[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Martin Mokrejs mmokrejs at fold.natur.cuni.cz
Wed Dec 29 20:34:15 EST 2010


Hi Michael,
  it is a bit late here so that might answer some of your questions. ;)
Yes, it is my first post to this list, I deliberately posted to
openswan although referring to strongswan message from the past.
Yes, I have linux-2.6.27.57 kernel with IPv6 support (hope that could be
seen in my .config file ... and sorry, I accidentally left in the filename
.gz), I see no reason for IPv6 support unless I configure IPv6 (Gentoo
Linux). In theory I could enable the IPv6 support but wonder what it
gives to me. ;))
  Yes, I tried openswan-2.6.31 and now also 2.6.32, as I found there
is a newer release but with same error in the end.

Michael H. Warfield wrote:
> Hello,
> 
> On Thu, 2010-12-30 at 00:40 +0100, Martin Mokrejs wrote:
>> Hi,
>>   I found this thread at https://lists.strongswan.org/pipermail/users/2010-April/004748.html
>> and I think it might be related to my issue with openswan-2.6.31.
> 
> I'm having some problems with this message.  Is this your first post on
> this subject to this list?  I don't recall having seen it before but I
> could well have deleted it.  But I don't see any "in response to"
> header or "thread id" header either (but they're not required).  I'm

I did not want to puzzle anybody, I just handcrafted the $Subject line
based on the above message from Apr 2010 in the other list, sorry for
the mess.

> also not finding it by searching on your subject wrt Openswan.  If you
> have posted on this subject before, forgive me for asking for what may
> be redundant information but I just simply don't have the background
> information on your problem.
> 
> The posting on the StrongSwan list was for the 2.6.31 Linux kernel, not
> the 2.6.31 Openswan version.  Unfortunately, yes, these numbers are
> confusingly similar right at the moment so I have to ask to be precise
> in labeling what it is we are talking about.

I will shut down the computer as I need some sleep and tomorrow will try
to boot with newer kernels (I use this 2.6.27.57 but test newer ones from time
to time).

> 
>> [cut]
>> # ipsec whack --name cisco-client --xauthname mylogin --xauthpass mypass --initiate
>> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
>> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
>> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
>> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
>> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
>> 002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
>> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
>> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
>> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
>> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
>> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
>> 112 "cisco-client" #1: STATE_AGGR_I1: initiate
>> 003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
>> 003 "cisco-client" #1: received Vendor ID payload [XAUTH]
>> 003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
>> 003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
>> 003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>> 003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>> 003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
>> 002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
>> 003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
>> 002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
>> 004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>> 041 "cisco-client" #1: cisco-client prompt for Username:
>> 002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='mylogin'
>> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 002 "cisco-client" #1: XAUTH: Successfully Authenticated
>> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>> 002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
>> 002 "cisco-client" #1: received mode cfg reply
>> 002 "cisco-client" #1: setting client address to 172.16.3.90/32
>> 002 "cisco-client" #1: setting ip source address to 172.16.3.90/32
>> 002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
>> 002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
>> 004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
>> 002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
>> 117 "cisco-client" #2: STATE_QUICK_I1: initiate
>> 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
>> 032 "cisco-client" #2: STATE_QUICK_I1: internal error
>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>> 031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>> 000 "cisco-client" #2: starting keying attempt 2 of an unlimited number, but releasing whack
> 
> Ok...  So I see you are getting the error 93 from Netkey.  So it didn't
> like the transform that was attempted to be loaded.  I got that much...
> 
>>   Probably, the patch related to your issue went into 2.6.25 ...

------------------------------------^^^^ I meant the author of the
                                         Apr 2010 message, hoping to get some
                                         answer soon ;-)


> I'm the author of some of that patch, at least the multiple proposals
> patch, which you do appear to have since some of the error messages I
> worked on appear in your log above.

Great! I was too lazy to learn to inspect the sources or check if that was
ever reverted or so ...

> 
>> http://lists.openwall.net/netdev/2008/04/03/35 . 
>>   Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html
> 
> Same error.  Very doubtful it's the same problem.

OK, was a Google-hit. ;)


>> My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
>> I am missing anything in my kernel .config (attached). :(
> 
> Now I'm lost, or somewhat dazed and confused...  You're on Linux kernel
> 2.6.27.57 (that's the latest version in the 2.6.27 branch), I get that.
> What fix are you referring to?  My patch was to Openswan, not to the

Although not a "fix", it seems there was some change between 2.6.27 and 2.6.31
which I suspect I am missing in 2.6.27.57 (it would have had to make it into the
Linux kernel with 2.6.28 or above). The "fix" I am referring to is:
https://lists.strongswan.org/pipermail/users/2010-April/004748.html

> kernel (I am a kernel maintainer but not in that area).  I gather that
> you are trying Openswan 2.6.31 on top of the 2.6.27.57 kernel, correct?

Yes.

> Now the 2.6.27.57 kernel would be PRIOR to the 2.6.31 kernel referred to
> in the Strongswan thread.  Make sure you are not mixing apples and
> oranges here.  I have no clue if the bug they describe impacts 2.6.27.x
> but it very well may and you may very well need to get a newer kernel.

The question is whether "the fix" (invented between 2.6.27 and 2.6.31 kernel)
was applied over 2.6.27 branch. ;-)

> 
> The next obvious question is...  That bug is predicated on having IPv6
> disabled.  Have you somehow disabled IPv6 for some reason?  If so, WHY?
> The time for IPv4-only is now long past.  IANA is about to assign out
> the last IPv4 blocks it has and we're done.  I just flat out don't
> operate without IPv6 (and I have enough IPv6 only resources I depend on
> that I couldn't even if I wanted to).  I probably will NOT be able to
> help you if you are running with v6 disabled and have to for some
> strange reason.  It's no longer a viable configuration in my
> environment.

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:e0:xx:xx:xx:xx  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:56553 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53327 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:38854223 (37.0 MiB)  TX bytes:30897029 (29.4 MiB)
          Interrupt:11 Base address:0xa000 

So what should be my IPv6 address?

> 
> So...  Let's go down the basics...
> 
> Distro?  Ubuntu/Fedora/RedHat/CentOS/other?
Gentoo

> Distro version?
Devel, ~x86 ;)

> Architecture?
x86 (pentium4-m based i686)

> Kernel version (2.6.27.57 I presume - please confirm)?
yes

> Distro install or custom build?
my own build, I remember Linux Slackware 0.9 days ;-)

> Openswan version (2.6.31 I presume - please confirm)?
2.6.31 and 2.6.32 tested meanwhile as well

> Distro install (highly unlikely given the age of that kernel) or custom?
no customizations


I wonder whether -DKLIPS in $CFLAGS does somehow break my binaries.
Please see http://bugs.gentoo.org/show_bug.cgi?id=350107 which I have just
opened. It could be a wrong package setup in Gentoo resulting in misconfigured
compilation.

Thanks for the below comments!
Martin

> 
>> Any clues? Thanks,
>> Martin
>>
>> For completeness, here is part of my setup in /etc/ipsec.conf:
>>
>> conn cisco-client
>>         ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
>                                                   ^^^^^^^^^^^^^^^^^^^^^^^
> You haven't specified the DH group for these two so that's why you are
> seeing the errors about "multiple DH groups were set in aggressive mode.
> Only first one used."  Those are somewhat cosmetic and it will only use
> the first DH group encountered (modp1024 from the first proposal).
> 
>>         aggrmode=yes # if no aggrmode is set I get no connection
> 
> Correct.  The Cisco ASA is going to insist on using aggressive mode.
> 
>>         authby=secret
>>         left=%defaultroute
>>         leftmodecfgclient=yes
>>         leftxauthclient=yes
>>         leftid=@my-group-name
>>         right=x.x.x.x
>>         rightxauthserver=yes
>>         rightmodecfgserver=yes
>>         modecfgpull=yes
>>         pfs=no
>>         auto=add
>>         # XAUTH connections cannot rekey, set the next to `no'
>>         rekey=no
> 
> The rest looks ok to me but it's hard to tell without a lot more
> background.

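The ike= line Michael annotates at the end of the thread mixes proposals that name a DH group with two that do not, which is what produces the "multiple DH groups were set in aggressive mode. Only first one used." notices in the Pluto log. The following is an added example (not code from the thread, from Openswan, or from either poster) that parses such a line, reports the proposals lacking an explicit group, and rewrites the line so every proposal pins the same group. The syntax it assumes (encryption-hash[-dhgroup], comma separated) is my reading of the line quoted above rather than a port of Openswan's own parser, and the set of recognised group names is a constructed, non-exhaustive list.

```python
"""Audit an Openswan-style ike= proposal list for missing DH groups.

Added example, not code from the thread or from Openswan itself. The
syntax assumed (encryption-hash[-dhgroup], comma separated) is the
author's reading of the ike= line quoted in the thread; the DH group
names below are a constructed subset used only for recognition.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# DH group names recognised by this example (constructed list, not exhaustive).
DH_GROUPS = {"modp1024", "modp1536", "modp2048", "modp3072", "modp4096"}


@dataclass
class Proposal:
    encryption: str
    integrity: str
    dh_group: Optional[str]

    def text(self) -> str:
        parts = [self.encryption, self.integrity]
        if self.dh_group:
            parts.append(self.dh_group)
        return "-".join(parts)


def parse_ike(ike: str) -> List[Proposal]:
    """Split 'enc-hash-group,enc-hash,...' into Proposal records."""
    proposals: List[Proposal] = []
    for item in ike.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split("-")
        if len(parts) == 2:
            proposals.append(Proposal(parts[0], parts[1], None))
        elif len(parts) == 3 and parts[2] in DH_GROUPS:
            proposals.append(Proposal(parts[0], parts[1], parts[2]))
        else:
            raise ValueError(f"unrecognised IKE proposal: {item!r}")
    return proposals


def audit_ike(ike: str, aggrmode: bool) -> Dict[str, object]:
    """Report proposals without a DH group and, in aggressive mode,
    the single group that will actually be offered."""
    proposals = parse_ike(ike)
    missing = [p.text() for p in proposals if p.dh_group is None]
    explicit = [p.dh_group for p in proposals if p.dh_group]
    effective = explicit[0] if explicit else None
    warnings: List[str] = []
    if missing:
        warnings.append("no DH group specified for: " + ", ".join(missing))
    if aggrmode and (missing or len(set(explicit)) > 1):
        # Aggressive mode commits to a group in the first message, so only
        # the first DH group encountered can be offered; the rest are dropped.
        warnings.append(
            f"aggressive mode: only the first DH group ({effective}) is used")
    return {"missing_dh_group": missing,
            "effective_dh_group": effective,
            "warnings": warnings}


def pin_dh_group(ike: str, group: Optional[str] = None) -> str:
    """Return the ike= string with every bare proposal given an explicit group.

    Defaults to the first explicit group in the list, so the rewritten line
    offers exactly the group aggressive mode would have used anyway.
    """
    proposals = parse_ike(ike)
    if group is None:
        group = next((p.dh_group for p in proposals if p.dh_group), None)
        if group is None:
            raise ValueError("no DH group to pin; pass one explicitly")
    for p in proposals:
        if p.dh_group is None:
            p.dh_group = group
    return ",".join(p.text() for p in proposals)


if __name__ == "__main__":
    # The ike= line from the ipsec.conf quoted in the thread.
    IKE = "3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1"
    for w in audit_ike(IKE, aggrmode=True)["warnings"]:
        print("WARN:", w)
    print("pinned:", pin_dh_group(IKE))
```

Run against the thread's line, the audit flags aes128-md5 and aes192-sha1 as lacking a group and names modp1024 as the only group aggressive mode will offer; the pinned rewrite carries modp1024 on all four proposals and audits clean.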
