[strongSwan] Failure to install IPsec SAs in kernel for IPv6 peer
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Sat Aug 12 18:31:19 CEST 2017
Hi,
You need 4in6 support for ESP in the kernel.
Kind regards
Noel
On 11.08.2017 07:07, Sandesh Sawant wrote:
> I am using Strongswan-5.5.2 with a 4.4 Linux kernel on two Debian systems. ESP tunnel establishment works as expected between two IPv4 endpoints. But ESP tunnel establishment between two IPv6 endpoints fails, and I observed the following errors in the strongSwan logs during Quick Mode:
>
> --------------------------------------
>
> charon: [authpriv.info] 14[NET] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received packet: from 2020::20[500] to 2020::10[500] (444 bytes)
> charon: [authpriv.info] 14[ENC] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> parsed QUICK_MODE response 1674824392 [ HASH SA No KE ID ID ]
> charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error: Protocol not supported (93)
> charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with SPI cb0cdfda
> charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error: Protocol not supported (93)
> charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with SPI c1205b7d
> charon: [authpriv.info] 14[IKE] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
> --------------------------------------
>
> Here is the output of ipsec statusall:
>
> Status of IKE charon daemon (strongSwan 5.5.2, Linux 4.4.57, x86_64):
>   uptime: 20 minutes, since Aug 10 12:01:39 2017
>   malloc: sbrk 1480032, mmap 0, used 345280, free 1134752
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> Listening IP addresses:
>   2020::10
> Connections:
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: 2020::10...2020::20 IKEv1, dpddelay=30s
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: local: [2020::10] uses pre-shared key authentication
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: remote: [2020::20] uses pre-shared key authentication
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24: child: 4.4.4.0/24 === 3.3.3.0/24 TUNNEL, dpdaction=restart
> Routed Connections:
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}: ROUTED, TUNNEL, reqid 1
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}: 4.4.4.0/24 === 3.3.3.0/24
> Security Associations (1 up, 0 connecting):
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: ESTABLISHED 20 minutes ago, 2020::10[2020::10]...2020::20[2020::20]
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKEv1 SPIs: 23b31ae851f9bddb_i* bd1fcbc1681eb3ca_r, pre-shared key reauthentication in 7 hours
>   2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
> --------------------------------------
>
> ipsec.conf contents (peer contents are matching):
>
> conn %default
>     ikelifetime = 28800s
>     type = tunnel
>     lifetime = 3600s
>     dpddelay = 30
>     dpdaction = restart
>
> conn 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24
>     left=2020::10
>     leftid=2020::10
>     rightid=2020::20
>     leftsubnet=4.4.4.0/24
>     right=2020::20
>     rightsubnet=3.3.3.0/24
>     authby=secret
>     keyexchange = ikev1
>     auto = start
>     fragmentation = yes
>     esp=aes128-sha1-modp2048
>     ike=aes128-sha1-modp2048!
>
> --------------------------------------
>
> From the logs it looks like the required XFRM modules related to IPv6 support are not pre-loaded by strongSwan.
> Therefore I manually loaded the missing kernel modules related to XFRM6 viz. ah6, esp6, ipcomp6, xfrm6_tunnel, xfrm6_mode_tunnel, xfrm6_mode_transport, ip6_tunnel. However it didn't result in success of IPv6 SA download.
>
> Finally I built all the features recommended at https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules as statically-linked in kernel instead of as modules, and then the IPv6 SA download was successful with the new kernel.
>
> This makes me think auto-loading of IPv6-related xfrm modules is missing in strongSwan. I found the following lines in its source file src/starter/netkey.c
> ...
>
>     /* make sure that all required IPsec modules are loaded */
>     if (stat(PROC_MODULES, &stb) == 0)
>     {
>         ignore_result(system("modprobe -qv ah4"));
>         ignore_result(system("modprobe -qv esp4"));
>         ignore_result(system("modprobe -qv ipcomp"));
>         ignore_result(system("modprobe -qv xfrm4_tunnel"));
>         ignore_result(system("modprobe -qv xfrm_user"));
>     }
> ...
> Shouldn't it be doing modprobe for IPv6-related xfrm modules?
>
> Can someone point out the exact modules required to be loaded so that IPv6 SA download by charon succeeds?
>
> Thanks & regards,
> Sandesh Sawant
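
A check for the modules named in the quoted message, as an added example that is not part of the thread or of strongSwan: it reports each module as loaded (/proc/modules), built into the kernel (modules.builtin, the static build the poster ended up with) or missing, and extracts the failed SPIs from a charon log. Function names are hypothetical, and the module list is only the one given in the message, not a statement of which module supplies 4in6 support.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# Module names exactly as listed in the quoted message.
THREAD_MODULES="ah6 esp6 ipcomp6 xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport ip6_tunnel"

# module_state NAME PROC_MODULES_FILE MODULES_BUILTIN_FILE
# Prints "loaded", "builtin" or "missing".
module_state() {
    name=$(printf '%s\n' "$1" | sed 'y/-/_/')
    # /proc/modules: the first field is the module name (with underscores).
    if [ -r "$2" ] && awk -v m="$name" '$1 == m { f = 1 } END { exit !f }' "$2"; then
        echo loaded
        return 0
    fi
    # modules.builtin: one path per line, e.g. kernel/net/ipv6/esp6.ko.
    # Built-in code never shows up in /proc/modules, so check it separately.
    if [ -r "$3" ] && sed -e 's|.*/||' -e 's|\.ko.*$||' -e 'y/-/_/' "$3" |
        grep -qxF -- "$name"; then
        echo builtin
        return 0
    fi
    echo missing
}

# report PROC_MODULES_FILE MODULES_BUILTIN_FILE [MODULE...]
# Prints one "name state" line per module; returns 1 if any is missing.
report() {
    pm=$1; mb=$2; shift 2
    [ "$#" -gt 0 ] || set -- $THREAD_MODULES
    rc=0
    for m in "$@"; do
        st=$(module_state "$m" "$pm" "$mb")
        echo "$m $st"
        if [ "$st" = missing ]; then rc=1; fi
    done
    return "$rc"
}

# failed_spis LOGFILE
# SPIs from charon's "unable to add SAD entry with SPI ..." lines.
failed_spis() {
    sed -n 's/.*unable to add SAD entry with SPI \([0-9a-f]*\).*/\1/p' "$1"
}

# Inspect the running kernel only when invoked as: sh script.sh check
if [ "${1:-}" = check ]; then
    report /proc/modules "/lib/modules/$(uname -r)/modules.builtin"
fi
```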