[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Martin Mokrejs mmokrejs at fold.natur.cuni.cz
Thu Dec 30 07:45:44 EST 2010


Michael H. Warfield wrote:
> On Thu, 2010-12-30 at 02:34 +0100, Martin Mokrejs wrote:
>> Hi Michael,
>>   it is a bit late here so that might answer some of your questions. ;)
>> Yes, it is my first post to this list, I deliberately posted to
>> openswan although referring to strongswan message from the past.
>> Yes, I have linux-2.6.27.57 kernel with IPv6 support (hope that could be
>> seen in my .config file ... and sorry, I accidentally left in the filename
>> .gz), I see no reason for IPv6 support unless I configure IPv6 (Gentoo
>> Linux). In theory I could enable the IPv6 support but wonder what it
>> gives to me. ;))
>>   Yes, I tried openswan-2.6.31 and now also 2.6.32, as I found there
>> is a newer release but with same error in the end.
> 
> Ok...  So...  Let me see if I can address some of this...
> 
>> "Yes, I have linux-2.6.27.57 kernel with IPv6 support"...
> 
> Wait a minute.  Was that a typo?  I just went back to your config and
> found this...

Yes, I forgot the "no" word in the sentence. But you got it right from the
.config.

> 
> # CONFIG_TCP_MD5SIG is not set
> # CONFIG_IPV6 is not set
> # CONFIG_NETWORK_SECMARK is not set
> # CONFIG_NETFILTER is not set
> 
> That's not good.  Did you mean "without IPv6" instead?  That changes the
> meaning of your statement and explains a LOT.  Personally I would also
> change those others as well to yes.  SECMARK is useful for firewall code
> and the MD5 stuff is used by things like BGP (which you may not care
> about).  I care about the MD5 stuff since I'm also the author of much of
> the MD5 logic in the BGP daemon in the quagga routing suite as
> well.  :-P  Do you really want a kernel with no firewalling (NETFILTER)?
> That can not possibly be a stock Gentoo kernel there.

This is my personal laptop computer, I just want to connect to some
Cisco-firewalled network. I do not use a firewall in my Linux kernel,
I have my own home firewall and that is enough for me.

> 
> "I see no reason for IPv6 support unless I configure IPv6"...
> 
> Sorry...  Does not compute.  That's like saying "I see no reason for
> IPv4 support unless I configure IPv4."  IPv6 is a fact of life right now
> on the net.  In fact, looking at my BGP tables, the routing tables now
> support more IPv6 (advertised) /48 networks than IPv4 (advertised)
> unicast addresses.  Might as well get with the program, it's here today
> right now, and has been globally functional for over half a decade or
> more in production.  In fact (I see you are in .cz) the US DoD has just
> announced that they will soon not be doing business with people whose
> sites are not IPv6 enabled and functional (not that this would be a big
> deal to you).
> 
> Ok...  You're on Gentoo.  I'm not a big Gentoo fan, myself but some of
> my teammates are.  I may run some of this by them.  Personally, I use
> Fedora for most things (just upgraded several dozen systems to F14) with
> some smattering of Ubuntu for my wife, kids, and grandkids.  Still, is
> that the latest kernel you have available?  F14 has 2.6.35 and Linus and
> crew have declared that version to be the latest LTS (Long Term Support)
> branch.  Based on your config and your version, you may well be running
> into that bug described over in the StrongSwan list and your only real
> option will be a newer kernel if that's true.  If you are dead set
> against configuring IPv6 (hard stack or module) then you really have no
> choice but to upgrade.  If you are not dead set against IPv6, then the
> solution to avoid the bug would appear to be obvious and maybe you don't
> need a new kernel then.  And there you have your reason for enabling it.

But that would be set in my home router, university router, etc. I am always
on some internal network which to my knowledge/ignorance is IPv4-only
and I don't know what IPv6 would give me in addition except making my kernel
larger and slower. ;-) The firewall anyway translates my internal IPv4 address
to something else.

> 
> Enabling IPv6 support gives you access to some of the newer sites on the
> net which may be IPv6 only.  There are IPv6 only web sites, bittorrent
> sites, ftp sites, etc, etc, etc...  For us in Fedora land, there are
> even Fedora repositories which are IPv6 only (and faster since the load
> is lighter on them...  :-) ).  It's your choice.  If your provider
> provides it native, it's a no brainer, just turn it on and it just works
> (should be enabled by default in Gentoo).  If not, 6to4 works well
> unless you're behind a NAT.  If you are behind a NAT, there are other
> tunnels available, like Teredo/Miredo and TSP or AYIYA.  There in .cz

I am always behind some NAT, be it my home cable modem router or university
Cisco(s).

