[strongSwan] FW: Ubuntu 16: Received netlink error: Invalid Argument (22)

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Apr 19 15:29:39 CEST 2019


Hi,

You're going in circles. The certificate has nothing to do with this problem. It's not even remotely relevant, because the kernel never gets to see it and it's not supposed to anyway.

Please check if you have all relevant modules loaded (NOT built at buildtime. Those are two different things.) and please provide the complete log, as shown on the HelpRequests page.

Kind regards

Noel

Am 19.04.19 um 12:21 schrieb Jeroen Landheer:
>
> Hello everyone
>
>  
>
> I did some further investigation, it seems like the certificate isn’t the problem. I tried this with a certificate generated by the PKI tool, and the same messages are still in the log.
>
>  
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] assigning virtual IP 192.168.8.1 to peer '…'
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any6
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] no virtual IP found for %any6 requested by '…'
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI c53c8641
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI ab3a3b48
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>  
>
> So no old kernel, no certificate… what else can it be?
>
>  
>
> Kind regards,
>
>  
>
>  
>
> Jeroen.
>
>  
>
>  
>
>  
>
> *From:*Users <users-bounces at lists.strongswan.org> *On Behalf Of *Jeroen Landheer
> *Sent:* Friday, 19 April 2019 11:50
> *To:* Thomas Egerer <hakke_007 at gmx.de>; users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)
>
>  
>
> Thanks for the response Thomas
>
>  
>
> You’re right that this kernel is old, it’s Ubuntu 16.04 so I decided to replace that machine with the much newer Debian 9.8. I’m now on kernel version 4.9.0-8-amd64, but this hasn’t helped. I’m actually thinking this might have to do with the certificate I’m using, since the certificate was generated by a Microsoft Certificate Authority, not the internal PKI tools. I created the private key on the Debian machine using the ipsec pki tool, next I generated a certificate request using that same tool and used this request to let my CA issue a certificate.
>
>  
>
> Here’s some info about the certificate, using the certutil tool on Windows:
>
>  
>
> X509 Certificate:
>
> Version: 3
>
> Serial Number: 38000000bda7de55e826a360e20000000000bd
>
> Signature Algorithm:
>
>     Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
>
>     Algorithm Parameters:
>
>     05 00
>
> Issuer:
>
>     CN=…
>
>   Name Hash(sha1): 02de19ec77e1b73e3ee81fbf33040929b61510af
>
>   Name Hash(md5): 2507479912498e5c82c4d715d6f2b36f
>
>  
>
> NotBefore: 18/04/2019 17:11
>
> NotAfter: 17/04/2021 17:11
>
>  
>
> Subject:
>
>     CN=Company Firewall
>
>     O=Company
>
>   Name Hash(sha1): c1ecb37bbdab3a3e5fd38af556ea105228b463f1
>
>   Name Hash(md5): bc0ce29929023983b116aef799b85701
>
>  
>
> Public Key Algorithm:
>
>     Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
>
>     Algorithm Parameters:
>
>     05 00
>
> Public Key Length: 4096 bits
>
> Public Key: UnusedBits = 0
>
>     0000  30 82 02 0a 02 82 02 01  00 a1 ea 0d 54 16 07 92
>
>     0010  d9 57 cc 5f 64 1e 6e 03  45 98 ce 23 83 7d 38 a2
>
>>
>     01f0  cb 03 95 87 f5 05 f3 09  58 b4 37 52 69 0d 75 e2
>
>     0200  59 c7 55 53 8c bc 31 0f  55 02 03 01 00 01
>
> Certificate Extensions: 9
>
>     2.5.29.17: Flags = 0, Length = 3e
>
>     Subject Alternative Name
>
>         DNS Name=…
>
>         DNS Name=…
>
>         DNS Name=…
>
>  
>
>     2.5.29.14: Flags = 0, Length = 16
>
>     Subject Key Identifier
>
>         18ac7e7d52238f02579e8190ea68f3ce283d9d77
>
>  
>
>     2.5.29.35: Flags = 0, Length = 18
>
>     Authority Key Identifier
>
>         KeyID=82785767ff34df9161f00a37dc4df7a9d387732b
>
>  
>
>     2.5.29.31: Flags = 0, Length = 59
>
>     CRL Distribution Points
>
>         [1]CRL Distribution Point
>
>              Distribution Point Name:
>
>                   Full Name:
>
>                        URL=…..
