[strongSwan] FW: Ubuntu 16: Received netlink error: Invalid Argument (22)
Thomas Egerer
hakke_007 at gmx.de
Fri Apr 19 20:43:24 CEST 2019
Hi Jeroen,
On 4/19/19 12:21 PM, Jeroen Landheer wrote:
> Hello everyone
>
>
>
> I did some further investigation, it seems like the certificate isn’t the problem. I tried this with a certificate generated by the PKI tool, and the same messages are still in the log.
Yes, the cert can't be the problem. It's used to authenticate your peer,
whereas the area in which the error occurs is when charon tries to insert
the IPsec states into the kernel.
In the next step you should try to identify the negotiated algorithms.
Set the loglevel for facility 'knl' to 3, see [1] for advice on how to
do that. Also take a close look at your log, check for possible messages
issued by the kernel (trying to load modules etc).
Once we know what fails we can try to use iproute2 to mimic the state
insertion in the kernel and check whether it succeeds.
HTH
Thomas
[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
>
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] assigning virtual IP 192.168.8.1 to peer '…'
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] peer requested virtual IP %any6
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] no virtual IP found for %any6 requested by '…'
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI c53c8641
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] received netlink error: Invalid argument (22)
>
> Apr 19 12:15:07 fwhq05 charon: 08[KNL] unable to add SAD entry with SPI ab3a3b48
>
> Apr 19 12:15:07 fwhq05 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>
>
> So no old kernel, no certificate… what else can it be?
>
>
>
> Kind regards,
>
>
>
>
>
> Jeroen.
>
>
>
>
>
>
>
> *From:*Users <users-bounces at lists.strongswan.org> *On Behalf Of *Jeroen Landheer
> *Sent:* Friday, 19 April 2019 11:50
> *To:* Thomas Egerer <hakke_007 at gmx.de>; users at lists.strongswan.org
> *Subject:* Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)
>
>
>
> Thanks for the response Thomas
>
>
>
> You’re right that this kernel is old, it’s Ubuntu 16.04 so I decided to replace that machine with the much newer Debian 9.8. I’m now on kernel version 4.9.0-8-amd64, but this hasn’t helped. I’m actually thinking this might have to do with the certificate I’m using, since the certificate was generated by a Microsoft Certificate Authority, not the internal PKI tools. I created the private key on the Debian machine using the ipsec pki tool, next I generated a certificate request using that same tool and used this request to let my CA issue a certificate.
>
>
>
> Here’s some info about the certificate, using the certutil tool on Windows:
>
>
>
> X509 Certificate:
>
> Version: 3
>
> Serial Number: 38000000bda7de55e826a360e20000000000bd
>
> Signature Algorithm:
>
> Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
>
> Algorithm Parameters:
>
> 05 00
>
> Issuer:
>
> CN=…
>
> Name Hash(sha1): 02de19ec77e1b73e3ee81fbf33040929b61510af
>
> Name Hash(md5): 2507479912498e5c82c4d715d6f2b36f
>
>
>
> NotBefore: 18/04/2019 17:11
>
> NotAfter: 17/04/2021 17:11
>
>
>
> Subject:
>
> CN=Company Firewall
>
> O=Company
>
> Name Hash(sha1): c1ecb37bbdab3a3e5fd38af556ea105228b463f1
>
> Name Hash(md5): bc0ce29929023983b116aef799b85701
>
>
>
> Public Key Algorithm:
>
> Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
>
> Algorithm Parameters:
>
> 05 00
>
> Public Key Length: 4096 bits
>
> Public Key: UnusedBits = 0
>
> 0000 30 82 02 0a 02 82 02 01 00 a1 ea 0d 54 16 07 92
>
> 0010 d9 57 cc 5f 64 1e 6e 03 45 98 ce 23 83 7d 38 a2
>
> …
>
> 01f0 cb 03 95 87 f5 05 f3 09 58 b4 37 52 69 0d 75 e2
>
> 0200 59 c7 55 53 8c bc 31 0f 55 02 03 01 00 01
>
> Certificate Extensions: 9
>
> 2.5.29.17: Flags = 0, Length = 3e
>
> Subject Alternative Name
>
> DNS Name=…
>
> DNS Name=…
>
> DNS Name=…
>
>
>
> 2.5.29.14: Flags = 0, Length = 16
>
> Subject Key Identifier
>
> 18ac7e7d52238f02579e8190ea68f3ce283d9d77
>
>
>
> 2.5.29.35: Flags = 0, Length = 18
>
> Authority Key Identifier
>
> KeyID=82785767ff34df9161f00a37dc4df7a9d387732b
>
>
>
> 2.5.29.31: Flags = 0, Length = 59
>
> CRL Distribution Points
>
> [1]CRL Distribution Point
>
> Distribution Point Name:
>
> Full Name:
>
> URL=…..
