[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported
Martin Mokrejs
mmokrejs at fold.natur.cuni.cz
Wed Dec 29 20:34:15 EST 2010
Hi Michael,
it is a bit late here so that might answer some of your questions. ;)
Yes, it is my first post to this list, I deliberately posted to
openswan although referring to strongswan message from the past.
Yes, I have linux-2.6.27.57 kernel with IPv6 support (hope that could be
seen in my .config file ... and sorry, I accidentally left in the filename
.gz), I see no reason for IPv6 support unless I configure IPv6 (Gentoo
Linux). In theory I could enable the IPv6 support but wonder what it
gives to me. ;))
Yes, I tried openswan-2.6.31 and now also 2.6.32, as I found there
is a newer release but with same error in the end.
Michael H. Warfield wrote:
> Hello,
>
> On Thu, 2010-12-30 at 00:40 +0100, Martin Mokrejs wrote:
>> Hi,
>> I found this thread at https://lists.strongswan.org/pipermail/users/2010-April/004748.html
>> and I think it might be related to my issue with openswan-2.6.31.
>
> I'm having some problems with this message. Is this your first post on
> this subject to this list? I don't recall having seen it before but I
> could well have deleted it. But I don't seen any "in response to"
> header or "thread id" header either (but they're not required). I'm
I did not want to puzzle anybody, I just handcrafted the $Subject line
based on the above message from Apr 2010 in the other list, sorry for
the mess.
> also not finding it by searching on your subject wrt Openswan. If you
> have posted on this subject before, forgive me for asking for what may
> be redundant information but I just simply don't have the background
> information on your problem.
>
> The posting on the StrongSwan list was for the 2.6.31 Linux kernel, not
> the 2.6.31 Openswan version. Unfortunately, yes, these numbers are
> confusingly similar right at the moment so I have to ask to be precise
> in labeling what it is we are talking about.
I will shutdown the computer as I need some sleep and tomorrow will try
boot with newer kernels (I use this 2.6.27.57 but test newer-ones time
to time).
>
>> [cut]
>> # ipsec whack --name cisco-client --xauthname mylogin --xauthpass mypass --initiate
>> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
>> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
>> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
>> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
>> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
>> 002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
>> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
>> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
>> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
>> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
>> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
>> 112 "cisco-client" #1: STATE_AGGR_I1: initiate
>> 003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
>> 003 "cisco-client" #1: received Vendor ID payload [XAUTH]
>> 003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
>> 003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
>> 003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> 003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>> 003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
>> 002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
>> 003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
>> 002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
>> 004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>> 041 "cisco-client" #1: cisco-client prompt for Username:
>> 002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='mylogin'
>> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 002 "cisco-client" #1: XAUTH: Successfully Authenticated
>> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
>> 002 "cisco-client" #1: received mode cfg reply
>> 002 "cisco-client" #1: setting client address to 172.16.3.90/32
>> 002 "cisco-client" #1: setting ip source address to 172.16.3.90/32
>> 002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
>> 002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
>> 004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
>> 002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
>> 117 "cisco-client" #2: STATE_QUICK_I1: initiate
>> 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
>> 032 "cisco-client" #2: STATE_QUICK_I1: internal error
>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>> 031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>> 000 "cisco-client" #2: starting keying attempt 2 of an unlimited number, but releasing whack
>
> Ok... So I see you are getting the error 93 from Netkey. So it didn't
> like the transform that was attempted to be loaded. I got that much...
>
>> Probably, the patch related to your issue went into 2.6.25 ...
------------------------------------^^^^ have meant the author of the
Apr 2010 message, hoping to get some
answer soon ;-)
> I'm the author of some of that patch, at least the multiple proposals
> patch, which you do appear to have since some of the error messages I
> worked on appear in your log above.
Great!, I was lazy to learn to inspect the sources or check if that was
ever reverted or so ...
>
>> http://lists.openwall.net/netdev/2008/04/03/35 .
>> Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html
>
> Same error. Very doubtful it's the same problem.