>
>  
>
>     1.3.6.1.5.5.7.1.1: Flags = 0, Length = 91
>
>     Authority Information Access
>
>         [1]Authority Info Access
>
>              Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
>
>              Alternative Name:
>
>                   URL=…
>
>         [2]Authority Info Access
>
>              Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
>
>              Alternative Name:
>
>                   URL=…
>
>  
>
>     2.5.29.15: Flags = 1(Critical), Length = 4
>
>     Key Usage
>
>         Digital Signature, Key Encipherment (a0)
>
>  
>
>     1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
>
>     Certificate Template Information
>
>         Template=VPN Server(1.3.6.1.4.1.311.21.8.7409278.1580920.3752321.8005686.9414170.164.2713793.11843046)
>
>         Major Version Number=100
>
>         Minor Version Number=5
>
>  
>
>     2.5.29.37: Flags = 0, Length = 20
>
>     Enhanced Key Usage
>
>         Server Authentication (1.3.6.1.5.5.7.3.1)
>
>         IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>
>         Client Authentication (1.3.6.1.5.5.7.3.2)
>
>  
>
>     1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
>
>     Application Policies
>
>         [1]Application Certificate Policy:
>
>              Policy Identifier=Server Authentication
>
>         [2]Application Certificate Policy:
>
>              Policy Identifier=IP security IKE intermediate
>
>         [3]Application Certificate Policy:
>
>              Policy Identifier=Client Authentication
>
>  
>
> Signature Algorithm:
>
>     Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
>
>     Algorithm Parameters:
>
>     05 00
>
> Signature: UnusedBits=0
>
>     0000  53 a4 15 5f fa 88 1e 76  7f af e3 d9 94 bb 0f 05
>
>     0010  5e 55 fa b8 c1 58 78 bf  78 71 1f 8c aa 89 83 14
>
>>
>     00e0  fb 7f 80 fd aa cf 5f 7d  ba c6 e8 05 93 0c 76 78
>
>     00f0  9b da 12 bd 49 43 33 00  fe 97 c0 e9 c5 b7 20 18
>
> Non-root Certificate
>
> Key Id Hash(rfc-sha1): 18ac7e7d52238f02579e8190ea68f3ce283d9d77
>
> Key Id Hash(sha1): 0dd4d49ae7cb0a17cba19871b82a0e90a86ce5f7
>
> Key Id Hash(bcrypt-sha1): df7f493937a1b175d83b27935f7ea1528bfd73ff
>
> Key Id Hash(bcrypt-sha256): ed3bcef6c9c725b72a26a658ee8037533b1046724a75772ce10ee83b80ed547f
>
> Key Id Hash(md5): 89d062523ffb9998f9617e1c58d51bfc
>
> Key Id Hash(sha256): f4a7bd1e71d1c6422eca8fdcdfb3c8c184e72cb8bbbe242de97a2c3c68698d1b
>
> Key Id Hash(pin-sha256): nO3Yrqy2aZhe9UfSwzGkWGWOF9GhThXmWaBjUGU/y3s=
>
> Key Id Hash(pin-sha256-hex): 9cedd8aeacb669985ef547d2c331a458658e17d1a14e15e659a06350653fcb7b
>
> Cert Hash(md5): ac80ead487d9100456004dfb8bf63a4d
>
> Cert Hash(sha1): 421247d634be3256c9a2112eee82dc85bfc63b95
>
> Cert Hash(sha256): c4c563b0b0a76f59ddfdee044c75f0550b9b02e24065cb2b0bddd755641fb8ee
>
> Signature Hash: 5384636758d9dffcc8bdc722c0deafa0e573ce7f51e5b3f87439f21a2f2d9af1
>
>  
>
> Using openssl x509 -in certfile.crt -text -noout yields the same results.
