[strongSwan] FW: Ubuntu 16: Received netlink error: Invalid Argument (22)
Jeroen Landheer
jlandheer at bintelligence.nl
Fri Apr 19 12:21:19 CEST 2019
Hello everyone
I did some further investigation, it seems like the certificate isn’t the problem. I tried this with a certificate generated by the PKI tool, and the same messages are still in the log.
Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any
Apr 19 12:15:07 fwhq05 charon: 08[IKE] assigning virtual IP 192.168.8.1 to peer '…'
Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any6
Apr 19 12:15:07 fwhq05 charon: 08[IKE] no virtual IP found for %any6 requested by '…'
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI c53c8641
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI ab3a3b48
Apr 19 12:15:07 fwhq05 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
So no old kernel, no certificate… what else can it be?
Kind regards,
Jeroen.
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Jeroen Landheer
Sent: Friday, 19 April 2019 11:50
To: Thomas Egerer <hakke_007 at gmx.de>; users at lists.strongswan.org
Subject: Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)
Thanks for the response Thomas
You’re right that this kernel is old, it’s Ubuntu 16.04 so I decided to replace that machine with the much newer Debian 9.8. I’m now on kernel version 4.9.0-8-amd64, but this hasn’t helped. I’m actually thinking this might have to do with the certificate I’m using, since the certificate was generated by a Microsoft Certificate Authority, not the internal PKI tools. I created the private key on the Debian machine using the ipsec pki tool, next I generated a certificate request using that same tool and used this request to let my CA issue a certificate.
Here’s some info about the certificate, using the certutil tool on Windows:
X509 Certificate:
Version: 3
Serial Number: 38000000bda7de55e826a360e20000000000bd
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Issuer:
CN=…
Name Hash(sha1): 02de19ec77e1b73e3ee81fbf33040929b61510af
Name Hash(md5): 2507479912498e5c82c4d715d6f2b36f
NotBefore: 18/04/2019 17:11
NotAfter: 17/04/2021 17:11
Subject:
CN=Company Firewall
O=Company
Name Hash(sha1): c1ecb37bbdab3a3e5fd38af556ea105228b463f1
Name Hash(md5): bc0ce29929023983b116aef799b85701
Public Key Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
Algorithm Parameters:
05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
0000 30 82 02 0a 02 82 02 01 00 a1 ea 0d 54 16 07 92
0010 d9 57 cc 5f 64 1e 6e 03 45 98 ce 23 83 7d 38 a2
…
01f0 cb 03 95 87 f5 05 f3 09 58 b4 37 52 69 0d 75 e2
0200 59 c7 55 53 8c bc 31 0f 55 02 03 01 00 01
Certificate Extensions: 9
2.5.29.17: Flags = 0, Length = 3e
Subject Alternative Name
DNS Name=…
DNS Name=…
DNS Name=…
2.5.29.14: Flags = 0, Length = 16
Subject Key Identifier
18ac7e7d52238f02579e8190ea68f3ce283d9d77
2.5.29.35: Flags = 0, Length = 18
Authority Key Identifier
KeyID=82785767ff34df9161f00a37dc4df7a9d387732b
2.5.29.31: Flags = 0, Length = 59
CRL Distribution Points
[1]CRL Distribution Point
Distribution Point Name:
Full Name:
URL=…..
