[strongSwan] FW: Ubuntu 16: Received netlink error: Invalid Argument (22)

[Jeroen Landheer]

Hello everyone

I did some further investigation, it seems like the certificate isn’t the problem. I tried this with a certificate generated by the PKI tool, and the same messages are still in the log.

Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any
Apr 19 12:15:07 fwhq05 charon: 08[IKE] assigning virtual IP 192.168.8.1 to peer '…'
Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any6
Apr 19 12:15:07 fwhq05 charon: 08[IKE] no virtual IP found for %any6 requested by '…'
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI c53c8641
Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI ab3a3b48
Apr 19 12:15:07 fwhq05 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

So no old kernel, no certificate… what else can it be?

Kind regards,


Jeroen.



From: Users <users-bounces at lists.strongswan.org> On Behalf Of Jeroen Landheer
Sent: Friday, 19 April 2019 11:50
To: Thomas Egerer <hakke_007 at gmx.de>; users at lists.strongswan.org
Subject: Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)

Thanks for the response Thomas

You’re right that this kernel is old, it’s Ubuntu 16.04 so I decided to replace that machine with the much newer Debian 9.8. I’m now on kernel version 4.9.0-8-amd64, but this hasn’t helped. I’m actually thinking this might have to do with the certificate I’m using, since the certificate was generated by a Microsoft Certificate Authority, not the internal PKI tools. I created the private key on the Debian machine using the ipsec pki tool, next I generated a certificate request using that same tool and used this request to let my CA issue a certificate.

Here’s some info about the certificate, using the certutil tool on Windows:

X509 Certificate:
Version: 3
Serial Number: 38000000bda7de55e826a360e20000000000bd
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    CN=…
  Name Hash(sha1): 02de19ec77e1b73e3ee81fbf33040929b61510af
  Name Hash(md5): 2507479912498e5c82c4d715d6f2b36f

NotBefore: 18/04/2019 17:11
NotAfter: 17/04/2021 17:11

Subject:
    CN=Company Firewall
    O=Company
  Name Hash(sha1): c1ecb37bbdab3a3e5fd38af556ea105228b463f1
  Name Hash(md5): bc0ce29929023983b116aef799b85701

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 4096 bits
Public Key: UnusedBits = 0
    0000  30 82 02 0a 02 82 02 01  00 a1 ea 0d 54 16 07 92
    0010  d9 57 cc 5f 64 1e 6e 03  45 98 ce 23 83 7d 38 a2
…
    01f0  cb 03 95 87 f5 05 f3 09  58 b4 37 52 69 0d 75 e2
    0200  59 c7 55 53 8c bc 31 0f  55 02 03 01 00 01
Certificate Extensions: 9
    2.5.29.17: Flags = 0, Length = 3e
    Subject Alternative Name
        DNS Name=…
        DNS Name=…
        DNS Name=…

    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        18ac7e7d52238f02579e8190ea68f3ce283d9d77

    2.5.29.35: Flags = 0, Length = 18
    Authority Key Identifier
        KeyID=82785767ff34df9161f00a37dc4df7a9d387732b

    2.5.29.31: Flags = 0, Length = 59
    CRL Distribution Points
        [1]CRL Distribution Point
             Distribution Point Name:
                  Full Name:
                       URL=…..

    1.3.6.1.5.5.7.1.1: Flags = 0, Length = 91
    Authority Information Access
        [1]Authority Info Access
             Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
             Alternative Name:
                  URL=…
        [2]Authority Info Access
             Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
             Alternative Name:
                  URL=…

    2.5.29.15: Flags = 1(Critical), Length = 4
    Key Usage
        Digital Signature, Key Encipherment (a0)

    1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
    Certificate Template Information
        Template=VPN Server(1.3.6.1.4.1.311.21.8.7409278.1580920.3752321.8005686.9414170.164.2713793.11843046)
        Major Version Number=100
        Minor Version Number=5

    2.5.29.37: Flags = 0, Length = 20
    Enhanced Key Usage
        Server Authentication (1.3.6.1.5.5.7.3.1)
        IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
        Client Authentication (1.3.6.1.5.5.7.3.2)