>
>  
>
> When I generate a CA certificate + a server certificate simply using the PKI tools, this yields a certificate with SHA384RSA instead of a SHA256RSA cert.
>
> Could this be part of the issue, or am I missing something else?
>
>  
>
> Kind regards,
>
>  
>
>  
>
> Jeroen.
>
>  
>
>  
>
> *From:*Thomas Egerer <hakke_007 at gmx.de <mailto:hakke_007 at gmx.de>>
> *Sent:* Wednesday, 17 April 2019 20:07
> *To:* Jeroen Landheer <jlandheer at bintelligence.nl <mailto:jlandheer at bintelligence.nl>>; users at lists.strongswan.org <mailto:users at lists.strongswan.org>
> *Subject:* Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)
>
>  
>
> Hi Jeroen,
>
> don't use that antique kernel unless you have to. Sounds like the IV generator issue from [1]:
> <quote>
> Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
> </quote>
>
> Hth
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <jlandheer at bintelligence.nl <mailto:jlandheer at bintelligence.nl>> wrote:
>
>     This apears in my log file:
>
>      
>
>     Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1 to peer 'jlan--------------e.nl'
>
>     Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
>
>     Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI cf789c5c
>
>     Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
>
>     Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI b651e5ec
>
>     Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>      
>
>     It seems that somehow strongswan can't assign a virtual IP address to the peer. 
>
>      
>
>     Config:
>
>      
>
>     config setup
>
>             charondebug="all"
>
>             uniqueids=no
>
>      
>
>     conn ikev2-vpn
>
>         auto=add
>
>         compress=no
>
>         type=tunnel
>
>         keyexchange=ikev2
>
>         fragmentation=yes
>
>         forceencaps=yes
>
>         ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>
>         esp=aes256-sha1,3des-sha1!
>
>         dpdaction=clear
>
>         dpddelay=300s
>
>         rekey=no
>
>         left=%any
>
>         leftid=@vpn.-------------.---o <mailto:leftid=@vpn.-------------.---o>
>
>         leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>
>         leftsendcert=always
>
>         leftsubnet=0.0.0.0/0,::/0
>
>         right=%any
>
>         rightid=%any
>
>         rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
>
>         rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
>
>         rightsendcert=never
>
>         rightauth=eap-mschapv2
>
>         eap_identity=%identity
>
>      
>
>     If I run the check script for the kernel modules, I get this: (this is basically a standard ubuntu setup)
>
>      
>
>     CONFIG_XFRM_USER=m
>
>     CONFIG_NET_KEY=m
>
>     # CONFIG_NET_KEY_MIGRATE is not set
>
>     CONFIG_INET=y
>
>     CONFIG_INET_AH=m
>
>     CONFIG_INET_ESP=m
>
>     CONFIG_INET_IPCOMP=m
>
>     CONFIG_INET_XFRM_TUNNEL=m
>
>     CONFIG_INET_TUNNEL=m
>
>     CONFIG_INET_XFRM_MODE_TRANSPORT=m
>
>     CONFIG_INET_XFRM_MODE_TUNNEL=m
>
