[Openswan Users] Still server crash

Dennis van der Meer dennisvandermeer at greenchem-adblue.com
Thu Apr 8 17:18:45 EDT 2010


# ipsec --version
Linux Openswan 2.6.master-201014.git-gcfb97bc7 (klips)
See 'ipsec --copyright' for copyright information.

So I use KLIPS.

I don't know how I could have missed it but here is a relevant portion
of my dmesg output:

Klips_info:ipsec_init: KLIPS startup, Openswan KLIPS IPsec stack
version: 2.6.master-201014.git-gcfb97bc7
NET: Registered protocol family 15
Registered KLIPS /proc/sys/net
klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255,
AALG_MAX=251)
klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
KLIPS: lookup for ciphername=cbs(aes): not found
KLIPS: lookup for ciphername=cbs(twofish): not found
KLIPS: lookup for ciphername=cbs(serpent): not found
KLIPS: lookup for ciphername=cbs(cast5): not found
KLIPS: lookup for ciphername=cbs(blowfish): not found
KLIPS: lookup for ciphername=cbs(des3_ede): not found
NET: Registered protocol family 1
.......
SELinux:  Registering netfilter hooks
alg: No test for cipher_null (cipher_null-generic)
alg: No test for ecb(cipher_null) (ecb-cipher_null)
alg: No test for digest_null (digest_null-generic)
alg: No test for compress_null (compress_null-generic)
cryptomgr_test used greatest stack depth: 7088 bytes left
cryptomgr_test used greatest stack depth: 6744 bytes left
alg: No test for fcrypt (fcrypt-generic)
cryptomgr_test used greatest stack depth: 6732 bytes left
alg: No test for stdrng (krng)
alg: No test for stdrng (ansi_cprng)
.......
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (7991 buckets, 31964 max)
CONFIG_NF_CT_ACCT is deprecated and will be removed soon, Please use
nf_conntrack.acct=1 kernel parameter, acct=1 nf_conntrack module option
or
sysctl net.netfilter.nf_conntrack_acct=1 to enable it.
ctnetlink v0.93: registering with nfnetlink.
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
xt_time: kernel timezone is -0000
ip ah init: can't add protocol
ip esp init: can't add protocol
ip_tables: (C) 2000-2006 Netfilter Core Team

I checked my kernel config and found out some of the options were
enabled so I changed the following:

# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_TUNNEL is not set
CONFIG_INET_TUNNEL=y
# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
# CONFIG_INET_XFRM_MODE_TUNNEL is not set
# CONFIG_INET_XFRM_MODE_BEET is not set

KLIPS options are set as recommended in an earlier email. I recompiled
the kernel, restarted the system and checked the logs. No messages
anymore about esp and ah, but ipsec still crashes as soon as I start the
vpn connection. Still the same protocol error.
Are there any kernel options that I forgot to set/unset?


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: donderdag 8 april 2010 21:16
To: Dennis van der Meer
Cc: users at openswan.org
Subject: Re: [Openswan Users] Still server crash

On Thu, 8 Apr 2010, Dennis van der Meer wrote:

> Apr  8 16:38:07 telemetry pluto[1575]: "RoadWarrior"[4] 192.168.2.60 #4:
> them: 192.168.2.60[@mylaptop.mydomain.local,+S=C]:17/1701
> Apr  8 16:38:07 telemetry pluto[1575]: | NAT-OA: 4 tunnel: 1
> Apr  8 16:38:07 telemetry pluto[1575]: ERROR: "RoadWarrior"[4]
> 192.168.2.60 #4: pfkey write() of K_SADB_ADD message 6 for Add SA
> esp.90613265 at 192.168.2.60 failed. Errno 71: Protocol error

Is this klips or netkey? Do the startup messages show you have esp
support?

Paul

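The thread boils down to one check: with KLIPS, the kernel's own XFRM IPsec options must be off, or the "ip ah init: can't add protocol" / "ip esp init: can't add protocol" lines appear at boot and pluto's SADB_ADD later fails. The script below is an added example, not code from the thread or from Openswan; it greps a kernel .config for the options Dennis disabled and scans a dmesg capture for those failures. The sample inputs are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the thread: flag the in-kernel IPsec (XFRM)
# options that collide with KLIPS, and spot the resulting dmesg failures.

# Options that must read "is not set" before KLIPS can register AH and ESP
# itself; this is the list Dennis disabled in his message.
KLIPS_CONFLICTS="CONFIG_INET_AH CONFIG_INET_ESP CONFIG_INET_IPCOMP \
CONFIG_INET_XFRM_TUNNEL CONFIG_INET_XFRM_MODE_TRANSPORT \
CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_BEET"

# check_kconfig FILE: print every conflicting option that is built in (=y)
# or modular (=m). Returns 0 when none is enabled, 1 otherwise.
check_kconfig() {
    _rc=0
    for _opt in $KLIPS_CONFLICTS; do
        if grep -q "^${_opt}=[ym]\$" "$1"; then
            echo "conflict: ${_opt} is enabled"
            _rc=1
        fi
    done
    return $_rc
}

# check_dmesg FILE: count the AH/ESP handler-registration failures seen
# when the native stack already owns IP protocols 50 and 51.
# Prints the count and returns 0 only when it is zero.
check_dmesg() {
    _n=$(grep -cE "ip (ah|esp) init: can't add protocol" "$1" || true)
    echo "$_n"
    [ "$_n" -eq 0 ]
}

# Constructed sample inputs (not real captures) for a stand-alone run.
sample_config_before() {   # native AH/ESP still built in
    printf '%s\n' 'CONFIG_INET_AH=y' 'CONFIG_INET_ESP=y' \
        'CONFIG_INET_TUNNEL=y' '# CONFIG_INET_IPCOMP is not set'
}
sample_config_after() {    # the state Dennis changed it to
    printf '%s\n' '# CONFIG_INET_AH is not set' '# CONFIG_INET_ESP is not set' \
        'CONFIG_INET_TUNNEL=y' '# CONFIG_INET_XFRM_MODE_TUNNEL is not set'
}
sample_dmesg() {
    printf '%s\n' 'xt_time: kernel timezone is -0000' \
        "ip ah init: can't add protocol" "ip esp init: can't add protocol"
}

# Usage: run both checks against the constructed "before" samples.
d=$(mktemp -d)
sample_config_before >"$d/config"; sample_dmesg >"$d/dmesg"
check_kconfig "$d/config" || echo "kernel owns AH/ESP; KLIPS cannot register them"
check_dmesg "$d/dmesg" >/dev/null || echo "dmesg confirms the collision"
rm -rf "$d"
```

On a live box, point check_kconfig at /boot/config-$(uname -r) or /proc/config.gz (after zcat) and check_dmesg at the output of dmesg.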