[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Martin Mokrejs mmokrejs at fold.natur.cuni.cz
Wed Dec 29 18:40:56 EST 2010


Hi,
  I found this thread at https://lists.strongswan.org/pipermail/users/2010-April/004748.html
and I think it might be related to my issue with openswan-2.6.31.

[cut]
# ipsec whack --name cisco-client --xauthname mylogin --xauthpass mypass --initiate
003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
003 "cisco-client" #1: transform (7,1,5,128) ignored.
003 "cisco-client" #1: transform (7,1,2,128) ignored.
003 "cisco-client" #1: transform (7,2,5,192) ignored.
003 "cisco-client" #1: transform (7,2,2,192) ignored.
002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
003 "cisco-client" #1: transform (7,1,5,128) ignored.
003 "cisco-client" #1: transform (7,1,2,128) ignored.
003 "cisco-client" #1: transform (7,2,5,192) ignored.
003 "cisco-client" #1: transform (7,2,2,192) ignored.
112 "cisco-client" #1: STATE_AGGR_I1: initiate
003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco-client" #1: received Vendor ID payload [XAUTH]
003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
041 "cisco-client" #1: cisco-client prompt for Username:
002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='mylogin'
002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "cisco-client" #1: XAUTH: Successfully Authenticated
002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
002 "cisco-client" #1: received mode cfg reply
002 "cisco-client" #1: setting client address to 172.16.3.90/32
002 "cisco-client" #1: setting ip source address to 172.16.3.90/32
002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
117 "cisco-client" #2: STATE_QUICK_I1: initiate
003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
032 "cisco-client" #2: STATE_QUICK_I1: internal error
003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "cisco-client" #2: starting keying attempt 2 of an unlimited number, but releasing whack


  Probably, the patch related to your issue went into 2.6.25 ...
http://lists.openwall.net/netdev/2008/04/03/35 . 
  Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html

My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
I am missing anything in my kernel .config (attached). :(

Any clues? Thanks,
Martin

For completeness, here is part of my setup in /etc/ipsec.conf:

conn cisco-client
        ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
        aggrmode=yes # if no aggrmode is set I get no connection
        authby=secret
        left=%defaultroute
        leftmodecfgclient=yes
        leftxauthclient=yes
        leftid=@my-group-name
        right=x.x.x.x
        rightxauthserver=yes
        rightmodecfgserver=yes
        modecfgpull=yes
        pfs=no
        auto=add
        # XAUTH connections cannot rekey, set the next to `no'
        rekey=no

-------------- next part --------------
A non-text attachment was scrubbed...
Name: config.gz
Type: application/gzip
Size: 53151 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20101230/c6854d4e/attachment-0001.bin 
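The log quoted above shows the security-relevant detail that is easy to miss: IKE phase 1, including the XAUTH login and mode-config address assignment, completed, and the failure happened when pluto asked the local kernel to install the ESP SA (netlink errno 93). The later "perhaps peer likes no proposal" message is a generic retransmission timeout and points in the wrong direction. As an added example (not the poster's code and not part of openswan), the following Python triages such whack output: it parses the status lines, locates the netlink error, names the errno using Linux values, and reports whether the fault is local or peer-side. On Linux, errno 93 is EPROTONOSUPPORT, which the XFRM code returns when no handler for the SA's protocol is registered, typically because ESP support (the esp4 module) is missing or not loaded. The kernel option list checked by the second function is this example's own assumption about what an ESP tunnel via netlink/XFRM needs on a 2.6.x kernel, and the .config excerpt is constructed to show a failing check.

```python
"""Triage helper for openswan/pluto 'ipsec whack --initiate' output (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the relevant lines from the pluto output quoted in the post.
SAMPLE_LOG = """\
002 "cisco-client" #1: XAUTH: Successfully Authenticated
002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
117 "cisco-client" #2: STATE_QUICK_I1: initiate
003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
032 "cisco-client" #2: STATE_QUICK_I1: internal error
031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Linux errno values as pluto reports them; hardcoded so the names stay correct
# even when this script is run on a host whose errno numbering differs.
LINUX_ERRNO = {2: "ENOENT", 3: "ESRCH", 17: "EEXIST", 22: "EINVAL",
               38: "ENOSYS", 93: "EPROTONOSUPPORT"}

LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
NETLINK_RE = re.compile(
    r"netlink response for (?P<op>.+?) (?P<spi>[a-z]+\.[0-9a-f]+) at (?P<peer>\S+) "
    r"included errno (?P<errno>\d+): (?P<text>.*)"
)


@dataclass
class Event:
    code: int   # numeric status prefix printed by whack
    conn: str   # connection name from ipsec.conf
    sa: int     # pluto state number (#1 = ISAKMP SA, #2 = first IPsec SA here)
    msg: str


@dataclass
class NetlinkError:
    sa: int
    op: str         # kernel operation pluto attempted, e.g. "Add SA"
    spi: str        # protocol.spi of the SA being installed
    peer: str
    errno_num: int
    errno_name: str
    text: str


def parse_pluto_log(text: str) -> List[Event]:
    """Turn whack output into structured events; lines without the prefix are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m["code"]), m["conn"], int(m["sa"]), m["msg"]))
    return events


def isakmp_sa_established(events: List[Event]) -> bool:
    """True once pluto reports the phase 1 (ISAKMP) SA as established."""
    return any("ISAKMP SA established" in e.msg for e in events)


def find_netlink_error(events: List[Event]) -> Optional[NetlinkError]:
    """Return the first kernel (netlink/XFRM) rejection pluto logged, if any."""
    for e in events:
        m = NETLINK_RE.search(e.msg)
        if m:
            num = int(m["errno"])
            return NetlinkError(e.sa, m["op"], m["spi"], m["peer"], num,
                                LINUX_ERRNO.get(num, f"errno {num}"), m["text"])
    return None


def diagnose(text: str) -> Dict[str, object]:
    """Decide whether the tunnel failed locally (kernel) or at the peer (negotiation)."""
    events = parse_pluto_log(text)
    err = find_netlink_error(events)
    phase1_ok = isakmp_sa_established(events)
    peer_blamed = any("perhaps peer likes no proposal" in e.msg for e in events)
    report: Dict[str, object] = {
        "phase1_ok": phase1_ok,
        "local_kernel_error": err is not None,
        "errno_name": err.errno_name if err else None,
        "peer_blamed": peer_blamed,
    }
    if err is not None and phase1_ok:
        report["hint"] = (f"Phase 1 (incl. XAUTH) completed; the local kernel refused "
                          f"'{err.op} {err.spi}' with {err.errno_name}. Check IPsec/XFRM "
                          f"support on this host before suspecting the peer's proposals.")
    elif err is None and peer_blamed:
        report["hint"] = "No local netlink error; the peer did not accept the Quick Mode proposal."
    else:
        report["hint"] = "Inconclusive; inspect the full pluto log."
    return report


# Assumption of this example: options an ESP tunnel via netlink/XFRM needs on a 2.6.x kernel.
XFRM_ESP_OPTIONS = ("CONFIG_XFRM_USER", "CONFIG_NET_KEY", "CONFIG_INET_ESP",
                    "CONFIG_INET_XFRM_MODE_TUNNEL")

# Constructed .config excerpt with ESP left out, to show a failing check.
SAMPLE_CONFIG = """\
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
# CONFIG_INET_ESP is not set
CONFIG_INET_XFRM_MODE_TUNNEL=m
"""


def check_kernel_config(config_text: str) -> List[str]:
    """Return the options from XFRM_ESP_OPTIONS that are neither built in (=y) nor modular (=m)."""
    enabled = set()
    for line in config_text.splitlines():
        m = re.match(r"^(CONFIG_\w+)=(y|m)$", line.strip())
        if m:
            enabled.add(m[1])
    return [opt for opt in XFRM_ESP_OPTIONS if opt not in enabled]


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
    print("missing kernel options:", check_kernel_config(SAMPLE_CONFIG))
```

Run against the poster's log, `diagnose` reports phase 1 as complete and the failure as a local EPROTONOSUPPORT on "Add SA esp.f964d92c", so the next step is the host's kernel (a `.config` or `lsmod` check for ESP/XFRM support), not the Cisco side's proposal list. `check_kernel_config` takes a decompressed `.config` such as the attached config.gz and lists the options it finds absent.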