[strongSwan] unable to set IPSEC_POLICY on socket: Operation not supported

Noel Kuntze noel at familie-kuntze.de
Fri May 9 19:33:59 CEST 2014



Hello Rolf,

OpenVZ virtualised guests do not have their own kernel and are not allowed to access the XFRM policies of the host kernel.
That's why that doesn't work. Use libipsec as a backend, instead of netlink. libipsec works in userspace.
You probably have to upgrade to a newer version of strongSwan, that supports libipsec, because it's one of the newer things.

Regards,
Noel Kuntze

Am 09.05.2014 19:31, schrieb Rolf Schöpfer:
> Hi
>
> Today I didn't succeed to configure site2site VPN with strongSwan. Details:
>
> - Server Debian 7.3 32-bit,  OpenVZ VM (Host is Proxmox)
> - I did configure 'Gateway moon' of http://www.strongswan.org/uml/testresults4/ikev2/rw-psk-ipv4/
>
> # ipsec start
> Starting strongSwan 4.5.2 IPsec [starter]...
> !! Your strongswan.conf contains manual plugin load options for
> !! pluto and/or charon. This is recommended for experts only, see
> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>
> # tail /var/log/daemon.log
> May  9 19:22:49 development charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
> May  9 19:22:49 development charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> May  9 19:22:49 development charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> May  9 19:22:49 development charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> May  9 19:22:49 development charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> May  9 19:22:49 development charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
> May  9 19:22:49 development charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
> May  9 19:22:49 development charon: 00[CFG]   loaded IKE secret for @development.test @office.test
> May  9 19:22:49 development charon: 00[KNL] listening on interfaces:
> May  9 19:22:49 development charon: 00[KNL]   venet0
> May  9 19:22:49 development charon: 00[KNL]     127.0.0.2
> May  9 19:22:49 development charon: 00[KNL]     [Public IP not shown in this E-Mail]
> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
> May  9 19:22:49 development charon: 00[NET] installing bypass policy on receive socket failed
> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> May  9 19:22:49 development charon: 00[NET] installing bypass policy on receive socket failed
> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
> May  9 19:22:49 development charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-raw updown
> May  9 19:22:49 development charon: 00[DMN] unable to drop daemon capabilities
> May  9 19:22:49 development charon: 00[DMN] capability dropping failed - aborting charon
>
>
> I did check Kernel stuff: http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> I did load some Modules on the Host manually:
>
> # modprobe ah4
> # modprobe esp4
> # modprobe ipcomp
> # modprobe xfrm4_tunnel
>
> But still the same Error.
>
> Is there another missing Module?
>
> Any help is appreciated.
>
> Flink
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

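As an added illustration, not part of the thread, here is a small Python triage script that parses charon log lines like the ones Rolf posted and reports the signature of this failure: IPSEC_POLICY errors while only kernel-netlink is loaded, the OpenVZ venet0 interface, and the capability-drop abort. The log excerpt is copied from the post; the regexes, the `diagnose()` function and the advice strings are my own and not strongSwan code.

```python
import re
from collections import Counter

# charon syslog line, e.g. "May  9 19:22:49 development charon: 00[KNL] message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ charon: \d+\[(?P<sub>\w+)\] (?P<msg>.*)$")
POLICY_RE = re.compile(r"unable to set IPSEC_POLICY on socket: (?P<err>.+)$")

def parse_charon(lines):
    """Yield (subsystem, message) for every charon line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if m:
            yield m.group("sub"), m.group("msg")

def diagnose(lines):
    """Summarise startup failures and say whether the libipsec backend is indicated."""
    plugins, errors, ifaces, aborted = set(), Counter(), [], False
    for sub, msg in parse_charon(lines):
        pm = POLICY_RE.search(msg)
        if msg.startswith("loaded plugins: "):
            plugins = set(msg.split(": ", 1)[1].split())
        elif pm:
            errors[pm.group("err")] += 1      # errno text, e.g. "Operation not supported"
        elif msg == "capability dropping failed - aborting charon":
            aborted = True
        elif sub == "KNL" and re.fullmatch(r"\s+[a-z][a-z0-9]*", msg):
            ifaces.append(msg.strip())       # indented names under "listening on interfaces:"
    advice = []
    if errors and "kernel-netlink" in plugins and "kernel-libipsec" not in plugins:
        advice.append("IPsec policies go through netlink/XFRM, which this kernel refuses; "
                      "use the kernel-libipsec plugin (strongSwan 5.1+) for userspace ESP")
    if "venet0" in ifaces:
        advice.append("venet0 indicates an OpenVZ container: no own kernel, no XFRM access")
    if aborted:
        advice.append("charon aborted; no IKE_SA can be established until this is fixed")
    return {"policy_errors": dict(errors), "plugins": plugins, "aborted": aborted, "advice": advice}

# log excerpt copied from the post above (the public IP was already redacted there)
SAMPLE_LOG = """\
May  9 19:22:49 development charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
May  9 19:22:49 development charon: 00[KNL] listening on interfaces:
May  9 19:22:49 development charon: 00[KNL]   venet0
May  9 19:22:49 development charon: 00[KNL]     127.0.0.2
May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
May  9 19:22:49 development charon: 00[NET] installing bypass policy on receive socket failed
May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
May  9 19:22:49 development charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-raw updown
May  9 19:22:49 development charon: 00[DMN] unable to drop daemon capabilities
May  9 19:22:49 development charon: 00[DMN] capability dropping failed - aborting charon
""".splitlines()

if __name__ == "__main__":
    for item in diagnose(SAMPLE_LOG)["advice"]:
        print("-", item)
```

Feed it `tail /var/log/daemon.log` output from the guest; an empty advice list means the failure is something other than the one discussed in this thread.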
