[strongSwan] Yet another: charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)
Rodrigo Stuffs
rbs at brasilia.br
Tue Apr 25 21:30:52 CEST 2017
Ok, I found out and everything is working flawlessly.
The WD's GPL toolchain for the MyCloud device fooled me.
While the .config had CONFIG_INET_ESP=m, after LOTS of tinkering, I've
found that in the source code it has:
[rfreire@rf ipv4]$ grep esp Makefile
#obj-$(CONFIG_INET_ESP) += esp4.o
YES: The GPL source had it disabled at the Makefile level.
After uncommenting it (and from ipv6 too) and recompiling, everything
just.works(TM).
A hint for someone else hitting the very same problem:
1. Try to add a test connection using ip xfrm, like:
ip xfrm state add src 172.16.8.3 dst 172.16.8.158 proto esp spi 1234 \
    reqid 16380 mode transport \
    auth sha1 0x27b12f61fdc46b0f545256a405ac29fc8c137514 \
    enc aes 0x5f5fb739d41eee7a5fe793917d18cadd
If it fails at this stage, it means that the kernel backend is flawed.
2. A working (considering that most of your ipsec stack is modular) lsmod
output:
root@MyCloud:~# lsmod
Module Size Used by
xfrm4_mode_tunnel 1586 4
xfrm4_mode_transport 1136 0
pfe 428717 0
xfrm_user 24068 2
xfrm4_tunnel 1443 0
tunnel4 2043 1 xfrm4_tunnel
ipcomp 1770 0
xfrm_ipcomp 4059 1 ipcomp
esp4 6415 2
ah4 4666 0
af_key 30346 0
cryptosoft 13291 0
cryptodev 11075 0
ocf 23776 2 cryptodev,cryptosoft
Hope that helps other users.
On Sun, Apr 23, 2017 at 8:38 PM, Rodrigo Stuffs <rbs at brasilia.br> wrote:
> Hi there list,
>
> Yes, you have seen $SUBJECT. But I promise, no need to roll eyes: I *think*
> I did my homework properly.
>
> Here's the scenario; I have rebuilt a kernel of a WD My Cloud box in order
> to extend it.
>
> The Kernel config is available at https://pastebin.com/mYGiK3eN
>
> Prior to posting here I really tried to do my homework, doing extensive
> mailing list research. But it seems that the kernel build side is
> apparently OK.
>
> The Strongswan output is the following:
> ---
> Apr 23 23:28:36 MyCloud systemd[1]: Starting Cleanup of Temporary
> Directories...
> Apr 23 23:28:36 MyCloud systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2
> daemon using ipsec.conf...
> Apr 23 23:28:36 MyCloud systemd[1]: Started strongSwan IPsec IKEv1/IKEv2
> daemon using ipsec.conf.
> Apr 23 23:28:36 MyCloud ipsec[1734]: Starting strongSwan 5.2.1 IPsec
> [starter]...
> Apr 23 23:28:36 MyCloud ipsec_starter[1734]: Starting strongSwan 5.2.1
> IPsec [starter]...
> Apr 23 23:28:36 MyCloud systemd[1]: Started Cleanup of Temporary
> Directories.
> Apr 23 23:28:36 MyCloud charon[1749]: 00[DMN] Starting IKE charon daemon
> (strongSwan 5.2.1, Linux 3.2.26, armv7l)
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ca certificates from
> '/etc/ipsec.d/cacerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading aa certificates from
> '/etc/ipsec.d/aacerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ocsp signer
> certificates from '/etc/ipsec.d/ocspcerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading attribute
> certificates from '/etc/ipsec.d/acerts'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading crls from
> '/etc/ipsec.d/crls'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from
> '/etc/ipsec.d/mfrf.secrets'
> Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loaded IKE secret for
> 172.16.8.3
> Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] loaded plugins: charon aes
> rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1
> pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc
> hmac gcm attr kernel-netlink resolve socket-default stroke updown
> Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] unable to load 3 plugin
> features (3 due to unmet dependencies)
> Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] dropped capabilities,
> running as uid 0, gid 0
> Apr 23 23:28:36 MyCloud charon[1749]: 00[JOB] spawning 16 worker threads
> Apr 23 23:28:36 MyCloud ipsec_starter[1734]: charon (1749) started after
> 80 ms
> Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] received stroke: add
> connection 'teste'
> Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] added configuration 'teste'
> Apr 23 23:28:36 MyCloud charon[1749]: 09[CFG] received stroke: initiate
> 'teste'
> Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1]
> to 172.16.8.3
> Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1]
> to 172.16.8.3
> Apr 23 23:28:36 MyCloud ipsec[1734]: charon (1749) started after 80 ms
> Apr 23 23:28:37 MyCloud charon[1749]: 09[ENC] generating IKE_SA_INIT
> request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Apr 23 23:28:37 MyCloud charon[1749]: 09[NET] sending packet: from
> 172.16.8.158[500] to 172.16.8.3[500] (1108 bytes)
> Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] received packet: from
> 172.16.8.3[500] to 172.16.8.158[500] (376 bytes)
> Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] parsed IKE_SA_INIT response
> 0 [ SA KE No V ]
> Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] received unknown vendor ID:
> 4f:45:75:5c:64:5c:6a:79:5c:5c:61:70
> Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] authentication of
> '172.16.8.158' (myself) with pre-shared key
> Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste
> Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste
> Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] generating IKE_AUTH request
> 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR)
> N(EAP_ONLY) ]
> Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] sending packet: from
> 172.16.8.158[500] to 172.16.8.3[500] (380 bytes)
> Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] received packet: from
> 172.16.8.3[500] to 172.16.8.158[500] (204 bytes)
> Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] parsed IKE_AUTH response 1 [
> IDr AUTH SA TSi TSr ]
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] authentication of
> '172.16.8.3' with pre-shared key successful
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established
> between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established
> between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] scheduling reauthentication
> in 3305s
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] maximum IKE_SA lifetime 3485s
> Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error:
> Protocol not supported (93)
> Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with
> SPI c6781a65
> Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error:
> Protocol not supported (93)
> Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with
> SPI a6ac1542
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] unable to install inbound
> and outbound IPsec SA (SAD) in kernel
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] failed to establish
> CHILD_SA, keeping IKE_SA
> Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] sending DELETE for ESP
> CHILD_SA with SPI c6781a65
> Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] generating INFORMATIONAL
> request 2 [ D ]
> Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] sending packet: from
> 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
> Apr 23 23:28:41 MyCloud charon[1749]: 06[IKE] retransmit 1 of request with
> message ID 2
> Apr 23 23:28:41 MyCloud charon[1749]: 06[NET] sending packet: from
> 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
> Apr 23 23:28:48 MyCloud charon[1749]: 08[IKE] retransmit 2 of request with
> message ID 2
> Apr 23 23:28:48 MyCloud charon[1749]: 08[NET] sending packet: from
> 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
> ---
>
> It is a real simple ipsec setup, between two systems in the local network:
> 172.16.8.158 (the Strongswan box) and 172.16.8.3 (an openswan 2.6.37 box).
> The ipsec endpoints should use a PSK key.
>
> The configuration is pretty much standard and untouched. I have only added
> an include clause, see below:
> ---
> root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.conf
> config setup
> include /etc/ipsec.d/*.conf
> ---
> root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.secrets
> include /etc/ipsec.d/*.secrets
> ---
>
> And here are the relevant config files:
>
> root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.conf (the only .conf file
> over there)
> conn teste
> left=172.16.8.158
> right=172.16.8.3
> ikelifetime=60m
> keylife=20m
> rekeymargin=3m
> keyingtries=1
> authby=secret
> auto=start
> ---
> root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.secrets (the only .secrets
> file over here too)
> 172.16.8.3 : PSK "zomgsecretkeyhere"
> ---
>
> The Strongswan version:
> ---
> root@MyCloud:/dev/shm# dpkg -l | grep strongsw
> ii libstrongswan 5.2.1-6+deb8u2
> armhf strongSwan utility and crypto library
> ii libstrongswan-standard-plugins 5.2.1-6+deb8u2
> armhf strongSwan utility and crypto library (standard plugins)
> ii strongswan 5.2.1-6+deb8u2
> all IPsec VPN solution metapackage
> ii strongswan-charon 5.2.1-6+deb8u2
> armhf strongSwan Internet Key Exchange daemon
> ii strongswan-libcharon 5.2.1-6+deb8u2
> armhf strongSwan charon library
> ii strongswan-starter 5.2.1-6+deb8u2
> armhf strongSwan daemon starter and configuration file parser
>
>
> The loaded modules output:
>
> ---
> root@MyCloud:~# bash teste.sh
> CONFIG_XFRM_USER=m
> CONFIG_NET_KEY=m
> CONFIG_INET=y
> CONFIG_IP_ADVANCED_ROUTER=y
> CONFIG_IP_MULTIPLE_TABLES=y
> CONFIG_INET_AH=m
> CONFIG_INET_ESP=m
> CONFIG_INET_IPCOMP=m
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
> CONFIG_INET_XFRM_MODE_TUNNEL=m
> CONFIG_INET_XFRM_MODE_BEET=m
> CONFIG_IPV6=m
> CONFIG_INET6_AH=m
> CONFIG_INET6_ESP=m
> CONFIG_INET6_IPCOMP=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_BEET=m
> CONFIG_IPV6_MULTIPLE_TABLES=y
> CONFIG_NETFILTER=y
> CONFIG_NETFILTER_XTABLES=m
> CONFIG_NETFILTER_XT_MATCH_POLICY=m
> ---
> root@MyCloud:/dev/shm# grep -e XFRM -e IPCOMP -e DEFLATE /boot/config-3.2.26
> CONFIG_XFRM=y
> CONFIG_XFRM_USER=m
> CONFIG_XFRM_SUB_POLICY=y
> CONFIG_XFRM_MIGRATE=y
> CONFIG_XFRM_STATISTICS=y
> CONFIG_XFRM_IPCOMP=m
> CONFIG_INET_IPCOMP=m
> CONFIG_INET_XFRM_TUNNEL=m
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
> CONFIG_INET_XFRM_MODE_TUNNEL=m
> CONFIG_INET_XFRM_MODE_BEET=m
> CONFIG_INET6_IPCOMP=m
> CONFIG_INET6_XFRM_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_BEET=m
> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
> CONFIG_CRYPTO_DEFLATE=y
> CONFIG_ZLIB_DEFLATE=y
> ---
> lsmod output:
> root@MyCloud:/dev/shm# lsmod
> Module Size Used by
> xfrm6_mode_tunnel 1514 0
> xfrm4_mode_tunnel 1586 0
> xfrm_user 24068 2
> xfrm4_tunnel 1443 0
> tunnel4 2043 1 xfrm4_tunnel
> pfe 428717 0
> ipcomp 1770 0
> xfrm_ipcomp 4059 1 ipcomp
> ah4 4666 0
> af_key 30346 0
> cryptosoft 13291 0
> cryptodev 11075 0
> ocf 23776 2 cryptodev,cryptosoft
> ipv6 262883 20 xfrm6_mode_tunnel
> ---
>
> Any hints? /o\
>
> Thanks for stopping by! \o
>
> - Rodrigo.
>
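
The mismatch found in this thread (an option enabled in .config while its object line is commented out in a Makefile) can be checked for across a whole kernel source tree. This is an added example, not part of the original message or of the WD toolchain; the function names, the sample tree and the exact form of the ipv6 Makefile line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report kernel options that
# .config enables (=y or =m) while the matching obj- line in a Makefile is
# commented out, which is the esp4.o mismatch described in this thread.

# find_disabled_objs CONFIG_FILE SRC_DIR   (hypothetical helper name)
# Prints "CONFIG_NAME<TAB>Makefile" for every mismatch found under SRC_DIR.
find_disabled_objs() {
    config=$1
    src=$2
    find "$src" -name Makefile -exec grep -HE \
        '^[[:space:]]*#[[:space:]]*obj-\$\(CONFIG_[A-Za-z0-9_]+\)' {} + |
    while IFS= read -r line; do
        mk=${line%%:*}                       # path printed by grep -H
        opt=$(printf '%s\n' "$line" |
              sed -E 's/.*obj-\$\((CONFIG_[A-Za-z0-9_]+)\).*/\1/')
        # A commented-out object only matters if .config turns the option on.
        if grep -Eq "^${opt}=[ym]\$" "$config"; then
            printf '%s\t%s\n' "$opt" "$mk"
        fi
    done
}

# demo: build a small constructed source tree and run the check on it.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/net/ipv4" "$d/net/ipv6"
    printf '%s\n' 'obj-$(CONFIG_INET_AH) += ah4.o' \
        '#obj-$(CONFIG_INET_ESP) += esp4.o' \
        '#obj-$(CONFIG_INET_DIAG) += inet_diag.o' > "$d/net/ipv4/Makefile"
    # Assumed form of the ipv6 line; the post only says it was commented out.
    printf '%s\n' '#obj-$(CONFIG_INET6_ESP) += esp6.o' > "$d/net/ipv6/Makefile"
    printf '%s\n' 'CONFIG_INET_AH=m' 'CONFIG_INET_ESP=m' 'CONFIG_INET6_ESP=m' \
        '# CONFIG_INET_DIAG is not set' > "$d/.config"
    (cd "$d" && find_disabled_objs .config . | LC_ALL=C sort)
    rm -rf "$d"
}

demo
```

On a real tree, run `find_disabled_objs .config net/` from the kernel source root before building; any line it prints is a module the build will silently skip.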