[strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)

Thomas Egerer hakke_007 at gmx.de
Wed Apr 17 20:07:23 CEST 2019


Hi Jeroen,

don't use that antique kernel unless you have to. 4.4.0-145 falls squarely into the 4.2-4.5 range, and both of your esp proposals (aes256-sha1 and 3des-sha1) are CBC ciphers, so the EINVAL the kernel returns when charon tries to add the two SAD entries sounds like the IV generator issue from [1]:
<quote>
Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
</quote>
AFAIK that Kconfig prompt is CONFIG_CRYPTO_ECHAINIV (module echainiv). Note that the check-script output you pasted only covers the XFRM/netfilter options, not CONFIG_CRYPTO_*, so it neither confirms nor rules this out; check `grep CONFIG_CRYPTO_ECHAINIV /boot/config-$(uname -r)` and `lsmod | grep echainiv`, and load the module if it is built but not loaded. Independently of this bug: with the trailing `!` your proposals only ever offer modp1024, 3DES and SHA-1, all of which are considered weak today. Switching to an AEAD such as aes256gcm16 with a stronger DH group (ecp256 or modp2048 and up) both sidesteps the CBC-only IV generator problem and fixes that.

Hth
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <jlandheer at bintelligence.nl> wrote:
>This apears in my log file:
>
>Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1
>to peer 'jlan--------------e.nl'
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid
>argument (22)
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI
>cf789c5c
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid
>argument (22)
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI
>b651e5ec
>Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and
>outbound IPsec SA (SAD) in kernel
>
>It seems that the virtual IP itself is assigned fine (first line above);
>what fails afterwards is installing the inbound/outbound IPsec SAs, which
>the kernel rejects with EINVAL for both SAD entries.
>
>Config:
>
>config setup
>        charondebug="all"
>        uniqueids=no
>
>conn ikev2-vpn
>    auto=add
>    compress=no
>    type=tunnel
>    keyexchange=ikev2
>    fragmentation=yes
>    forceencaps=yes
>    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>    esp=aes256-sha1,3des-sha1!
>    dpdaction=clear
>    dpddelay=300s
>    rekey=no
>    left=%any
>    leftid=@vpn.-------------.---o
>    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>    leftsendcert=always
>    leftsubnet=0.0.0.0/0,::/0
>    right=%any
>    rightid=%any
> rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
>    rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
>    rightsendcert=never
>    rightauth=eap-mschapv2
>    eap_identity=%identity
>
>If I run the check script for the kernel modules, I get this: (this is
>basically a standard ubuntu setup)
>
>CONFIG_XFRM_USER=m
>CONFIG_NET_KEY=m
># CONFIG_NET_KEY_MIGRATE is not set
>CONFIG_INET=y
>CONFIG_INET_AH=m
>CONFIG_INET_ESP=m
>CONFIG_INET_IPCOMP=m
>CONFIG_INET_XFRM_TUNNEL=m
>CONFIG_INET_TUNNEL=m
>CONFIG_INET_XFRM_MODE_TRANSPORT=m
>CONFIG_INET_XFRM_MODE_TUNNEL=m
>CONFIG_INET_XFRM_MODE_BEET=m
>CONFIG_INET_LRO=y
>CONFIG_INET_DIAG=m
>CONFIG_INET_TCP_DIAG=m
>CONFIG_INET_UDP_DIAG=m
>CONFIG_INET6_AH=m
>CONFIG_INET6_ESP=m
>CONFIG_INET6_IPCOMP=m
>CONFIG_INET6_XFRM_TUNNEL=m
>CONFIG_INET6_TUNNEL=m
>CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>CONFIG_INET6_XFRM_MODE_TUNNEL=m
>CONFIG_INET6_XFRM_MODE_BEET=m
>CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
>CONFIG_INET_DCCP_DIAG=m
>CONFIG_IP_ADVANCED_ROUTER=y
>CONFIG_IP_MULTIPLE_TABLES=y
>CONFIG_INET_AH=m
>CONFIG_INET_ESP=m
>CONFIG_INET_IPCOMP=m
>CONFIG_INET_XFRM_MODE_TRANSPORT=m
>CONFIG_INET_XFRM_MODE_TUNNEL=m
>CONFIG_INET_XFRM_MODE_BEET=m
>CONFIG_IPV6=y
>CONFIG_IPV6_ROUTER_PREF=y
>CONFIG_IPV6_ROUTE_INFO=y
># CONFIG_IPV6_OPTIMISTIC_DAD is not set
>CONFIG_IPV6_MIP6=m
>CONFIG_IPV6_ILA=m
>CONFIG_IPV6_VTI=m
>CONFIG_IPV6_SIT=m
>CONFIG_IPV6_SIT_6RD=y
>CONFIG_IPV6_NDISC_NODETYPE=y
>CONFIG_IPV6_TUNNEL=m
>CONFIG_IPV6_GRE=m