>
>
>
> 1.3.6.1.5.5.7.1.1: Flags = 0, Length = 91
>
> Authority Information Access
>
> [1]Authority Info Access
>
> Access Method=On-line Certificate Status Protocol (1.3.6.1.5.5.7.48.1)
>
> Alternative Name:
>
> URL=…
>
> [2]Authority Info Access
>
> Access Method=Certification Authority Issuer (1.3.6.1.5.5.7.48.2)
>
> Alternative Name:
>
> URL=…
>
>
>
> 2.5.29.15: Flags = 1(Critical), Length = 4
>
> Key Usage
>
> Digital Signature, Key Encipherment (a0)
>
>
>
> 1.3.6.1.4.1.311.21.7: Flags = 0, Length = 30
>
> Certificate Template Information
>
> Template=VPN Server(1.3.6.1.4.1.311.21.8.7409278.1580920.3752321.8005686.9414170.164.2713793.11843046)
>
> Major Version Number=100
>
> Minor Version Number=5
>
>
>
> 2.5.29.37: Flags = 0, Length = 20
>
> Enhanced Key Usage
>
> Server Authentication (1.3.6.1.5.5.7.3.1)
>
> IP security IKE intermediate (1.3.6.1.5.5.8.2.2)
>
> Client Authentication (1.3.6.1.5.5.7.3.2)
>
>
>
> 1.3.6.1.4.1.311.21.10: Flags = 0, Length = 26
>
> Application Policies
>
> [1]Application Certificate Policy:
>
> Policy Identifier=Server Authentication
>
> [2]Application Certificate Policy:
>
> Policy Identifier=IP security IKE intermediate
>
> [3]Application Certificate Policy:
>
> Policy Identifier=Client Authentication
>
>
>
> Signature Algorithm:
>
> Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
>
> Algorithm Parameters:
>
> 05 00
>
> Signature: UnusedBits=0
>
> 0000 53 a4 15 5f fa 88 1e 76 7f af e3 d9 94 bb 0f 05
>
> 0010 5e 55 fa b8 c1 58 78 bf 78 71 1f 8c aa 89 83 14
>
> …
>
> 00e0 fb 7f 80 fd aa cf 5f 7d ba c6 e8 05 93 0c 76 78
>
> 00f0 9b da 12 bd 49 43 33 00 fe 97 c0 e9 c5 b7 20 18
>
> Non-root Certificate
>
> Key Id Hash(rfc-sha1): 18ac7e7d52238f02579e8190ea68f3ce283d9d77
>
> Key Id Hash(sha1): 0dd4d49ae7cb0a17cba19871b82a0e90a86ce5f7
>
> Key Id Hash(bcrypt-sha1): df7f493937a1b175d83b27935f7ea1528bfd73ff
>
> Key Id Hash(bcrypt-sha256): ed3bcef6c9c725b72a26a658ee8037533b1046724a75772ce10ee83b80ed547f
>
> Key Id Hash(md5): 89d062523ffb9998f9617e1c58d51bfc
>
> Key Id Hash(sha256): f4a7bd1e71d1c6422eca8fdcdfb3c8c184e72cb8bbbe242de97a2c3c68698d1b
>
> Key Id Hash(pin-sha256): nO3Yrqy2aZhe9UfSwzGkWGWOF9GhThXmWaBjUGU/y3s=
>
> Key Id Hash(pin-sha256-hex): 9cedd8aeacb669985ef547d2c331a458658e17d1a14e15e659a06350653fcb7b
>
> Cert Hash(md5): ac80ead487d9100456004dfb8bf63a4d
>
> Cert Hash(sha1): 421247d634be3256c9a2112eee82dc85bfc63b95
>
> Cert Hash(sha256): c4c563b0b0a76f59ddfdee044c75f0550b9b02e24065cb2b0bddd755641fb8ee
>
> Signature Hash: 5384636758d9dffcc8bdc722c0deafa0e573ce7f51e5b3f87439f21a2f2d9af1
>
>
>
> Using openssl x509 -in certfile.crt -text -noout yields the same results.