OK, was a Google-hit. ;)
>> My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
>> I am missing anything in my kernel .config (attached). :(
>
> Now I'm lost, or somewhat dazed and confused... You're on Linux kernel
> 2.6.27.57 (that's the latest version in the 2.6.27 branch), I get that.
> What fix are you referring to? My patch was to Openswan, not to the
Although not a "fix" it seems there was some change between 2.6.27 and 2.6.31
which I suspect am missing in 2.6.27.57 (it would have to make into the
linux kernel with 2.6.28 or above). The "fix" I am referring to is:
https://lists.strongswan.org/pipermail/users/2010-April/004748.html
> kernel (I am a kernel maintainer but not in that area). I gather that
> you are trying Openswan 2.6.31 on top of the 2.6.27.57 kernel, correct?
Yes.
> Now the 2.6.27.57 kernel would be PRIOR to the 2.6.31 kernel referred to
> in the Strongswan thread. Make sure you are not mixing apples and
> oranges here. I have no clue if the bug they describe impacts 2.6.27.x
> but it very well may and you may very well need to get a newer kernel.
The question is whether "the fix" (invented between 2.6.27 and 2.6.31 kernel)
was applied over 2.6.27 branch. ;-)
>
> The next obvious question is... That bug is predicated on having IPv6
> disabled. Have you somehow disabled IPv6 for some reason? If so, WHY?
> The time for IPv4-only is now long past. IANA is about to assign out
> the last IPv4 blocks it has and we're done. I just flat out don't
> operate without IPv6 (and I have enough IPv6 only resources I depend on
> that I couldn't even if I wanted to). I probably will NOT be able to
> help you if you are running with v6 disabled and have to for some
> strange reason. It's no longer a viable configuration in my
> environment.
# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:e0:xx:xx:xx:xx
inet addr:192.168.0.2 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:56553 errors:0 dropped:0 overruns:0 frame:0
TX packets:53327 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:38854223 (37.0 MiB) TX bytes:30897029 (29.4 MiB)
Interrupt:11 Base address:0xa000
So what should be my IPv6 address?
>
> So... Let's go down the basics...
>
> Distro? Ubuntu/Fedora/RedHat/CentOS/other?
Gentoo
> Distro version?
Devel, ~x86 ;)
> Archetecture?
x86 (pentium4-m based i686)
> Kernel version (2.6.27.57 I presume - please confirm)?
yes
> Distro install or custom build?
my own build, I remember Linux Slackware 0.9 days ;-)
> Openswan version (2.6.31 I presume - please confirm)?
2.6.31 and 2.6.32 tested meanwhile as well
> Distro install (highly unlikely given the age of that kernel) or custom?
no customizations
I wonder whether -DKLIPS in $CFLAGS does somehow break my binaries.
Please see http://bugs.gentoo.org/show_bug.cgi?id=350107 which I have just
opened. It could be a wrong package setup in Gentoo resulting in misconfigured
compilation.
Thanks for the below comments!
Martin
>
>> Any clues? Thanks,
>> Martin
>>
>> For completeness, here is part of my setup in /etc/ipsec.conf:
>>
>> conn cisco-client
>> ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
> ^^^^^^^^^^^^^^^^^^^^^^^
> You haven't specified the DH group for these two so that's why you are
> seeing the errors about "multiple DH groups were set in aggressive mode.
> Only first one used." Those are somewhat cosmetic and it will only use
> the first DH group encountered (modp1024 from the first proposal).
>
>> aggrmode=yes # if no aggrmode is set I get no connection
>
> Correct. The Cisco ASA is going to insist on using aggressive mode.
>
>> authby=secret
>> left=%defaultroute
>> leftmodecfgclient=yes
>> leftxauthclient=yes
>> leftid=@my-group-name
>> right=x.x.x.x
>> rightxauthserver=yes
>> rightmodecfgserver=yes
>> modecfgpull=yes
>> pfs=no
>> auto=add
>> # XAUTH connections cannot rekey, set the next to `no'
>> rekey=no
>
> The rest looks ok to me but it's hard to tell without a lot more
> background.
More information about the Users
mailing list