>     CONFIG_INET_XFRM_MODE_BEET=m
>
>     CONFIG_INET_LRO=y
>
>     CONFIG_INET_DIAG=m
>
>     CONFIG_INET_TCP_DIAG=m
>
>     CONFIG_INET_UDP_DIAG=m
>
>     CONFIG_INET6_AH=m
>
>     CONFIG_INET6_ESP=m
>
>     CONFIG_INET6_IPCOMP=m
>
>     CONFIG_INET6_XFRM_TUNNEL=m
>
>     CONFIG_INET6_TUNNEL=m
>
>     CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>
>     CONFIG_INET6_XFRM_MODE_TUNNEL=m
>
>     CONFIG_INET6_XFRM_MODE_BEET=m
>
>     CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
>
>     CONFIG_INET_DCCP_DIAG=m
>
>     CONFIG_IP_ADVANCED_ROUTER=y
>
>     CONFIG_IP_MULTIPLE_TABLES=y
>
>     CONFIG_INET_AH=m
>
>     CONFIG_INET_ESP=m
>
>     CONFIG_INET_IPCOMP=m
>
>     CONFIG_INET_XFRM_MODE_TRANSPORT=m
>
>     CONFIG_INET_XFRM_MODE_TUNNEL=m
>
>     CONFIG_INET_XFRM_MODE_BEET=m
>
>     CONFIG_IPV6=y
>
>     CONFIG_IPV6_ROUTER_PREF=y
>
>     CONFIG_IPV6_ROUTE_INFO=y
>
>     # CONFIG_IPV6_OPTIMISTIC_DAD is not set
>
>     CONFIG_IPV6_MIP6=m
>
>     CONFIG_IPV6_ILA=m
>
>     CONFIG_IPV6_VTI=m
>
>     CONFIG_IPV6_SIT=m
>
>     CONFIG_IPV6_SIT_6RD=y
>
>     CONFIG_IPV6_NDISC_NODETYPE=y
>
>     CONFIG_IPV6_TUNNEL=m
>
>     CONFIG_IPV6_GRE=m
>
>     CONFIG_IPV6_MULTIPLE_TABLES=y
>
>     CONFIG_IPV6_SUBTREES=y
>
>     CONFIG_IPV6_MROUTE=y
>
>     CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
>
>     CONFIG_IPV6_PIMSM_V2=y
>
>     CONFIG_INET6_AH=m
>
>     CONFIG_INET6_ESP=m
>
>     CONFIG_INET6_IPCOMP=m
>
>     CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>
>     CONFIG_INET6_XFRM_MODE_TUNNEL=m
>
>     CONFIG_INET6_XFRM_MODE_BEET=m
>
>     CONFIG_IPV6_MULTIPLE_TABLES=y
>
>     CONFIG_NETFILTER=y
>
>     # CONFIG_NETFILTER_DEBUG is not set
>
>     CONFIG_NETFILTER_ADVANCED=y
>
>     CONFIG_NETFILTER_INGRESS=y
>
>     CONFIG_NETFILTER_NETLINK=m
>
>     CONFIG_NETFILTER_NETLINK_ACCT=m
>
>     CONFIG_NETFILTER_NETLINK_QUEUE=m
>
>     CONFIG_NETFILTER_NETLINK_LOG=m
>
>     CONFIG_NETFILTER_NETLINK_GLUE_CT=y
>
>     CONFIG_NETFILTER_SYNPROXY=m
>
>     CONFIG_NETFILTER_XTABLES=m
>
>     CONFIG_NETFILTER_XT_MARK=m
>
>     CONFIG_NETFILTER_XT_CONNMARK=m
>
>     CONFIG_NETFILTER_XT_SET=m
>
>     CONFIG_NETFILTER_XT_TARGET_AUDIT=m
>
>     CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
>
>     CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
>
>     CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
>
>     CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
>
>     CONFIG_NETFILTER_XT_TARGET_CT=m
>
>     CONFIG_NETFILTER_XT_TARGET_DSCP=m
>
>     CONFIG_NETFILTER_XT_TARGET_HL=m
>
>     CONFIG_NETFILTER_XT_TARGET_HMARK=m
>
>     CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
>
>     CONFIG_NETFILTER_XT_TARGET_LED=m
>
>     CONFIG_NETFILTER_XT_TARGET_LOG=m
>
>     CONFIG_NETFILTER_XT_TARGET_MARK=m
>
>     CONFIG_NETFILTER_XT_NAT=m
>
>     CONFIG_NETFILTER_XT_TARGET_NETMAP=m
>
>     CONFIG_NETFILTER_XT_TARGET_NFLOG=m
>
>     CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
>
>     # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
>
>     CONFIG_NETFILTER_XT_TARGET_RATEEST=m