>
>
>
> When I generate a CA certificate + a server certificate simply using the PKI tools, this yields a certificate with SHA384RSA instead of a SHA256RSA cert.
>
> Could this be part of the issue, or am I missing something else?
>
>
>
> Kind regards,
>
>
>
>
>
> Jeroen.
>
>
>
>
>
> *From:*Thomas Egerer <hakke_007 at gmx.de <mailto:hakke_007 at gmx.de>>
> *Sent:* Wednesday, 17 April 2019 20:07
> *To:* Jeroen Landheer <jlandheer at bintelligence.nl <mailto:jlandheer at bintelligence.nl>>; users at lists.strongswan.org <mailto:users at lists.strongswan.org>
> *Subject:* Re: [strongSwan] Ubuntu 16: Received netlink error: Invalid Argument (22)
>
>
>
> Hi Jeroen,
>
> don't use that antique kernel unless you have to. Sounds like the IV generator issue from [1]:
> <quote>
> Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
> </quote>
>
> Hth
> Thomas
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <jlandheer at bintelligence.nl <mailto:jlandheer at bintelligence.nl>> wrote:
>
> This apears in my log file:
>
>
>
> Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1 to peer 'jlan--------------e.nl'
>
> Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
>
> Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI cf789c5c
>
> Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
>
> Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI b651e5ec
>
> Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>
>
> It seems that somehow strongswan can't assign a virtual IP address to the peer.
>
>
>
> Config:
>
>
>
> config setup
>
> charondebug="all"
>
> uniqueids=no
>
>
>
> conn ikev2-vpn
>
> auto=add
>
> compress=no
>
> type=tunnel
>
> keyexchange=ikev2
>
> fragmentation=yes
>
> forceencaps=yes
>
> ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>
> esp=aes256-sha1,3des-sha1!