>CONFIG_IPV6_MULTIPLE_TABLES=y
>CONFIG_IPV6_SUBTREES=y
>CONFIG_IPV6_MROUTE=y
>CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
>CONFIG_IPV6_PIMSM_V2=y
>CONFIG_INET6_AH=m
>CONFIG_INET6_ESP=m
>CONFIG_INET6_IPCOMP=m
>CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>CONFIG_INET6_XFRM_MODE_TUNNEL=m
>CONFIG_INET6_XFRM_MODE_BEET=m
>CONFIG_IPV6_MULTIPLE_TABLES=y
>CONFIG_NETFILTER=y
># CONFIG_NETFILTER_DEBUG is not set
>CONFIG_NETFILTER_ADVANCED=y
>CONFIG_NETFILTER_INGRESS=y
>CONFIG_NETFILTER_NETLINK=m
>CONFIG_NETFILTER_NETLINK_ACCT=m
>CONFIG_NETFILTER_NETLINK_QUEUE=m
>CONFIG_NETFILTER_NETLINK_LOG=m
>CONFIG_NETFILTER_NETLINK_GLUE_CT=y
>CONFIG_NETFILTER_SYNPROXY=m
>CONFIG_NETFILTER_XTABLES=m
>CONFIG_NETFILTER_XT_MARK=m
>CONFIG_NETFILTER_XT_CONNMARK=m
>CONFIG_NETFILTER_XT_SET=m
>CONFIG_NETFILTER_XT_TARGET_AUDIT=m
>CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
>CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
>CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
>CONFIG_NETFILTER_XT_TARGET_CT=m
>CONFIG_NETFILTER_XT_TARGET_DSCP=m
>CONFIG_NETFILTER_XT_TARGET_HL=m
>CONFIG_NETFILTER_XT_TARGET_HMARK=m
>CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
>CONFIG_NETFILTER_XT_TARGET_LED=m
>CONFIG_NETFILTER_XT_TARGET_LOG=m
>CONFIG_NETFILTER_XT_TARGET_MARK=m
>CONFIG_NETFILTER_XT_NAT=m
>CONFIG_NETFILTER_XT_TARGET_NETMAP=m
>CONFIG_NETFILTER_XT_TARGET_NFLOG=m
>CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
># CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
>CONFIG_NETFILTER_XT_TARGET_RATEEST=m
>CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
>CONFIG_NETFILTER_XT_TARGET_TEE=m
>CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>CONFIG_NETFILTER_XT_TARGET_TRACE=m
>CONFIG_NETFILTER_XT_TARGET_SECMARK=m
>CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
>CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
>CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
>CONFIG_NETFILTER_XT_MATCH_BPF=m
>CONFIG_NETFILTER_XT_MATCH_CGROUP=m
>CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
>CONFIG_NETFILTER_XT_MATCH_COMMENT=m
>CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
>CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
>CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
>CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
>CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
>CONFIG_NETFILTER_XT_MATCH_CPU=m
>CONFIG_NETFILTER_XT_MATCH_DCCP=m
>CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
>CONFIG_NETFILTER_XT_MATCH_DSCP=m
>CONFIG_NETFILTER_XT_MATCH_ECN=m
>CONFIG_NETFILTER_XT_MATCH_ESP=m
>CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
>CONFIG_NETFILTER_XT_MATCH_HELPER=m
>CONFIG_NETFILTER_XT_MATCH_HL=m
>CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
>CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
>CONFIG_NETFILTER_XT_MATCH_IPVS=m
>CONFIG_NETFILTER_XT_MATCH_L2TP=m
>CONFIG_NETFILTER_XT_MATCH_LENGTH=m
>CONFIG_NETFILTER_XT_MATCH_LIMIT=m
>CONFIG_NETFILTER_XT_MATCH_MAC=m
>CONFIG_NETFILTER_XT_MATCH_MARK=m
>CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
>CONFIG_NETFILTER_XT_MATCH_NFACCT=m
>CONFIG_NETFILTER_XT_MATCH_OSF=m
>CONFIG_NETFILTER_XT_MATCH_OWNER=m
>CONFIG_NETFILTER_XT_MATCH_POLICY=m
>CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
>CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
>CONFIG_NETFILTER_XT_MATCH_QUOTA=m
>CONFIG_NETFILTER_XT_MATCH_RATEEST=m
>CONFIG_NETFILTER_XT_MATCH_REALM=m
>CONFIG_NETFILTER_XT_MATCH_RECENT=m
>CONFIG_NETFILTER_XT_MATCH_SCTP=m
>CONFIG_NETFILTER_XT_MATCH_SOCKET=m
>CONFIG_NETFILTER_XT_MATCH_STATE=m
>CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
>CONFIG_NETFILTER_XT_MATCH_STRING=m
>CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
>CONFIG_NETFILTER_XT_MATCH_TIME=m
>CONFIG_NETFILTER_XT_MATCH_U32=m
>CONFIG_NETFILTER_XTABLES=m
>CONFIG_NETFILTER_XT_MATCH_POLICY=m
>
>
>Kernel version: 4.4.0-145-generic
>
>Any idea how to diagnose this issue?
>
>Kind regards,
>
>
>Jeroen.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

