[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Michael H. Warfield mhw at WittsEnd.com
Wed Dec 29 20:11:30 EST 2010


On Thu, 2010-12-30 at 02:34 +0100, Martin Mokrejs wrote:
> Hi Michael,
>   it is a bit late here so that might answer some of your questions. ;)
> Yes, it is my first post to this list, I deliberately posted to
> openswan although referring to a strongswan message from the past.
> Yes, I have linux-2.6.27.57 kernel with IPv6 support (hope that could be
> seen in my .config file ... and sorry, I accidentally left in the filename
> .gz), I see no reason for IPv6 support unless I configure IPv6 (Gentoo
> Linux). In theory I could enable the IPv6 support but wonder what it
> gives to me. ;))
>   Yes, I tried openswan-2.6.31 and now also 2.6.32, as I found there
> is a newer release, but with the same error in the end.

Ok...  So...  Let me see if I can address some of this...

> "Yes, I have linux-2.6.27.57 kernel with IPv6 support"...

Wait a minute.  Was that a typo?  I just went back to your config and
found this...

# CONFIG_TCP_MD5SIG is not set
# CONFIG_IPV6 is not set
# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETFILTER is not set

That's not good.  Did you mean "without IPv6" instead?  That changes the
meaning of your statement and explains a LOT.  Personally I would also
change those others as well to yes.  SECMARK is useful for firewall code
and the MD5 stuff is used by things like BGP (which you may not care
about).  I care about the MD5 stuff since I'm also the author of much of
the MD5 logic in the BGP daemon in the quagga routing suite as
well.  :-P  Do you really want a kernel with no firewalling (NETFILTER)?
That cannot possibly be a stock Gentoo kernel there.

"I see no reason for IPv6 support unless I configure IPv6"...

Sorry...  Does not compute.  That's like saying "I see no reason for
IPv4 support unless I configure IPv4."  IPv6 is a fact of life right now
on the net.  In fact, looking at my BGP tables, the routing tables now
support more IPv6 (advertised) /48 networks than IPv4 (advertised)
unicast addresses.  Might as well get with the program, it's here today
right now, and has been globally functional for over half a decade or
more in production.  In fact (I see you are in .cz) the US DoD has just
announced that they will soon not be doing business with people whose
sites are not IPv6 enabled and functional (not that this would be a big
deal to you).

Ok...  You're on Gentoo.  I'm not a big Gentoo fan, myself but some of
my teammates are.  I may run some of this by them.  Personally, I use
Fedora for most things (just upgraded several dozen systems to F14) with
some smattering of Ubuntu for my wife, kids, and grandkids.  Still, is
that the latest kernel you have available?  F14 has 2.6.35 and Linus and
crew have declared that version to be the latest LTS (Long Term Support)
branch.  Based on your config and your version, you may well be running
into that bug described over in the StrongSwan list and your only real
option will be a newer kernel if that's true.  If you are dead set
against configuring IPv6 (hard stack or module) then you really have no
choice but to upgrade.  If you are not dead set against IPv6, then the
solution to avoid the bug would appear to be obvious and maybe you don't
need a new kernel then.  And there you have your reason for enabling it.

Enabling IPv6 support gives you access to some of the newer sites on the
net which may be IPv6 only.  There are IPv6 only web sites, bittorrent
sites, ftp sites, etc, etc, etc...  For us in Fedora land, there are
even Fedora repositories which are IPv6 only (and faster since the load
is lighter on them...  :-) ).  It's your choice.  If your provider
provides it native, it's a no-brainer, just turn it on and it just works
(should be enabled by default in Gentoo).  If not, 6to4 works well
unless you're behind a NAT.  If you are behind a NAT, there are other
tunnels available, like Teredo/Miredo and TSP or AYIYA.  There in .cz
land you might check out SixXS for more info.  They'll provide you with
an entire /48 address space that's globally addressable with 65,536 /64
subnets of 16 billion * billion host addresses per subnet.  No NAT
required...

Asking for a reason to enable it is the wrong question.  Nowadays
there's really no reason NOT to enable it, any more than there's a reason
to NOT enable IPv4.

Bottom line...  At this point, it appears to be that you have two
options.  One, upgrade to a newer kernel which does not have the bug and
leave IPv6 turned off.  Two, turn IPv6 on and avoid the bug.  That's it.
One or the other.  Short of that, there's not much we can do to help you
since it's a kernel bug and not an Openswan problem.  If you do one of
those two actions and you STILL have the problem, then we might have
something else to look at but it still looks like a kernel problem since
Netkey is reporting the error and Netkey is in the kernel.

Regards,
Mike

> Michael H. Warfield wrote:
> > Hello,
> > 
> > On Thu, 2010-12-30 at 00:40 +0100, Martin Mokrejs wrote:
> >> Hi,
> >>   I found this thread at https://lists.strongswan.org/pipermail/users/2010-April/004748.html
> >> and I think it might be related to my issue with openswan-2.6.31.
> > 
> > I'm having some problems with this message.  Is this your first post on
> > this subject to this list?  I don't recall having seen it before but I
> > could well have deleted it.  But I don't see any "in response to"
> > header or "thread id" header either (but they're not required).  I'm
> 
> I did not want to puzzle anybody, I just handcrafted the $Subject line
> based on the above message from Apr 2010 in the other list, sorry for
> the mess.
> 
> > also not finding it by searching on your subject wrt Openswan.  If you
> > have posted on this subject before, forgive me for asking for what may
> > be redundant information but I just simply don't have the background
> > information on your problem.
> > 
> > The posting on the StrongSwan list was for the 2.6.31 Linux kernel, not
> > the 2.6.31 Openswan version.  Unfortunately, yes, these numbers are
> > confusingly similar right at the moment so I have to ask to be precise
> > in labeling what it is we are talking about.
> 
> I will shut down the computer as I need some sleep and tomorrow will try
> booting with newer kernels (I use this 2.6.27.57 but test newer ones from
> time to time).
> 
> > 
> >> [cut]
> >> # ipsec whack --name cisco-client --xauthname mylogin --xauthpass mypass --initiate
> >> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
> >> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
> >> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
> >> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
> >> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
> >> 002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
> >> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
> >> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
> >> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
> >> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
> >> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
> >> 112 "cisco-client" #1: STATE_AGGR_I1: initiate
> >> 003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
> >> 003 "cisco-client" #1: received Vendor ID payload [XAUTH]
> >> 003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
> >> 003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
> >> 003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
> >> 003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> >> 003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
> >> 002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
> >> 003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
> >> 002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
> >> 004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> >> 041 "cisco-client" #1: cisco-client prompt for Username:
> >> 002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='mylogin'
> >> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> >> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> >> 002 "cisco-client" #1: XAUTH: Successfully Authenticated
> >> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
> >> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
> >> 002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
> >> 002 "cisco-client" #1: received mode cfg reply
> >> 002 "cisco-client" #1: setting client address to 172.16.3.90/32
> >> 002 "cisco-client" #1: setting ip source address to 172.16.3.90/32
> >> 002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
> >> 002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
> >> 004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
> >> 002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
> >> 117 "cisco-client" #2: STATE_QUICK_I1: initiate
> >> 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
> >> 032 "cisco-client" #2: STATE_QUICK_I1: internal error
> >> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
> >> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
> >> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
> >> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
> >> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
> >> 031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
> >> 000 "cisco-client" #2: starting keying attempt 2 of an unlimited number, but releasing whack
> > 
> > Ok...  So I see you are getting the error 93 from Netkey.  So it didn't
> > like the transform that was attempted to be loaded.  I got that much...
> > 
> >>   Probably, the patch related to your issue went into 2.6.25 ...
> 
> ------------------------------------^^^^ I meant the author of the
>                                          Apr 2010 message, hoping to get some
>                                          answer soon ;-)
> 
> 
> > I'm the author of some of that patch, at least the multiple proposals
> > patch, which you do appear to have since some of the error messages I
> > worked on appear in your log above.
> 
> Great! I was too lazy to inspect the sources or check if that was
> ever reverted or so ...
> 
> > 
> >> http://lists.openwall.net/netdev/2008/04/03/35 . 
> >>   Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html
> > 
> > Same error.  Very doubtful it's the same problem.
> 
> OK, was a Google-hit. ;)
> 
> 
> >> My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
> >> I am missing anything in my kernel .config (attached). :(
> > 
> > Now I'm lost, or somewhat dazed and confused...  You're on Linux kernel
> > 2.6.27.57 (that's the latest version in the 2.6.27 branch), I get that.
> > What fix are you referring to?  My patch was to Openswan, not to the
> 
> Although not a "fix", it seems there was some change between 2.6.27 and 2.6.31
> which I suspect I am missing in 2.6.27.57 (it would have to have made it into the
> Linux kernel with 2.6.28 or above). The "fix" I am referring to is:
> https://lists.strongswan.org/pipermail/users/2010-April/004748.html
> 
> > kernel (I am a kernel maintainer but not in that area).  I gather that
> > you are trying Openswan 2.6.31 on top of the 2.6.27.57 kernel, correct?
> 
> Yes.
> 
> > Now the 2.6.27.57 kernel would be PRIOR to the 2.6.31 kernel referred to
> > in the Strongswan thread.  Make sure you are not mixing apples and
> > oranges here.  I have no clue if the bug they describe impacts 2.6.27.x
> > but it very well may and you may very well need to get a newer kernel.
> 
> The question is whether "the fix" (invented between 2.6.27 and 2.6.31 kernel)
> was applied over 2.6.27 branch. ;-)
> 
> > 
> > The next obvious question is...  That bug is predicated on having IPv6
> > disabled.  Have you somehow disabled IPv6 for some reason?  If so, WHY?
> > The time for IPv4-only is now long past.  IANA is about to assign out
> > the last IPv4 blocks it has and we're done.  I just flat out don't
> > operate without IPv6 (and I have enough IPv6 only resources I depend on
> > that I couldn't even if I wanted to).  I probably will NOT be able to
> > help you if you are running with v6 disabled and have to for some
> > strange reason.  It's no longer a viable configuration in my
> > environment.
> 
> # ifconfig -a
> eth0      Link encap:Ethernet  HWaddr 00:e0:xx:xx:xx:xx  
>           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:56553 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:53327 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000 
>           RX bytes:38854223 (37.0 MiB)  TX bytes:30897029 (29.4 MiB)
>           Interrupt:11 Base address:0xa000 
> 
> So what should be my IPv6 address?
> 
> > 
> > So...  Let's go down the basics...
> > 
> > Distro?  Ubuntu/Fedora/RedHat/CentOS/other?
> Gentoo
> 
> > Distro version?
> Devel, ~x86 ;)
> 
> > Architecture?
> x86 (pentium4-m based i686)
> 
> > Kernel version (2.6.27.57 I presume - please confirm)?
> yes
> 
> > Distro install or custom build?
> my own build, I remember Linux Slackware 0.9 days ;-)
> 
> > Openswan version (2.6.31 I presume - please confirm)?
> 2.6.31 and 2.6.32 tested meanwhile as well
> 
> > Distro install (highly unlikely given the age of that kernel) or custom?
> no customizations
> 
> 
> I wonder whether -DKLIPS in $CFLAGS does somehow break my binaries.
> Please see http://bugs.gentoo.org/show_bug.cgi?id=350107 which I have just
> opened. It could be a wrong package setup in Gentoo resulting in misconfigured
> compilation.
> 
> Thanks for the below comments!
> Martin
> 
> > 
> >> Any clues? Thanks,
> >> Martin
> >>
> >> For completeness, here is part of my setup in /etc/ipsec.conf:
> >>
> >> conn cisco-client
> >>         ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
> >                                                   ^^^^^^^^^^^^^^^^^^^^^^^
> > You haven't specified the DH group for these two so that's why you are
> > seeing the errors about "multiple DH groups were set in aggressive mode.
> > Only first one used."  Those are somewhat cosmetic and it will only use
> > the first DH group encountered (modp1024 from the first proposal).
> > 
> >>         aggrmode=yes # if no aggrmode is set I get no connection
> > 
> > Correct.  The Cisco ASA is going to insist on using aggressive mode.
> > 
> >>         authby=secret
> >>         left=%defaultroute
> >>         leftmodecfgclient=yes
> >>         leftxauthclient=yes
> >>         leftid=@my-group-name
> >>         right=x.x.x.x
> >>         rightxauthserver=yes
> >>         rightmodecfgserver=yes
> >>         modecfgpull=yes
> >>         pfs=no
> >>         auto=add
> >>         # XAUTH connections cannot rekey, set the next to `no'
> >>         rekey=no
> > 
> > The rest looks ok to me but it's hard to tell without a lot more
> > background.
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
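The two checks this thread boils down to, as an added diagnostic example (not code from the thread, from Openswan or from the kernel): one function scans a kernel .config for the options Michael quotes as disabled, and a second splits the ike= line from Martin's ipsec.conf into proposals and reports which of them leave the DH group implicit, which is what triggers the "multiple DH groups were set in aggressive mode" warning. The sample .config text is constructed from the four lines quoted in the reply plus one made-up CONFIG_INET=y line to exercise the "=y" form; the ike= value is the one from the thread.

```python
import re

# Constructed sample: the four lines quoted in the reply plus one
# enabled option (CONFIG_INET=y, constructed) to show the "=y" form.
SAMPLE_CONFIG = """\
# CONFIG_TCP_MD5SIG is not set
# CONFIG_IPV6 is not set
# CONFIG_NETWORK_SECMARK is not set
# CONFIG_NETFILTER is not set
CONFIG_INET=y
"""

# The options Michael calls out; any other list can be passed in.
DEFAULT_OPTIONS = (
    "CONFIG_IPV6",
    "CONFIG_NETFILTER",
    "CONFIG_NETWORK_SECMARK",
    "CONFIG_TCP_MD5SIG",
)

_NOT_SET = re.compile(r"^# (CONFIG_\w+) is not set$")
_ASSIGN = re.compile(r"^(CONFIG_\w+)=(.+)$")


def parse_kernel_config(config_text):
    """Map every option mentioned in a .config to its value.

    Kconfig writes disabled options as '# CONFIG_X is not set'; those are
    recorded as 'n'.  Enabled options appear as 'CONFIG_X=y', '=m' or a
    quoted string / number and keep that value verbatim.
    """
    state = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = _NOT_SET.match(line)
        if m:
            state[m.group(1)] = "n"
            continue
        m = _ASSIGN.match(line)
        if m:
            state[m.group(1)] = m.group(2)
    return state


def check_kernel_config(config_text, wanted=DEFAULT_OPTIONS):
    """Return {option: value} for the options of interest.

    An option that never appears in the file is reported as 'missing'
    (usually a dependency hid it), which for diagnosis is as bad as 'n'.
    """
    state = parse_kernel_config(config_text)
    return {opt: state.get(opt, "missing") for opt in wanted}


def disabled_options(config_text, wanted=DEFAULT_OPTIONS):
    """Sorted list of the wanted options that are off or absent."""
    report = check_kernel_config(config_text, wanted)
    return sorted(opt for opt, val in report.items() if val in ("n", "missing"))


def parse_ike_proposals(ike_line):
    """Split an Openswan ike= value into per-proposal dicts.

    Handles the hyphenated 'cipher-hash[-modpNNNN]' form used in the
    thread ('3des-md5-modp1024').  The DH group is optional, which is
    exactly what produced the 'multiple DH groups' warning.
    """
    proposals = []
    for item in ike_line.split(","):
        parts = item.strip().split("-")
        if not parts or not parts[0]:
            continue
        group = next((p for p in parts[2:] if p.startswith("modp")), None)
        proposals.append({
            "text": item.strip(),
            "cipher": parts[0],
            "hash": parts[1] if len(parts) > 1 else None,
            "group": group,
        })
    return proposals


def proposals_without_group(ike_line):
    """Proposals that leave the DH group implicit."""
    return [p["text"] for p in parse_ike_proposals(ike_line) if p["group"] is None]


def first_dh_group(ike_line):
    """The first explicit group in the list; per the reply, aggressive
    mode uses only this one and ignores any later ones."""
    for p in parse_ike_proposals(ike_line):
        if p["group"]:
            return p["group"]
    return None


if __name__ == "__main__":
    print("disabled/missing:", disabled_options(SAMPLE_CONFIG))
    ike = "3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1"
    print("no explicit DH group:", proposals_without_group(ike))
    print("group used in aggressive mode:", first_dh_group(ike))
```

Run against a real file with `disabled_options(open("/usr/src/linux/.config").read())`; any option the list reports is one to flip before rebuilding, and `first_dh_group` tells you which modp group the aggressive-mode exchange will actually carry regardless of how many proposals follow.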
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/users/attachments/20101229/05182dc9/attachment.bin 