1.3.6.1.5.5.7.1.1: Flags = 0, Length = 91
Authority Information Access
[1]Authority Info Access
Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
Alternative Name:
URL=…
[2]Authority Info Access
Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
Alternative Name:
URL=…
2.5.29.15: Flags = 1(Critical), Length = 4
Key Usage
Digital Signature, Key Encipherment (a0)
1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
Certificate Template Information
Template=VPN Server(1.3.6.1.4.1.311.21.8.7409278.1580920.3752321.8005686.9414170.164.2713793.11843046)
Major Version Number=100
Minor Version Number=5
2.5.29.37: Flags = 0, Length = 20
Enhanced Key Usage
Server Authentication (1.3.6.1.5.5.7.3.1)
IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
Client Authentication (1.3.6.1.5.5.7.3.2)
1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
Application Policies
[1]Application Certificate Policy:
Policy Identifier=Server Authentication
[2]Application Certificate Policy:
Policy Identifier=IP security IKE intermediate
[3]Application Certificate Policy:
Policy Identifier=Client Authentication
Signature Algorithm:
Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
Algorithm Parameters:
05 00
Signature: UnusedBits=0
0000 53 a4 15 5f fa 88 1e 76 7f af e3 d9 94 bb 0f 05
0010 5e 55 fa b8 c1 58 78 bf 78 71 1f 8c aa 89 83 14
…
00e0 fb 7f 80 fd aa cf 5f 7d ba c6 e8 05 93 0c 76 78
00f0 9b da 12 bd 49 43 33 00 fe 97 c0 e9 c5 b7 20 18
Non-root Certificate
Key Id Hash(rfc-sha1): 18ac7e7d52238f02579e8190ea68f3ce283d9d77
Key Id Hash(sha1): 0dd4d49ae7cb0a17cba19871b82a0e90a86ce5f7
Key Id Hash(bcrypt-sha1): df7f493937a1b175d83b27935f7ea1528bfd73ff
Key Id Hash(bcrypt-sha256): ed3bcef6c9c725b72a26a658ee8037533b1046724a75772ce10ee83b80ed547f
Key Id Hash(md5): 89d062523ffb9998f9617e1c58d51bfc
Key Id Hash(sha256): f4a7bd1e71d1c6422eca8fdcdfb3c8c184e72cb8bbbe242de97a2c3c68698d1b
Key Id Hash(pin-sha256): nO3Yrqy2aZhe9UfSwzGkWGWOF9GhThXmWaBjUGU/y3s=
Key Id Hash(pin-sha256-hex): 9cedd8aeacb669985ef547d2c331a458658e17d1a14e15e659a06350653fcb7b
Cert Hash(md5): ac80ead487d9100456004dfb8bf63a4d
Cert Hash(sha1): 421247d634be3256c9a2112eee82dc85bfc63b95
Cert Hash(sha256): c4c563b0b0a76f59ddfdee044c75f0550b9b02e24065cb2b0bddd755641fb8ee
Signature Hash: 5384636758d9dffcc8bdc722c0deafa0e573ce7f51e5b3f87439f21a2f2d9af1
Using openssl x509 -in certfile.crt -text -noout yields the same results.
When I generate a CA certificate + a server certificate simply using the PKI tools, this yields a certificate with SHA384RSA instead of a SHA256RSA cert.
Could this be part of the issue, or am I missing something else?
Kind regards,
Jeroen.
From: Thomas Egerer <hakke_007 at gmx.de<mailto:hakke_007 at gmx.de>>
Sent: Wednesday, 17 April 2019 20:07
To: Jeroen Landheer <jlandheer at bintelligence.nl<mailto:jlandheer at bintelligence.nl>>; users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)
Hi Jeroen,
don't use that antique kernel unless you have to. Sounds like the IV generator issue from [1]:
<quote>
Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
</quote>
Hth
Thomas
[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <jlandheer at bintelligence.nl<mailto:jlandheer at bintelligence.nl>> wrote:
This apears in my log file:
Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1 to peer 'jlan--------------e.nl'
Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI cf789c5c
Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI b651e5ec
Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
It seems that somehow strongswan can't assign a virtual IP address to the peer.
Config:
config setup
charondebug="all"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=@vpn.-------------.---o<mailto:leftid=@vpn.-------------.---o>
leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0,::/0
right=%any
rightid=%any
rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
rightsendcert=never
rightauth=eap-mschapv2
eap_identity=%identity
If I run the check script for the kernel modules, I get this: (this is basically a standard ubuntu setup)
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_ILA=m
CONFIG_IPV6_VTI=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
Kernel version: 4.4.0-145-generic
Any idea how to diagnose this issue?
Kind regards,
Jeroen.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190419/554d91e8/attachment-0001.html>
More information about the Users
mailing list