[strongSwan] Yet another: charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)
Rodrigo Stuffs
rbs at brasilia.br
Mon Apr 24 01:38:47 CEST 2017
Hi there list,
Yes, you have seen $SUBJECT. But I promise, no need to roll eyes: I *think*
I did my homework properly.
Here's the scenario; I have rebuilt a kernel of a WD My Cloud box in order
to extend it.
The Kernel config is available at https://pastebin.com/mYGiK3eN
Prior to posting here I really tried to do my homework, doing extensive
mailing list research. But it seems that the kernel build side is
apparently OK.
The Strongswan output is the following:
---
Apr 23 23:28:36 MyCloud systemd[1]: Starting Cleanup of Temporary
Directories...
Apr 23 23:28:36 MyCloud systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2
daemon using ipsec.conf...
Apr 23 23:28:36 MyCloud systemd[1]: Started strongSwan IPsec IKEv1/IKEv2
daemon using ipsec.conf.
Apr 23 23:28:36 MyCloud ipsec[1734]: Starting strongSwan 5.2.1 IPsec
[starter]...
Apr 23 23:28:36 MyCloud ipsec_starter[1734]: Starting strongSwan 5.2.1
IPsec [starter]...
Apr 23 23:28:36 MyCloud systemd[1]: Started Cleanup of Temporary
Directories.
Apr 23 23:28:36 MyCloud charon[1749]: 00[DMN] Starting IKE charon daemon
(strongSwan 5.2.1, Linux 3.2.26, armv7l)
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from
'/etc/ipsec.secrets'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from
'/etc/ipsec.d/mfrf.secrets'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loaded IKE secret for
172.16.8.3
Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] loaded plugins: charon aes
rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
hmac gcm attr kernel-netlink resolve socket-default stroke updown
Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] unable to load 3 plugin
features (3 due to unmet dependencies)
Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] dropped capabilities, running
as uid 0, gid 0
Apr 23 23:28:36 MyCloud charon[1749]: 00[JOB] spawning 16 worker threads
Apr 23 23:28:36 MyCloud ipsec_starter[1734]: charon (1749) started after 80
ms
Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] received stroke: add
connection 'teste'
Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] added configuration 'teste'
Apr 23 23:28:36 MyCloud charon[1749]: 09[CFG] received stroke: initiate
'teste'
Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1] to
172.16.8.3
Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1] to
172.16.8.3
Apr 23 23:28:36 MyCloud ipsec[1734]: charon (1749) started after 80 ms
Apr 23 23:28:37 MyCloud charon[1749]: 09[ENC] generating IKE_SA_INIT
request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 23 23:28:37 MyCloud charon[1749]: 09[NET] sending packet: from
172.16.8.158[500] to 172.16.8.3[500] (1108 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] received packet: from
172.16.8.3[500] to 172.16.8.158[500] (376 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] parsed IKE_SA_INIT response 0
[ SA KE No V ]
Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] received unknown vendor ID:
4f:45:75:5c:64:5c:6a:79:5c:5c:61:70
Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] authentication of
'172.16.8.158' (myself) with pre-shared key
Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste
Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste
Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] generating IKE_AUTH request 1
[ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
N(EAP_ONLY) ]
Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] sending packet: from
172.16.8.158[500] to 172.16.8.3[500] (380 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] received packet: from
172.16.8.3[500] to 172.16.8.158[500] (204 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] parsed IKE_AUTH response 1 [
IDr AUTH SA TSi TSr ]
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] authentication of
'172.16.8.3' with pre-shared key successful
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established
between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established
between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] scheduling reauthentication
in 3305s
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] maximum IKE_SA lifetime 3485s
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error:
Protocol not supported (93)
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with
SPI c6781a65
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error:
Protocol not supported (93)
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with
SPI a6ac1542
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] unable to install inbound and
outbound IPsec SA (SAD) in kernel
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] failed to establish CHILD_SA,
keeping IKE_SA
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] sending DELETE for ESP
CHILD_SA with SPI c6781a65
Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] generating INFORMATIONAL
request 2 [ D ]
Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] sending packet: from
172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
Apr 23 23:28:41 MyCloud charon[1749]: 06[IKE] retransmit 1 of request with
message ID 2
Apr 23 23:28:41 MyCloud charon[1749]: 06[NET] sending packet: from
172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
Apr 23 23:28:48 MyCloud charon[1749]: 08[IKE] retransmit 2 of request with
message ID 2
Apr 23 23:28:48 MyCloud charon[1749]: 08[NET] sending packet: from
172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
---
It is a real simple ipsec setup, between two systems in the local network:
172.16.8.158 (the Strongswan box) and 172.16.8.3 (an openswan 2.6.37 box).
The ipsec endpoints should use a PSK key.
The configuration is pretty much standard and untouched. I have only added
an include clause, see below:
---
root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.conf
config setup
include /etc/ipsec.d/*.conf
---
root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
---
And here are the relevant config files:
root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.conf (the only .conf file over there)
conn teste
    left=172.16.8.158
    right=172.16.8.3
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    authby=secret
    auto=start
---
root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.secrets (the only .secrets file over here too)
172.16.8.3 : PSK "zomgsecretkeyhere"
---
The Strongswan version:
---
root@MyCloud:/dev/shm# dpkg -l | grep strongsw
ii libstrongswan 5.2.1-6+deb8u2
armhf strongSwan utility and crypto library
ii libstrongswan-standard-plugins 5.2.1-6+deb8u2
armhf strongSwan utility and crypto library (standard plugins)
ii strongswan 5.2.1-6+deb8u2
all IPsec VPN solution metapackage
ii strongswan-charon 5.2.1-6+deb8u2
armhf strongSwan Internet Key Exchange daemon
ii strongswan-libcharon 5.2.1-6+deb8u2
armhf strongSwan charon library
ii strongswan-starter 5.2.1-6+deb8u2
armhf strongSwan daemon starter and configuration file parser
The loaded modules output:
---
root@MyCloud:~# bash teste.sh
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
---
root@MyCloud:/dev/shm# grep -e XFRM -e IPCOMP -e DEFLATE /boot/config-3.2.26
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_CRYPTO_DEFLATE=y
CONFIG_ZLIB_DEFLATE=y
---
lsmod output:
root@MyCloud:/dev/shm# lsmod
Module Size Used by
xfrm6_mode_tunnel 1514 0
xfrm4_mode_tunnel 1586 0
xfrm_user 24068 2
xfrm4_tunnel 1443 0
tunnel4 2043 1 xfrm4_tunnel
pfe 428717 0
ipcomp 1770 0
xfrm_ipcomp 4059 1 ipcomp
ah4 4666 0
af_key 30346 0
cryptosoft 13291 0
cryptodev 11075 0
ocf 23776 2 cryptodev,cryptosoft
ipv6 262883 20 xfrm6_mode_tunnel
---
Any hints? /o\
Thanks for stopping by! \o
- Rodrigo.
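
A check for the symptom reported above, as an added example that is not part of the original message: the kernel answers an XFRM state add with EPROTONOSUPPORT (93) when no handler is registered for the SA's protocol or mode, so this script lists IPsec options built as `=m` whose module is absent from `lsmod`. The option-to-module mapping assumes mainline module names; the sample data is copied from the listings in the post.

```shell
#!/bin/sh
# Added example: list IPsec modules built as =m but absent from lsmod.
# CONFIG option -> module name, per mainline net/{ipv4,xfrm,key} Makefiles.
MODMAP='CONFIG_XFRM_USER xfrm_user
CONFIG_NET_KEY af_key
CONFIG_INET_AH ah4
CONFIG_INET_ESP esp4
CONFIG_INET_IPCOMP ipcomp
CONFIG_INET_XFRM_MODE_TRANSPORT xfrm4_mode_transport
CONFIG_INET_XFRM_MODE_TUNNEL xfrm4_mode_tunnel'

# missing_modules CONFIG_TEXT LSMOD_TEXT: print one unloaded module per line.
missing_modules() {
    cfg=$1
    loaded=$2
    printf '%s\n' "$MODMAP" | while read -r opt mod; do
        # Built-in (=y) or disabled options have no module to load.
        printf '%s\n' "$cfg" | grep -qx "${opt}=m" || continue
        printf '%s\n' "$loaded" |
            awk -v m="$mod" '$1 == m { found = 1 } END { exit !found }' ||
            printf '%s\n' "$mod"
    done
}

# Sample input copied from the teste.sh and lsmod listings in the post.
SAMPLE_CONFIG='CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m'
SAMPLE_LSMOD='Module Size Used by
xfrm6_mode_tunnel 1514 0
xfrm4_mode_tunnel 1586 0
xfrm_user 24068 2
xfrm4_tunnel 1443 0
tunnel4 2043 1 xfrm4_tunnel
pfe 428717 0
ipcomp 1770 0
xfrm_ipcomp 4059 1 ipcomp
ah4 4666 0
af_key 30346 0
cryptosoft 13291 0
cryptodev 11075 0
ocf 23776 2 cryptodev,cryptosoft
ipv6 262883 20 xfrm6_mode_tunnel'
missing_modules "$SAMPLE_CONFIG" "$SAMPLE_LSMOD"
```

On the post's data it reports `esp4` and `xfrm4_mode_transport`; the CHILD_SA that failed to install is ESP, so `esp4` is the entry that matters for this connection.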