    1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
    Application Policies
        [1]Application Certificate Policy:
             Policy Identifier=Server Authentication
        [2]Application Certificate Policy:
             Policy Identifier=IP security IKE intermediate
        [3]Application Certificate Policy:
             Policy Identifier=Client Authentication

Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000  53 a4 15 5f fa 88 1e 76  7f af e3 d9 94 bb 0f 05
    0010  5e 55 fa b8 c1 58 78 bf  78 71 1f 8c aa 89 83 14
…
    00e0  fb 7f 80 fd aa cf 5f 7d  ba c6 e8 05 93 0c 76 78
    00f0  9b da 12 bd 49 43 33 00  fe 97 c0 e9 c5 b7 20 18
Non-root Certificate
Key Id Hash(rfc-sha1): 18ac7e7d52238f02579e8190ea68f3ce283d9d77
Key Id Hash(sha1): 0dd4d49ae7cb0a17cba19871b82a0e90a86ce5f7
Key Id Hash(bcrypt-sha1): df7f493937a1b175d83b27935f7ea1528bfd73ff
Key Id Hash(bcrypt-sha256): ed3bcef6c9c725b72a26a658ee8037533b1046724a75772ce10ee83b80ed547f
Key Id Hash(md5): 89d062523ffb9998f9617e1c58d51bfc
Key Id Hash(sha256): f4a7bd1e71d1c6422eca8fdcdfb3c8c184e72cb8bbbe242de97a2c3c68698d1b
Key Id Hash(pin-sha256): nO3Yrqy2aZhe9UfSwzGkWGWOF9GhThXmWaBjUGU/y3s=
Key Id Hash(pin-sha256-hex): 9cedd8aeacb669985ef547d2c331a458658e17d1a14e15e659a06350653fcb7b
Cert Hash(md5): ac80ead487d9100456004dfb8bf63a4d
Cert Hash(sha1): 421247d634be3256c9a2112eee82dc85bfc63b95
Cert Hash(sha256): c4c563b0b0a76f59ddfdee044c75f0550b9b02e24065cb2b0bddd755641fb8ee
Signature Hash: 5384636758d9dffcc8bdc722c0deafa0e573ce7f51e5b3f87439f21a2f2d9af1

Using openssl x509 -in certfile.crt -text -noout yields the same results.

When I generate a CA certificate + a server certificate simply using the PKI tools, this yields a certificate with SHA384RSA instead of a SHA256RSA cert.
Could this be part of the issue, or am I missing something else?

Kind regards,


Jeroen.


From: Thomas Egerer <hakke_007 at gmx.de<mailto:hakke_007 at gmx.de>>
Sent: Wednesday, 17 April 2019 20:07
To: Jeroen Landheer <jlandheer at bintelligence.nl<mailto:jlandheer at bintelligence.nl>>; users at lists.strongswan.org<mailto:users at lists.strongswan.org>
Subject: Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)

Hi Jeroen,

don't use that antique kernel unless you have to. Sounds like the IV generator issue from [1]:
<quote>
Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
</quote>

Hth
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <jlandheer at bintelligence.nl<mailto:jlandheer at bintelligence.nl>> wrote:
This apears in my log file:

Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1 to peer 'jlan--------------e.nl'
Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI cf789c5c
Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI b651e5ec
Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

It seems that somehow strongswan can't assign a virtual IP address to the peer.

Config:

config setup
        charondebug="all"
        uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=@vpn.-------------.---o<mailto:leftid=@vpn.-------------.---o>
    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0,::/0
    right=%any
    rightid=%any
    rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
    rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
    rightsendcert=never
    rightauth=eap-mschapv2
    eap_identity=%identity

If I run the check script for the kernel modules, I get this: (this is basically a standard ubuntu setup)

CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=y
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_ILA=m
CONFIG_IPV6_VTI=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
CONFIG_IPV6_GRE=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_INGRESS=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_GLUE_CT=y
CONFIG_NETFILTER_SYNPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_NAT=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
# CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CGROUP=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_L2TP=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m


Kernel version: 4.4.0-145-generic

Any idea how to diagnose this issue?

Kind regards,


Jeroen.


--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190419/554d91e8/attachment-0001.html>