[strongSwan] Failure to install IPsec SAs in kernel for IPv6 peer
Sandesh Sawant
sandesh.sawant at gmail.com
Fri Aug 11 07:07:37 CEST 2017
I am using Strongswan-5.5.2 with 4.4 Linux Kernel on two Debian systems.
ESP tunnel establishment works as expected between two IPv4 endpoints, but
it fails between two IPv6 endpoints, and I observed the following
errors in the strongSwan logs during Quick Mode:
--------------------------------------
charon: [authpriv.info] 14[NET]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received packet: from
2020::20[500] to 2020::10[500] (444 bytes)
charon: [authpriv.info] 14[ENC]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> parsed QUICK_MODE response
1674824392 [ HASH SA No KE ID ID ]
charon: [authpriv.info] 14[KNL]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error:
Protocol not supported (93)
charon: [authpriv.info] 14[KNL]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with
SPI cb0cdfda
charon: [authpriv.info] 14[KNL]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error:
Protocol not supported (93)
charon: [authpriv.info] 14[KNL]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with
SPI c1205b7d
charon: [authpriv.info] 14[IKE]
<2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to install inbound and
outbound IPsec SA (SAD) in kernel
--------------------------------------
Here is the output of ipsec statusall:
Status of IKE charon daemon (strongSwan 5.5.2, Linux 4.4.57, x86_64):
uptime: 20 minutes, since Aug 10 12:01:39 2017
malloc: sbrk 1480032, mmap 0, used 345280, free 1134752
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 3
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve
socket-default stroke vici updown xauth-generic
Listening IP addresses:
2020::10
Connections:
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: 2020::10...2020::20 IKEv1,
dpddelay=30s
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: local: [2020::10] uses
pre-shared key authentication
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: remote: [2020::20] uses
pre-shared key authentication
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: child: 4.4.4.0/24 === 3.3.3.0/24
TUNNEL, dpdaction=restart
Routed Connections:
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}: ROUTED, TUNNEL, reqid 1
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}: 4.4.4.0/24 === 3.3.3.0/24
Security Associations (1 up, 0 connecting):
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: ESTABLISHED 20 minutes ago,
2020::10[2020::10]...2020::20[2020::20]
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKEv1 SPIs: 23b31ae851f9bddb_i*
bd1fcbc1681eb3ca_r, pre-shared key reauthentication in 7 hours
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
--------------------------------------
ipsec.conf contents (peer contents are matching):
conn %default
    ikelifetime = 28800s
    type = tunnel
    lifetime = 3600s
    dpddelay = 30
    dpdaction = restart
conn 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24
    left=2020::10
    leftid=2020::10
    rightid=2020::20
    leftsubnet=4.4.4.0/24
    right=2020::20
    rightsubnet=3.3.3.0/24
    authby=secret
    keyexchange = ikev1
    auto = start
    fragmentation = yes
    esp=aes128-sha1-modp2048
    ike=aes128-sha1-modp2048!
--------------------------------------
From the logs it looks like the required XFRM modules related to IPv6
support are not pre-loaded by strongSwan.
Therefore I manually loaded the missing kernel modules related to XFRM6,
viz. ah6, esp6, ipcomp6, xfrm6_tunnel, xfrm6_mode_tunnel,
xfrm6_mode_transport, ip6_tunnel. However, it did not result in a successful
IPv6 SA download.
Finally I built all the features recommended at
https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules as
statically-linked in kernel instead of as modules, and then the IPv6 SA
download was successful with the new kernel.
This makes me think auto-loading of IPv6 related XFRM modules is missing in
strongSwan. I found the following lines in its source
file src/starter/netkey.c:
...
    /* make sure that all required IPsec modules are loaded */
    if (stat(PROC_MODULES, &stb) == 0)
    {
        ignore_result(system("modprobe -qv ah4"));
        ignore_result(system("modprobe -qv esp4"));
        ignore_result(system("modprobe -qv ipcomp"));
        ignore_result(system("modprobe -qv xfrm4_tunnel"));
        ignore_result(system("modprobe -qv xfrm_user"));
    }
...
Shouldn't it be doing modprobe for the IPv6 related XFRM modules as well?
Can someone point out the exact modules required to be loaded so that the IPv6
SA download by charon succeeds?
Thanks & regards,
Sandesh Sawant
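Editor's note, added example (not code from the post above and not part of strongSwan): the errno in the log, "Protocol not supported (93)", is EPROTONOSUPPORT, which the kernel's XFRM code returns from the SA add when no transform type (esp6/ah6) or encapsulation mode (xfrm6_mode_tunnel/transport) is registered for the address family of the SA. The modprobe list quoted from src/starter/netkey.c only covers the IPv4 names, and it runs in the starter, so charon launched any other way never benefits from it. The script below audits a kernel for the IPv6 pieces before you touch the IKE configuration. The module-to-Kconfig mapping is this example's assumption, taken from the kernel's net/ipv6 Kconfig naming; the kernel config and /proc/modules contents it checks at the end are constructed samples, and the two live functions (modprobe and /proc/config.gz) are defined but not executed automatically.

```shell
#!/bin/sh
# Audit a Linux kernel for the IPv6 XFRM support charon needs to install an
# IPv6 ESP SA. Module -> Kconfig mapping is an assumption of this example
# (kernel net/ipv6/Kconfig names); sample inputs at the bottom are constructed.
set -u

# One "module:Kconfig symbol" per line: esp6/ah6/ipcomp6 are the IPv6
# transforms, xfrm6_mode_* the encapsulation modes, xfrm6_tunnel the IPv6
# tunnel handler, xfrm_user the netlink interface charon talks to.
XFRM6_REQUIREMENTS='esp6:CONFIG_INET6_ESP
ah6:CONFIG_INET6_AH
ipcomp6:CONFIG_INET6_IPCOMP
xfrm6_mode_tunnel:CONFIG_INET6_XFRM_MODE_TUNNEL
xfrm6_mode_transport:CONFIG_INET6_XFRM_MODE_TRANSPORT
xfrm6_tunnel:CONFIG_INET6_XFRM_TUNNEL
xfrm_user:CONFIG_XFRM_USER'

# config_state CONFIG_FILE SYMBOL -> prints y (built in), m (module) or n (absent)
config_state() {
    _state=$(sed -n "s/^$2=\([ym]\)$/\1/p" "$1")
    printf '%s\n' "${_state:-n}"
}

# module_loaded PROC_MODULES_FILE NAME -> exit 0 if the module is listed
module_loaded() {
    grep -q "^$2 " "$1"
}

# audit_xfrm6 CONFIG_FILE PROC_MODULES_FILE
# Prints "<module> builtin|loaded|not-loaded|missing", one line per requirement.
audit_xfrm6() {
    while IFS=: read -r mod sym; do
        case $(config_state "$1" "$sym") in
            y) printf '%s builtin\n' "$mod" ;;
            m) if module_loaded "$2" "$mod"; then
                   printf '%s loaded\n' "$mod"
               else
                   printf '%s not-loaded\n' "$mod"
               fi ;;
            *) printf '%s missing\n' "$mod" ;;
        esac
    done <<EOF
$XFRM6_REQUIREMENTS
EOF
}

# xfrm6_ready CONFIG_FILE PROC_MODULES_FILE -> exit 0 only if every
# requirement is built in or loaded, i.e. the kernel can take an IPv6 ESP SA.
xfrm6_ready() {
    ! audit_xfrm6 "$1" "$2" | grep -qE ' (not-loaded|missing)$'
}

# IPv6 counterpart of the modprobe block in netkey.c (needs root; not run here).
load_xfrm6_modules() {
    for m in ah6 esp6 ipcomp6 xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport; do
        modprobe -qv "$m" || true
    done
}

# Audit the running kernel via /proc/config.gz (not run automatically).
live_audit() {
    _cfg=$(mktemp)
    zcat /proc/config.gz >"$_cfg" || { rm -f "$_cfg"; return 2; }
    audit_xfrm6 "$_cfg" /proc/modules
    rm -f "$_cfg"
}

# Constructed sample: IPv6 pieces built as modules, xfrm6_tunnel not configured
# at all, and only esp6 and xfrm6_mode_tunnel actually loaded.
SAMPLE_CONFIG=$(mktemp)
SAMPLE_MODULES=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_MODULES"' EXIT
cat >"$SAMPLE_CONFIG" <<'EOF'
CONFIG_XFRM_USER=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
# CONFIG_INET6_XFRM_TUNNEL is not set
EOF
cat >"$SAMPLE_MODULES" <<'EOF'
esp6 24576 0 - Live 0x0000000000000000
xfrm6_mode_tunnel 16384 1 esp6, Live 0x0000000000000000
EOF

audit_xfrm6 "$SAMPLE_CONFIG" "$SAMPLE_MODULES"
if xfrm6_ready "$SAMPLE_CONFIG" "$SAMPLE_MODULES"; then
    echo "kernel can install IPv6 ESP SAs"
else
    echo "kernel cannot install IPv6 ESP SAs: fix the not-loaded/missing entries"
fi
```

A "not-loaded" entry is the case modprobe can fix (load_xfrm6_modules, or the kernel's own request_module alias when modprobe is available to it); a "missing" entry means the symbol is not in the kernel config at all, which is the situation no amount of modprobe helps with and which matches the poster's experience of only succeeding after rebuilding the kernel with those options enabled.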