>
> dpdaction=clear
>
> dpddelay=300s
>
> rekey=no
>
> left=%any
>
> leftid=@vpn.-------------.---o <mailto:leftid=@vpn.-------------.---o>
>
> leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>
> leftsendcert=always
>
> leftsubnet=0.0.0.0/0,::/0
>
> right=%any
>
> rightid=%any
>
> rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
>
> rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
>
> rightsendcert=never
>
> rightauth=eap-mschapv2
>
> eap_identity=%identity
>
>
>
> If I run the check script for the kernel modules, I get this: (this is basically a standard ubuntu setup)
>
>
>
> CONFIG_XFRM_USER=m
>
> CONFIG_NET_KEY=m
>
> # CONFIG_NET_KEY_MIGRATE is not set
>
> CONFIG_INET=y
>
> CONFIG_INET_AH=m
>
> CONFIG_INET_ESP=m
>
> CONFIG_INET_IPCOMP=m
>
> CONFIG_INET_XFRM_TUNNEL=m
>
> CONFIG_INET_TUNNEL=m
>
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
>
> CONFIG_INET_XFRM_MODE_TUNNEL=m
>
> CONFIG_INET_XFRM_MODE_BEET=m
>
> CONFIG_INET_LRO=y
>
> CONFIG_INET_DIAG=m
>
> CONFIG_INET_TCP_DIAG=m
>
> CONFIG_INET_UDP_DIAG=m
>
> CONFIG_INET6_AH=m
>
> CONFIG_INET6_ESP=m
>
> CONFIG_INET6_IPCOMP=m
>
> CONFIG_INET6_XFRM_TUNNEL=m
>
> CONFIG_INET6_TUNNEL=m
>
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
>
> CONFIG_INET6_XFRM_MODE_BEET=m
>
> CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
>
> CONFIG_INET_DCCP_DIAG=m
>
> CONFIG_IP_ADVANCED_ROUTER=y
>
> CONFIG_IP_MULTIPLE_TABLES=y
>
> CONFIG_INET_AH=m
>
> CONFIG_INET_ESP=m
>
> CONFIG_INET_IPCOMP=m
>
> CONFIG_INET_XFRM_MODE_TRANSPORT=m
>
> CONFIG_INET_XFRM_MODE_TUNNEL=m
>
> CONFIG_INET_XFRM_MODE_BEET=m
>
> CONFIG_IPV6=y
>
> CONFIG_IPV6_ROUTER_PREF=y
>
> CONFIG_IPV6_ROUTE_INFO=y
>
> # CONFIG_IPV6_OPTIMISTIC_DAD is not set
>
> CONFIG_IPV6_MIP6=m
>
> CONFIG_IPV6_ILA=m
>
> CONFIG_IPV6_VTI=m
>
> CONFIG_IPV6_SIT=m
>
> CONFIG_IPV6_SIT_6RD=y
>
> CONFIG_IPV6_NDISC_NODETYPE=y
>
> CONFIG_IPV6_TUNNEL=m
>
> CONFIG_IPV6_GRE=m
>
> CONFIG_IPV6_MULTIPLE_TABLES=y
>
> CONFIG_IPV6_SUBTREES=y
>
> CONFIG_IPV6_MROUTE=y
>
> CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
>
> CONFIG_IPV6_PIMSM_V2=y
>
> CONFIG_INET6_AH=m
>
> CONFIG_INET6_ESP=m
>
> CONFIG_INET6_IPCOMP=m
>
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>
> CONFIG_INET6_XFRM_MODE_TUNNEL=m
>
> CONFIG_INET6_XFRM_MODE_BEET=m
>
> CONFIG_IPV6_MULTIPLE_TABLES=y
>
> CONFIG_NETFILTER=y
>
> # CONFIG_NETFILTER_DEBUG is not set
>
> CONFIG_NETFILTER_ADVANCED=y
>
> CONFIG_NETFILTER_INGRESS=y
>
> CONFIG_NETFILTER_NETLINK=m
>
> CONFIG_NETFILTER_NETLINK_ACCT=m
>
> CONFIG_NETFILTER_NETLINK_QUEUE=m
>
> CONFIG_NETFILTER_NETLINK_LOG=m
>
> CONFIG_NETFILTER_NETLINK_GLUE_CT=y
>
> CONFIG_NETFILTER_SYNPROXY=m
>
> CONFIG_NETFILTER_XTABLES=m
>
> CONFIG_NETFILTER_XT_MARK=m
>
> CONFIG_NETFILTER_XT_CONNMARK=m
>
> CONFIG_NETFILTER_XT_SET=m
>
> CONFIG_NETFILTER_XT_TARGET_AUDIT=m
>
> CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
>
> CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
>
> CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
>
> CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
>
> CONFIG_NETFILTER_XT_TARGET_CT=m
>
> CONFIG_NETFILTER_XT_TARGET_DSCP=m
>
> CONFIG_NETFILTER_XT_TARGET_HL=m
>
> CONFIG_NETFILTER_XT_TARGET_HMARK=m
