[strongSwan] Netlink and SAD entry error
G. B.
gawd0wns at hotmail.com
Thu Nov 7 19:04:32 CET 2013
My strongswan server is failing following a kernel upgrade. What is the issue?
My config in ipsec.conf:
config setup
strictcrlpolicy=no
uniqueids=yes
charondebug="cfg 4"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
leftfirewall=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
conn bb10
mobike=yes
ike=aes256-sha1-sha1-modp1024!
esp=aes256-modp1024-sha1!
left=%defaultroute
leftid="C=CA, O=none, CN=192.168.1.100"
leftcert=serverCert.pem
right=%any
rightsourceip=10.11.12.1
rightid="C=CA, O=none, CN=bb10"
rightauth=pubkey
leftauth=pubkey
auto=add
Errors logged in daemon.log:
Nov 7 13:21:52 nas charon: 09[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov 7 13:21:52 nas charon: 09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov 7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for us:
Nov 7 13:21:52 nas charon: 09[CFG] config: 192.168.1.100/32, received: 0.0.0.0/0 => match: 192.168.1.100/32
Nov 7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for other:
Nov 7 13:21:52 nas charon: 09[CFG] config: 10.11.12.1/32, received: 0.0.0.0/0 => match: 10.11.12.1/32
Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)
Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI ca55d1a0
Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)
Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI aaeff1d8
Nov 7 13:21:52 nas charon: 09[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 7 13:21:52 nas charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 7 13:21:52 nas charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Nov 7 13:21:52 nas charon: 09[NET] sending packet: from 192.168.1.100[4500] to 24.114.73.80[45231] (1276 bytes)
Nov 7 13:22:02 nas charon: 10[NET] received packet: from 24.114.73.80[45231] to 192.168.1.100[4500] (1436 bytes)
I thought the new kernel was a missing module, though check.sh doesn't report any errors and lsmod seems to have everything that I need already loaded:
lsmod output:
Module Size Used by
authenc 5858 0
xfrm6_mode_tunnel 1552 0
xfrm4_mode_tunnel 2184 0
xfrm_user 20613 2
xfrm4_tunnel 1478 0
tunnel4 2047 1 xfrm4_tunnel
ipcomp 1665 0
xfrm_ipcomp 3257 1 ipcomp
esp4 5593 0
ah4 4797 0
ctr 3433 0
twofish_generic 7239 0
twofish_common 12858 1 twofish_generic
camellia_generic 19582 0
serpent_generic 19827 0
blowfish_generic 3625 0
blowfish_common 6513 1 blowfish_generic
cast5_generic 11096 0
cast_common 4605 1 cast5_generic
des_generic 16820 0
cbc 2267 0
cmac 2492 0
xcbc 2202 0
rmd160 7244 0
sha512_generic 7457 0
sha256_generic 8589 0
crypto_null 2089 0
af_key 32934 0
xfrm_algo 4401 5 ah4,esp4,af_key,xfrm_user,xfrm_ipcomp
xt_tcpudp 1976 2
ipv6 282327 28 xfrm6_mode_tunnel
iptable_filter 1143 1
ip_tables 9770 1 iptable_filter
x_tables 11279 3 ip_tables,xt_tcpudp,iptable_filter
orion_wdt 2869 0
hmac 2433 0
sha1_generic 1752 0
sha1_arm 3389 0
mv_cesa 10557 0
ext2 57351 2
mbcache 5128 1 ext2
netconsole 6138 0
configfs 21555 2 netconsole
sg 20167 0
sd_mod 33934 5
crc_t10dif 1110 1 sd_mod
sata_mv 24313 1
usb_storage 36513 2
libata 143640 1 sata_mv
marvell 7083 0
mvmdio 3128 0
scsi_mod 150844 4 sg,usb_storage,libata,sd_mod
mv643xx_eth 22129 0
libphy 16687 3 marvell,mvmdio,mv643xx_eth
Module check with check.sh:
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_GRE is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
root at nas:/home/nas#
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20131107/0e6a6c22/attachment.html>
More information about the Users
mailing list