[strongSwan] unable to set IPSEC_POLICY on socket: Operation not supported

Rolf Schöpfer rolf at samplezone.ch
Wed May 14 16:13:21 CEST 2014


Hi Noel

You are right, I need a newer version for libipsec. I have now compiled the newest strongSwan:

./configure --prefix=/usr/strongswan-5.1.3 --sysconfdir=/etc/config/strongswan --enable-kernel-libipsec
make
make install

Some output:
...
...
  strongSwan will be built with the following plugins
-----------------------------------------------------
libstrongswan: aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac
libcharon:     kernel-libipsec socket-default stroke updown xauth-generic
libhydra:      attr kernel-netlink resolve
libtnccs:
...
...

I use the same configuration and get the following output:

<<< Development SZ 16:01:11 >>> root:/usr/strongswan-5.1.3
# sbin/ipsec start
Starting strongSwan 5.1.3 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
# deprecated keyword 'plutostart' in config setup
### 1 parsing error (0 fatal) ###

<<< Development SZ 16:01:17 >>> root:/usr/strongswan-5.1.3
# tail /var/log/syslog
May 14 16:01:17 development charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.3, Linux 2.6.32-26-pve, i686)
May 14 16:01:17 development charon: 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
May 14 16:01:17 development charon: 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: CUSTOM:socket
May 14 16:01:17 development charon: 00[CFG] loading ca certificates from '/etc/config/strongswan/ipsec.d/cacerts'
May 14 16:01:17 development charon: 00[CFG] loading aa certificates from '/etc/config/strongswan/ipsec.d/aacerts'
May 14 16:01:17 development charon: 00[CFG] loading ocsp signer certificates from '/etc/config/strongswan/ipsec.d/ocspcerts'
May 14 16:01:17 development charon: 00[CFG] loading attribute certificates from '/etc/config/strongswan/ipsec.d/acerts'
May 14 16:01:17 development charon: 00[CFG] loading crls from '/etc/config/strongswan/ipsec.d/crls'
May 14 16:01:17 development charon: 00[CFG] loading secrets from '/etc/config/strongswan/ipsec.secrets'
May 14 16:01:17 development charon: 00[CFG]   loaded IKE secret for @development @office
May 14 16:01:17 development charon: 00[LIB] failed to load 2 critical plugin features
May 14 16:01:17 development charon: 00[DMN] initialization failed - aborting charon


You see I'm lost - strongSwan is too new for me to understand where to tweak things (compile or config?)

Thanks for your help.



On 09.05.2014 19:33, Noel Kuntze wrote:
> Hello Rolf,
>
> OpenVZ virtualised guests do not have their own kernel and are not allowed to access the XFRM policies of the host kernel.
> That's why that doesn't work. Use libipsec as a backend, instead of netlink. libipsec works in userspace.
> You probably have to upgrade to a newer version of strongSwan, that supports libipsec, because it's one of the newer things.
>
> Regards,
> Noel Kuntze
>
> On 09.05.2014 19:31, Rolf Schöpfer wrote:
>> Hi
>>
>> Today I didn't succeed in configuring a site-to-site VPN with strongSwan. Details:
>>
>> - Server Debian 7.3 32-bit,  OpenVZ VM (Host is Proxmox)
>> - I did configure 'Gateway moon' of http://www.strongswan.org/uml/testresults4/ikev2/rw-psk-ipv4/
>>
>> # ipsec start
>> Starting strongSwan 4.5.2 IPsec [starter]...
>> !! Your strongswan.conf contains manual plugin load options for
>> !! pluto and/or charon. This is recommended for experts only, see
>> !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
>>
>> # tail /var/log/daemon.log
>> May  9 19:22:49 development charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
>> May  9 19:22:49 development charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>> May  9 19:22:49 development charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>> May  9 19:22:49 development charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>> May  9 19:22:49 development charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>> May  9 19:22:49 development charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
>> May  9 19:22:49 development charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>> May  9 19:22:49 development charon: 00[CFG]   loaded IKE secret for @development.test @office.test
>> May  9 19:22:49 development charon: 00[KNL] listening on interfaces:
>> May  9 19:22:49 development charon: 00[KNL]   venet0
>> May  9 19:22:49 development charon: 00[KNL]     127.0.0.2
>> May  9 19:22:49 development charon: 00[KNL]     [Public IP not shown in this E-Mail]
>> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
>> May  9 19:22:49 development charon: 00[NET] installing bypass policy on receive socket failed
>> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
>> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
>> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
>> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
>> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
>> May  9 19:22:49 development charon: 00[NET] installing bypass policy on receive socket failed
>> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
>> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
>> May  9 19:22:49 development charon: 00[KNL] unable to set IPSEC_POLICY on socket: Operation not permitted
>> May  9 19:22:49 development charon: 00[NET] installing bypass policy on send socket failed
>> May  9 19:22:49 development charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-raw updown
>> May  9 19:22:49 development charon: 00[DMN] unable to drop daemon capabilities
>> May  9 19:22:49 development charon: 00[DMN] capability dropping failed - aborting charon
>>
>>
>> I did check Kernel stuff: http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>>
>> I loaded some modules on the host manually:
>>
>> # modprobe ah4
>> # modprobe esp4
>> # modprobe ipcomp
>> # modprobe xfrm4_tunnel
>>
>> But still the same error.
>>
>> Is there another missing module?
>>
>> Any help is appreciated.
>>
>> Flink
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users

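Editor's note on the first failure in this thread. The messages "unable to set IPSEC_POLICY on socket: Operation not supported" and "... Operation not permitted" come from charon's kernel-netlink backend calling setsockopt(IP_XFRM_POLICY) on its IKE sockets to install a bypass policy, so that IKE packets on UDP 500/4500 are never themselves subjected to the IPsec policies charon installs. In an OpenVZ container that setsockopt talks to the shared host kernel, which is exactly what Noel describes. The following probe is an added example written by the editor, not code from the thread or from strongSwan: it repeats that call on a throwaway UDP socket and classifies the errno, so you can tell whether a container can use the kernel backend at all before touching any strongSwan configuration. Linux only; the file name xfrm_probe.c is an assumption.

```c
/*
 * Added example (editor's code, not from the thread or from strongSwan):
 * probe whether this kernel/container lets a process attach a per-socket
 * XFRM "bypass" policy, the setsockopt() behind charon's
 * "unable to set IPSEC_POLICY on socket" messages.
 * Build: cc -Wall -o xfrm_probe xfrm_probe.c   (Linux only; name assumed)
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>   /* IP_XFRM_POLICY; must precede linux/xfrm.h */
#include <linux/xfrm.h>   /* struct xfrm_userpolicy_info, XFRM_POLICY_* */

enum bypass_result {
    BYPASS_OK,             /* policy installed: the kernel backend can work here */
    BYPASS_NOT_SUPPORTED,  /* EOPNOTSUPP / EINVAL: no usable XFRM policy support */
    BYPASS_NOT_PERMITTED,  /* EPERM: the CAP_NET_ADMIN check in ip_setsockopt() */
    BYPASS_OTHER
};

/* Attach an "allow, no IPsec" policy for one direction to a throwaway UDP
 * socket, as charon does for its IKE sockets. Returns 0 on success or the
 * errno of the failing call (socket() or setsockopt()). */
static int probe_xfrm_bypass(int dir)
{
    struct xfrm_userpolicy_info policy;
    int fd, err = 0;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) {
        return errno;
    }
    memset(&policy, 0, sizeof(policy));
    policy.action = XFRM_POLICY_ALLOW;  /* bypass: pass packets untransformed */
    policy.sel.family = AF_INET;        /* empty selector: matches everything */
    policy.dir = dir;                   /* XFRM_POLICY_IN or XFRM_POLICY_OUT */

    if (setsockopt(fd, IPPROTO_IP, IP_XFRM_POLICY, &policy, sizeof(policy)) < 0) {
        err = errno;
    }
    close(fd);
    return err;
}

/* Map the errno to the outcomes seen in the thread. EINVAL is also what the
 * kernel returns for a malformed policy (e.g. a bogus direction). */
static enum bypass_result classify(int err)
{
    switch (err) {
    case 0:          return BYPASS_OK;
    case EOPNOTSUPP:
    case EINVAL:     return BYPASS_NOT_SUPPORTED;
    case EPERM:      return BYPASS_NOT_PERMITTED;
    default:         return BYPASS_OTHER;
    }
}

int main(void)
{
    static const struct { const char *name; int dir; } dirs[] = {
        { "receive (XFRM_POLICY_IN)", XFRM_POLICY_IN },
        { "send (XFRM_POLICY_OUT)",   XFRM_POLICY_OUT },
    };
    int failed = 0;

    for (size_t i = 0; i < sizeof(dirs) / sizeof(dirs[0]); i++) {
        int err = probe_xfrm_bypass(dirs[i].dir);
        printf("%-28s %s\n", dirs[i].name, err ? strerror(err) : "ok");
        if (classify(err) != BYPASS_OK) {
            failed = 1;
        }
    }
    return failed;   /* non-zero: use kernel-libipsec, not kernel-netlink */
}
```

Run it as root inside the container. "Operation not supported" means the container's view of the kernel offers no XFRM policy handling and no amount of modprobe on the host will change that; "Operation not permitted" means the process lacks CAP_NET_ADMIN. Either way the fix is the one Noel gave: switch to the userland backend.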


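Editor's note on the second failure, the 5.1.3 start. The two "unmet dependency" lines name the missing pieces directly: NONCE_GEN is provided by the nonce plugin and CUSTOM:socket by the socket-default plugin (socket-dynamic would also satisfy it). Both were built, as the configure summary above shows, but the manual plugin list in strongswan.conf, the one the "!! Your strongswan.conf contains manual plugin load options for charon" warning refers to, does not load them, so charon aborts. The fragment below is an added example written by the editor, not the poster's file; the plugin list is an assumption based on the plugins the configure output lists, trimmed to what an IKEv2 PSK site-to-site setup with userland IPsec needs.

```conf
# strongswan.conf (added example, assumed content; sysconfdir here is
# /etc/config/strongswan as in the configure line above)
charon {
    # With a manual list, every feature charon needs must come from a plugin
    # named here. 'nonce' supplies NONCE_GEN, 'socket-default' supplies
    # CUSTOM:socket. kernel-libipsec is listed before kernel-netlink so that
    # the userland IPsec backend is the kernel-ipsec interface that gets
    # registered; kernel-netlink stays loaded for routes and interfaces.
    load = random nonce aes des sha1 sha2 md5 hmac xcbc cmac pem pkcs1 pkcs8 x509 revocation constraints pubkey gmp kernel-libipsec kernel-netlink socket-default stroke updown
}
```

After restarting, the "loaded plugins:" line in syslog should list nonce, socket-default and kernel-libipsec. Two caveats for this setup: the "deprecated keyword 'plutostart'" parse error is harmless but the line belongs to 4.x's pluto and can be dropped from config setup in ipsec.conf; and kernel-libipsec moves ESP into charon by creating a TUN interface, so the container needs /dev/net/tun, which an OpenVZ guest only has if the host administrator exposes it.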