>
> CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
>
> CONFIG_NETFILTER_XT_TARGET_LED=m
>
> CONFIG_NETFILTER_XT_TARGET_LOG=m
>
> CONFIG_NETFILTER_XT_TARGET_MARK=m
>
> CONFIG_NETFILTER_XT_NAT=m
>
> CONFIG_NETFILTER_XT_TARGET_NETMAP=m
>
> CONFIG_NETFILTER_XT_TARGET_NFLOG=m
>
> CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
>
> # CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
>
> CONFIG_NETFILTER_XT_TARGET_RATEEST=m
>
> CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
>
> CONFIG_NETFILTER_XT_TARGET_TEE=m
>
> CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>
> CONFIG_NETFILTER_XT_TARGET_TRACE=m
>
> CONFIG_NETFILTER_XT_TARGET_SECMARK=m
>
> CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
>
> CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
>
> CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
>
> CONFIG_NETFILTER_XT_MATCH_BPF=m
>
> CONFIG_NETFILTER_XT_MATCH_CGROUP=m
>
> CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
>
> CONFIG_NETFILTER_XT_MATCH_COMMENT=m
>
> CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
>
> CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
>
> CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
>
> CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
>
> CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
>
> CONFIG_NETFILTER_XT_MATCH_CPU=m
>
> CONFIG_NETFILTER_XT_MATCH_DCCP=m
>
> CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
>
> CONFIG_NETFILTER_XT_MATCH_DSCP=m
>
> CONFIG_NETFILTER_XT_MATCH_ECN=m
>
> CONFIG_NETFILTER_XT_MATCH_ESP=m
>
> CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
>
> CONFIG_NETFILTER_XT_MATCH_HELPER=m
>
> CONFIG_NETFILTER_XT_MATCH_HL=m
>
> CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
>
> CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
>
> CONFIG_NETFILTER_XT_MATCH_IPVS=m
>
> CONFIG_NETFILTER_XT_MATCH_L2TP=m
>
> CONFIG_NETFILTER_XT_MATCH_LENGTH=m
>
> CONFIG_NETFILTER_XT_MATCH_LIMIT=m
>
> CONFIG_NETFILTER_XT_MATCH_MAC=m
>
> CONFIG_NETFILTER_XT_MATCH_MARK=m
>
> CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
>
> CONFIG_NETFILTER_XT_MATCH_NFACCT=m
>
> CONFIG_NETFILTER_XT_MATCH_OSF=m
>
> CONFIG_NETFILTER_XT_MATCH_OWNER=m
>
> CONFIG_NETFILTER_XT_MATCH_POLICY=m
>
> CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
>
> CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
>
> CONFIG_NETFILTER_XT_MATCH_QUOTA=m
>
> CONFIG_NETFILTER_XT_MATCH_RATEEST=m
>
> CONFIG_NETFILTER_XT_MATCH_REALM=m
>
> CONFIG_NETFILTER_XT_MATCH_RECENT=m
>
> CONFIG_NETFILTER_XT_MATCH_SCTP=m
>
> CONFIG_NETFILTER_XT_MATCH_SOCKET=m
>
> CONFIG_NETFILTER_XT_MATCH_STATE=m
>
> CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
>
> CONFIG_NETFILTER_XT_MATCH_STRING=m
>
> CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
>
> CONFIG_NETFILTER_XT_MATCH_TIME=m
>
> CONFIG_NETFILTER_XT_MATCH_U32=m
>
> CONFIG_NETFILTER_XTABLES=m
>
> CONFIG_NETFILTER_XT_MATCH_POLICY=m
>
>
>
>
>
> Kernel version: 4.4.0-145-generic
>
>
>
> Any idea how to diagnose this issue?
>
>
>
> Kind regards,
>
>
>
>
>
> Jeroen.
>
>
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
More information about the Users
mailing list