500] to 192.168.0.25[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
local host is behind NAT, sending keep alives
authentication of 'frafra at calimero' (myself) with RSA signature successful
establishing CHILD_SA franetwork
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.25[4500] to 37.247.55.126[4500] (892 bytes)
received packet: from 37.247.55.126[4500] to 192.168.0.25[4500] (684 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(NO_PROP) ]
using trusted certificate "C=IT, O=frafra.ch<http://frafra.ch>"
authentication of 'frafra.ch<http://frafra.ch>' with RSA signature successful
IKE_SA franetwork[1] established between 192.168.0.25[frafra at calimero]...37.247.55.126[frafra.ch<http://frafra.ch>]
scheduling reauthentication in 10154s
maximum IKE_SA lifetime 10694s
received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'franetwork' failed
# grep -Pv '^\W*#' ipsec.conf # gateway/server
config setup
conn franetwork
keyingtries=1
keyexchange=ikev2
left=frafra.ch<http://frafra.ch>
leftsubnet=37.247.55.126/32<http://37.247.55.126/32>
leftcert=frafra.ch.pem
leftid=@frafra.ch<http://frafra.ch>
right=%any
rightsubnet=192.168.0.25/16<http://192.168.0.25/16>
rightcert=frafra at calimero.pem<mailto:rightcert=frafra at calimero.pem>
rightid=frafra at calimero
auto=add
# grep -Pv '^\W*#' ipsec.conf # roadwarrior/client
config setup
conn franetwork
keyingtries=1
keyexchange=ikev2
left=192.168.0.25
leftsubnet=192.168.0.25/16<http://192.168.0.25/16>
leftcert=frafra at calimero.pem<mailto:leftcert=frafra at calimero.pem>
leftid=frafra at calimero
leftfirewall=yes
right=frafra.ch<http://frafra.ch>
rightsubnet=37.247.55.126/32<http://37.247.55.126/32>
rightcert=frafra.ch.pem
rightid=@frafra.ch<http://frafra.ch>
auto=add
# ls -R /etc/strongswan/ | grep -v ^$ # gateway/server
/etc/strongswan/:
ipsec.conf
ipsec.d
ipsec.secrets
strongswan.conf
/etc/strongswan/ipsec.d:
aacerts
acerts
cacerts
certs
crls
ocspcerts
private
reqs
/etc/strongswan/ipsec.d/aacerts:
/etc/strongswan/ipsec.d/acerts:
/etc/strongswan/ipsec.d/cacerts:
/etc/strongswan/ipsec.d/certs:
frafra at calimero.pem<mailto:frafra at calimero.pem>
frafra.ch.pem
/etc/strongswan/ipsec.d/crls:
/etc/strongswan/ipsec.d/ocspcerts:
/etc/strongswan/ipsec.d/private:
frafra.ch.key.pem
/etc/strongswan/ipsec.d/reqs:
# ls -R /etc/strongswan/ | grep -v ^$ # roadwarriow/client
/etc/strongswan/:
ipsec.conf
ipsec.d
ipsec.secrets
strongswan.conf
/etc/strongswan/ipsec.d:
aacerts
acerts
cacerts
certs
crls
ocspcerts
private
reqs
/etc/strongswan/ipsec.d/aacerts:
/etc/strongswan/ipsec.d/acerts:
/etc/strongswan/ipsec.d/cacerts:
/etc/strongswan/ipsec.d/certs:
frafra at calimero.pem<mailto:frafra at calimero.pem>
frafra.ch.pem
/etc/strongswan/ipsec.d/crls:
/etc/strongswan/ipsec.d/ocspcerts:
/etc/strongswan/ipsec.d/private:
frafra at calimero.key.pem<mailto:frafra at calimero.key.pem>
/etc/strongswan/ipsec.d/reqs:
# bash test.sh /boot/config-2.6.32-358.14.1.el6.x86_64 # script derived from http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_MULTIPLE_TABLES=y
# CONFIG_IPV6_SUBTREES is not set
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
# CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT is not set
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
_______________________________________________
Users mailing list
Users at lists.strongswan.org<mailto:Users at lists.strongswan.org>
https://lists.strongswan.org/mailman/listinfo/users
More information about the Users
mailing list