>
>     CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
>
>     CONFIG_NETFILTER_XT_TARGET_TEE=m
>
>     CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>
>     CONFIG_NETFILTER_XT_TARGET_TRACE=m
>
>     CONFIG_NETFILTER_XT_TARGET_SECMARK=m
>
>     CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
>
>     CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
>
>     CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
>
>     CONFIG_NETFILTER_XT_MATCH_BPF=m
>
>     CONFIG_NETFILTER_XT_MATCH_CGROUP=m
>
>     CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
>
>     CONFIG_NETFILTER_XT_MATCH_COMMENT=m
>
>     CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
>
>     CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
>
>     CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
>
>     CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
>
>     CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
>
>     CONFIG_NETFILTER_XT_MATCH_CPU=m
>
>     CONFIG_NETFILTER_XT_MATCH_DCCP=m
>
>     CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
>
>     CONFIG_NETFILTER_XT_MATCH_DSCP=m
>
>     CONFIG_NETFILTER_XT_MATCH_ECN=m
>
>     CONFIG_NETFILTER_XT_MATCH_ESP=m
>
>     CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
>
>     CONFIG_NETFILTER_XT_MATCH_HELPER=m
>
>     CONFIG_NETFILTER_XT_MATCH_HL=m
>
>     CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
>
>     CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
>
>     CONFIG_NETFILTER_XT_MATCH_IPVS=m
>
>     CONFIG_NETFILTER_XT_MATCH_L2TP=m
>
>     CONFIG_NETFILTER_XT_MATCH_LENGTH=m
>
>     CONFIG_NETFILTER_XT_MATCH_LIMIT=m
>
>     CONFIG_NETFILTER_XT_MATCH_MAC=m
>
>     CONFIG_NETFILTER_XT_MATCH_MARK=m
>
>     CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
>
>     CONFIG_NETFILTER_XT_MATCH_NFACCT=m
>
>     CONFIG_NETFILTER_XT_MATCH_OSF=m
>
>     CONFIG_NETFILTER_XT_MATCH_OWNER=m
>
>     CONFIG_NETFILTER_XT_MATCH_POLICY=m
>
>     CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
>
>     CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
>
>     CONFIG_NETFILTER_XT_MATCH_QUOTA=m
>
>     CONFIG_NETFILTER_XT_MATCH_RATEEST=m
>
>     CONFIG_NETFILTER_XT_MATCH_REALM=m
>
>     CONFIG_NETFILTER_XT_MATCH_RECENT=m
>
>     CONFIG_NETFILTER_XT_MATCH_SCTP=m
>
>     CONFIG_NETFILTER_XT_MATCH_SOCKET=m
>
>     CONFIG_NETFILTER_XT_MATCH_STATE=m
>
>     CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
>
>     CONFIG_NETFILTER_XT_MATCH_STRING=m
>
>     CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
>
>     CONFIG_NETFILTER_XT_MATCH_TIME=m
>
>     CONFIG_NETFILTER_XT_MATCH_U32=m
>
>     CONFIG_NETFILTER_XTABLES=m
>
>     CONFIG_NETFILTER_XT_MATCH_POLICY=m
>
>      
>
>      
>
>     Kernel version: 4.4.0-145-generic
>
>      
>
>     Any idea how to diagnose this issue?
>
>      
>
>     Kind regards,
>
>      
>
>      
>
>     Jeroen. 
>
>      
>
>
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20190419/eb4c4d0c/attachment.sig>


More information about the Users mailing list