[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Michael H. Warfield mhw at WittsEnd.com
Wed Dec 29 18:40:53 EST 2010


Hello,

On Thu, 2010-12-30 at 00:40 +0100, Martin Mokrejs wrote:
> Hi,
>   I found this thread at https://lists.strongswan.org/pipermail/users/2010-April/004748.html
> and I think it might be related to my issue with openswan-2.6.31.

I'm having some problems with this message.  Is this your first post on
this subject to this list?  I don't recall having seen it before but I
could well have deleted it.  But I don't see any "in response to"
header or "thread id" header either (but they're not required).  I'm
also not finding it by searching on your subject wrt Openswan.  If you
have posted on this subject before, forgive me for asking for what may
be redundant information but I just simply don't have the background
information on your problem.

The posting on the StrongSwan list was for the 2.6.31 Linux kernel, not
the 2.6.31 Openswan version.  Unfortunately, yes, these numbers are
confusingly similar right at the moment so I have to ask to be precise
in labeling what it is we are talking about.

> [cut]
> # ipsec whack --name cisco-client --xauthname mylogin --xauthpass mypass --initiate
> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
> 002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
> 112 "cisco-client" #1: STATE_AGGR_I1: initiate
> 003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
> 003 "cisco-client" #1: received Vendor ID payload [XAUTH]
> 003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
> 003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
> 003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> 003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> 003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> 002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
> 003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> 002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
> 004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> 041 "cisco-client" #1: cisco-client prompt for Username:
> 002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='mylogin'
> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "cisco-client" #1: XAUTH: Successfully Authenticated
> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> 002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
> 002 "cisco-client" #1: received mode cfg reply
> 002 "cisco-client" #1: setting client address to 172.16.3.90/32
> 002 "cisco-client" #1: setting ip source address to 172.16.3.90/32
> 002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
> 002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
> 004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
> 002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
> 117 "cisco-client" #2: STATE_QUICK_I1: initiate
> 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
> 032 "cisco-client" #2: STATE_QUICK_I1: internal error
> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> 031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> 000 "cisco-client" #2: starting keying attempt 2 of an unlimited number, but releasing whack

Ok...  So I see you are getting the error 93 from Netkey.  So it didn't
like the transform that was attempted to be loaded.  I got that much...

>   Probably, the patch related to your issue went into 2.6.25 ...

I'm the author of some of that patch, at least the multiple proposals
patch, which you do appear to have since some of the error messages I
worked on appear in your log above.

> http://lists.openwall.net/netdev/2008/04/03/35 . 
>   Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html

Same error.  Very doubtful it's the same problem.

> My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
> I am missing anything in my kernel .config (attached). :(

Now I'm lost, or somewhat dazed and confused...  You're on Linux kernel
2.6.27.57 (that's the latest version in the 2.6.27 branch), I get that.
What fix are you referring to?  My patch was to Openswan, not to the
kernel (I am a kernel maintainer but not in that area).  I gather that
you are trying Openswan 2.6.31 on top of the 2.6.27.57 kernel, correct?
Now the 2.6.27.57 kernel would be PRIOR to the 2.6.31 kernel referred to
in the Strongswan thread.  Make sure you are not mixing apples and
oranges here.  I have no clue if the bug they describe impacts 2.6.27.x
but it very well may and you may very well need to get a newer kernel.

The next obvious question is...  That bug is predicated on having IPv6
disabled.  Have you somehow disabled IPv6 for some reason?  If so, WHY?
The time for IPv4-only is now long past.  IANA is about to assign out
the last IPv4 blocks it has and we're done.  I just flat out don't
operate without IPv6 (and I have enough IPv6 only resources I depend on
that I couldn't even if I wanted to).  I probably will NOT be able to
help you if you are running with v6 disabled and have to for some
strange reason.  It's no longer a viable configuration in my
environment.

So...  Let's go down the basics...

Distro?  Ubuntu/Fedora/RedHat/CentOS/other?
Distro version?
Architecture?
Kernel version (2.6.27.57 I presume - please confirm)?
Distro install or custom build?
Openswan version (2.6.31 I presume - please confirm)?
Distro install (highly unlikely given the age of that kernel) or custom?

> Any clues? Thanks,
> Martin
> 
> For completeness, here is part of my setup in /etc/ipsec.conf:
> 
> conn cisco-client
>         ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
                                                  ^^^^^^^^^^^^^^^^^^^^^^^
You haven't specified the DH group for these two so that's why you are
seeing the errors about "multiple DH groups were set in aggressive mode.
Only first one used."  Those are somewhat cosmetic and it will only use
the first DH group encountered (modp1024 from the first proposal).

>         aggrmode=yes # if no aggrmode is set I get no connection

Correct.  The Cisco ASA is going to insist on using aggressive mode.

>         authby=secret
>         left=%defaultroute
>         leftmodecfgclient=yes
>         leftxauthclient=yes
>         leftid=@my-group-name
>         right=x.x.x.x
>         rightxauthserver=yes
>         rightmodecfgserver=yes
>         modecfgpull=yes
>         pfs=no
>         auto=add
>         # XAUTH connections cannot rekey, set the next to `no'
>         rekey=no

The rest looks ok to me but it's hard to tell without a lot more
background.

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
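As an added illustration of the ike= point raised in the reply above (example code written for this page, not from the thread's participants or from Openswan itself): a small checker that parses conn blocks from ipsec.conf-style text, flags ike= proposals that name no DH group, and reports which group an aggressive-mode connection would actually use (the first one listed, as the reply explains). It assumes the enc-hash-group naming convention and the modpNNNN group names; the sample config is constructed to mirror the quoted conn block.

```python
import re

# Constructed sample mirroring the conn block quoted in the thread (not the poster's full file).
SAMPLE_CONF = """\
conn cisco-client
        ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
        aggrmode=yes # if no aggrmode is set I get no connection
        authby=secret
        pfs=no
"""

# DH group names recognised in ike= proposals (assumption: standard modp group names).
DH_GROUPS = {"modp768", "modp1024", "modp1536", "modp2048",
             "modp3072", "modp4096", "modp6144", "modp8192"}


def parse_conns(text):
    """Return {conn_name: {key: value}} from simple key=value conn blocks."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key] = val
    return conns


def check_ike_groups(conn):
    """Split ike= into proposals and classify each by whether it names a DH group."""
    proposals = [p.strip() for p in conn.get("ike", "").split(",") if p.strip()]
    explicit, missing = [], []
    for p in proposals:
        group = next((x for x in p.split("-") if x in DH_GROUPS), None)
        (explicit if group else missing).append((p, group))
    # Aggressive mode carries a single DH group: only the first one listed is used.
    effective = explicit[0][1] if explicit else None
    return {"aggrmode": conn.get("aggrmode", "no") == "yes",
            "missing_group": [p for p, _ in missing],
            "effective_group": effective}


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        print(name, check_ike_groups(conn))
```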