> land you might check out SixXS for more info.  They'll provide you with
> an entire /48 address space that's globally addressable with 65,536 /64
> subnets of 16 billion * billion host addresses per subnet.  No NAT
> required...
> 
> Asking for a reason to enable it is the wrong question.  Now days
> there's really no reason NOT to enable it any more than there's a reason
> to NOT enable IPv4.
> 
> Bottom line...  At this point, it appears to be that you have two
> options.  One, upgrade to a newer kernel which does not have the bug and
> leave IPv6 turned off.  Two, turn IPv6 on and avoid the bug.  That's it.

I would rather ask once again what is missing in the 2.6.27.57 kernel
or what has to be patched and report to LKML. ;)

> One or the other.  Short of that, there's not much we can do to help you
> since it's a kernel bug and not an Openswan problem.  If you do one of

But you have the knowledge, so you can probably figure out what is broken in the
vanilla kernel.

> those two actions and you STILL have the problem, then we might have
> something else to look at but it still looks like a kernel problem since
> Netkey is reporting the error and Netkey is in the kernel.

# uname -a
Linux vrapenec 2.6.33.1 #1 Sat Mar 20 06:17:25 CET 2010 i686 Mobile Intel(R) Pentium(R) 4 - M CPU 1.80GHz GenuineIntel GNU/Linux
# /etc/init.d/ipsec start; ipsec whack --name cisco-client --xauthname myname --xauthpass mypass --initiate
 * Starting IPSec ...
ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.33.1...   [ ok ]
# ipsec whack --name cisco-client --xauthname MokrejsM --xauthpass 5afe9D --initiate
002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
112 "cisco-client" #1: STATE_AGGR_I1: initiate
003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
003 "cisco-client" #1: received Vendor ID payload [XAUTH]
003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'A.A.A.A'
003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
041 "cisco-client" #1: cisco-client prompt for Username:
002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='myname'
002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "cisco-client" #1: XAUTH: Successfully Authenticated
002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
002 "cisco-client" #1: received mode cfg reply
002 "cisco-client" #1: setting client address to 172.16.3.91/32
002 "cisco-client" #1: setting ip source address to 172.16.3.91/32
002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:4789c656 proposal=defaults pfsgroup=no-pfs}
117 "cisco-client" #2: STATE_QUICK_I1: initiate
002 "cisco-client" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "cisco-client" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa20c067d <0x86271318 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
#

Hmm, "ifconfig -a" doesn't show me any new interface.

The .config of the 2.6.33.1 kernel is attached. I will try meanwhile versions between 2.6.28
and narrow down the problem manifesting when no IPv6 is in the kernel.

In more detail, from /var/log/messages:

Dec 30 12:55:50 vrapenec ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.33.1...
Dec 30 12:55:50 vrapenec ipsec_setup: Using NETKEY(XFRM) stack
Dec 30 12:55:51 vrapenec ipsec__plutorun: Starting Pluto subsystem...
Dec 30 12:55:51 vrapenec ipsec_setup: ...Openswan IPsec started
Dec 30 12:55:51 vrapenec ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Dec 30 12:55:51 vrapenec pluto: adjusting ipsec.d to /etc/ipsec.d
Dec 30 12:55:51 vrapenec pluto[2751]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:2751
Dec 30 12:55:51 vrapenec pluto[2751]: LEAK_DETECTIVE support [disabled]
Dec 30 12:55:51 vrapenec pluto[2751]: OCF support for IKE [disabled]
Dec 30 12:55:51 vrapenec pluto[2751]: SAref support [disabled]: Protocol not available
Dec 30 12:55:51 vrapenec pluto[2751]: SAbind support [disabled]: Protocol not available
Dec 30 12:55:51 vrapenec pluto[2751]: NSS support [disabled]
Dec 30 12:55:51 vrapenec pluto[2751]: HAVE_STATSD notification support not compiled in
Dec 30 12:55:51 vrapenec pluto[2751]: Setting NAT-Traversal port-4500 floating to on
Dec 30 12:55:51 vrapenec pluto[2751]:    port floating activation criteria nat_t=1/port_float=1
Dec 30 12:55:51 vrapenec pluto[2751]:    NAT-Traversal support  [enabled]
Dec 30 12:55:51 vrapenec pluto[2751]: using /dev/urandom as source of random entropy
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 30 12:55:51 vrapenec pluto[2751]: no helpers will be started, all cryptographic operations will be done inline
Dec 30 12:55:51 vrapenec pluto[2751]: Kernel interface auto-pick
Dec 30 12:55:51 vrapenec pluto[2751]: Using Linux 2.6 IPsec interface code on 2.6.33.1 (experimental code)
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_add(): ERROR: Algorithm already exists
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_add(): ERROR: Algorithm already exists
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_add(): ERROR: Algorithm already exists
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_add(): ERROR: Algorithm already exists
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_add(): ERROR: Algorithm already exists
Dec 30 12:55:51 vrapenec pluto[2751]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 30 12:55:51 vrapenec pluto[2751]: Changed path to directory '/etc/ipsec.d/cacerts'
Dec 30 12:55:51 vrapenec pluto[2751]: Changed path to directory '/etc/ipsec.d/aacerts'
Dec 30 12:55:51 vrapenec pluto[2751]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Dec 30 12:55:51 vrapenec pluto[2751]: Changing to directory '/etc/ipsec.d/crls'
Dec 30 12:55:51 vrapenec pluto[2751]:   Warning: empty directory
Dec 30 12:55:51 vrapenec ipsec__plutorun: 002 added connection description "cisco-client"
Dec 30 12:55:51 vrapenec pluto[2751]: added connection description "cisco-client"
Dec 30 12:55:51 vrapenec pluto[2751]: listening for IKE messages
Dec 30 12:55:51 vrapenec pluto[2751]: adding interface tun0/tun0 192.168.251.6:500
Dec 30 12:55:51 vrapenec pluto[2751]: adding interface tun0/tun0 192.168.251.6:4500
Dec 30 12:55:51 vrapenec pluto[2751]: adding interface eth0/eth0 192.168.0.2:500
Dec 30 12:55:51 vrapenec pluto[2751]: adding interface eth0/eth0 192.168.0.2:4500
Dec 30 12:55:51 vrapenec pluto[2751]: adding interface lo/lo 127.0.0.1:500
Dec 30 12:55:51 vrapenec pluto[2751]: adding interface lo/lo 127.0.0.1:4500
Dec 30 12:55:51 vrapenec pluto[2751]: loading secrets from "/etc/ipsec.secrets"
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: received Vendor ID payload [XAUTH]
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'A.A.A.A'
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='myname'
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: XAUTH: Successfully Authenticated
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: received mode cfg reply
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: setting client address to 172.16.3.91/32
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: setting ip source address to 172.16.3.91/32
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:4789c656 proposal=defaults pfsgroup=no-pfs}
Dec 30 12:56:01 vrapenec kernel: alg: No test for authenc(hmac(sha1),cbc(des3_ede)) (authenc(hmac(sha1-generic),cbc(des3_ede-generic)))
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Dec 30 12:56:01 vrapenec pluto[2751]: "cisco-client" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa20c067d <0x86271318 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
Dec 30 12:56:04 vrapenec pluto[2751]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to A.A.A.A port 4500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 12:56:09 vrapenec pluto[2751]: "cisco-client" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Dec 30 12:56:12 vrapenec pluto[2751]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to A.A.A.A port 4500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 12:56:17 vrapenec pluto[2751]: "cisco-client" #2: retransmitting in response to duplicate packet; already STATE_QUICK_I2
Dec 30 12:56:20 vrapenec pluto[2751]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to A.A.A.A port 4500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 12:56:25 vrapenec pluto[2751]: "cisco-client" #2: discarding duplicate packet -- exhausted retransmission; already STATE_QUICK_I2
Dec 30 12:56:33 vrapenec pluto[2751]: "cisco-client" #1: received Delete SA payload: replace IPSEC State #2 in 10 seconds
Dec 30 12:56:33 vrapenec pluto[2751]: "cisco-client" #1: received and ignored informational message
Dec 30 12:56:33 vrapenec pluto[2751]: "cisco-client" #1: received Delete SA payload: deleting ISAKMP State #1
Dec 30 12:56:33 vrapenec pluto[2751]: packet from A.A.A.A:4500: received and ignored informational message
Dec 30 12:56:36 vrapenec pluto[2751]: ERROR: asynchronous network error report on eth0 (sport=4500) for message to A.A.A.A port 4500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 12:56:43 vrapenec pluto[2751]: "cisco-client" #3: initiating Aggressive Mode #3, connection "cisco-client"
Dec 30 12:56:44 vrapenec pluto[2751]: "cisco-client" #3: ERROR: asynchronous network error report on eth0 (sport=500) for message to A.A.A.A port 500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 12:56:53 vrapenec pluto[2751]: "cisco-client" #2: IPsec SA expired (--dontrekey)
Dec 30 12:56:56 vrapenec pluto[2751]: "cisco-client" #3: ERROR: asynchronous network error report on eth0 (sport=500) for message to A.A.A.A port 500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
[cut]
Dec 30 13:09:54 vrapenec pluto[2751]: "cisco-client" #3: max number of retransmissions (20) reached STATE_AGGR_I1
Dec 30 13:09:54 vrapenec pluto[2751]: "cisco-client" #3: starting keying attempt 2 of an unlimited number
Dec 30 13:09:54 vrapenec pluto[2751]: "cisco-client" #4: initiating Aggressive Mode #4 to replace #3, connection "cisco-client"
Dec 30 13:09:57 vrapenec pluto[2751]: "cisco-client" #4: ERROR: asynchronous network error report on eth0 (sport=500) for message to A.A.A.A port 500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]


# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
A.A.A.A   0.0.0.0         255.255.255.255 UH        0 0          0 eth0
192.168.251.5   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.251.1   192.168.251.5   255.255.255.255 UGH       0 0          0 tun0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
127.0.0.0       127.0.0.1       255.0.0.0       UG        0 0          0 lo
0.0.0.0         192.168.0.1     0.0.0.0         UG        0 0          0 eth0
#

Ignore 192.168.251.x, it is OpenVPN stuff. ;-)

# route del -host A.A.A.A

That moved me a bit further:

Dec 30 13:35:52 vrapenec pluto[2751]: initiate on demand from 172.16.3.91:36817 to A.A.A.A:1025 proto=17 state: fos_start because: acquire
Dec 30 13:36:16 vrapenec pluto[2751]: "cisco-client" #5: max number of retransmissions (20) reached STATE_AGGR_I1
Dec 30 13:36:16 vrapenec pluto[2751]: "cisco-client" #5: starting keying attempt 4 of an unlimited number
Dec 30 13:36:16 vrapenec pluto[2751]: "cisco-client" #6: initiating Aggressive Mode #6 to replace #5, connection "cisco-client"
Dec 30 13:36:19 vrapenec pluto[2751]: "cisco-client" #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to A.A.A.A port 500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 13:36:29 vrapenec pluto[2751]: "cisco-client" #6: ERROR: asynchronous network error report on eth0 (sport=500) for message to A.A.A.A port 500, complainant 192.168.0.2: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: received Vendor ID payload [Cisco-Unity]
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: received Vendor ID payload [XAUTH]
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: received Vendor ID payload [Dead Peer Detection]
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: Aggressive mode peer ID is ID_IPV4_ADDR: 'A.A.A.A'
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: XAUTH username requested, but no file descriptor available for prompt
Dec 30 13:36:46 vrapenec pluto[2751]: "cisco-client" #6: sending encrypted notification CERTIFICATE_UNAVAILABLE to A.A.A.A:4500
Dec 30 13:37:16 vrapenec pluto[2751]: "cisco-client" #6: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Dec 30 13:37:16 vrapenec pluto[2751]: "cisco-client" #6: sending encrypted notification INVALID_PAYLOAD_TYPE to A.A.A.A:4500
Dec 30 13:37:46 vrapenec pluto[2751]: "cisco-client" #6: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Dec 30 13:37:46 vrapenec pluto[2751]: "cisco-client" #6: sending encrypted notification INVALID_PAYLOAD_TYPE to A.A.A.A:4500
Dec 30 13:38:16 vrapenec pluto[2751]: "cisco-client" #6: message ignored because it contains an unexpected payload type (ISAKMP_NEXT_HASH)
Dec 30 13:38:16 vrapenec pluto[2751]: "cisco-client" #6: sending encrypted notification INVALID_PAYLOAD_TYPE to 195.113.70.98:4500
Dec 30 13:38:46 vrapenec pluto[2751]: "cisco-client" #6: received Delete SA payload: deleting ISAKMP State #6
Dec 30 13:38:46 vrapenec pluto[2751]: packet from 195.113.70.98:4500: received and ignored informational message


The network setup as far as I know is:

me (192.168.0.2) - home router internal (192.168.0.1) - home router external (78.102.76.40)
          ----- ISP's router (78.102.76.1) ------------------------- cisco (A.A.A.A) - bunch of internal IPv4 networks


What should I do next? ;-)
Thanks!
Martin

> 
> Regards,
> Mike
> 
>> Michael H. Warfield wrote:
>>> Hello,
>>>
>>> On Thu, 2010-12-30 at 00:40 +0100, Martin Mokrejs wrote:
>>>> Hi,
>>>>   I found this thread at https://lists.strongswan.org/pipermail/users/2010-April/004748.html
>>>> and I think it might be related to my issue with openswan-2.6.31.
>>>
>>> I'm having some problems with this message.  Is this your first post on
>>> this subject to this list?  I don't recall having seen it before but I
>>> could well have deleted it.  But I don't see any "in response to"
>>> header or "thread id" header either (but they're not required).  I'm
>>
>> I did not want to puzzle anybody, I just handcrafted the $Subject line
>> based on the above message from Apr 2010 in the other list, sorry for
>> the mess.
>>
>>> also not finding it by searching on your subject wrt Openswan.  If you
>>> have posted on this subject before, forgive me for asking for what may
>>> be redundant information but I just simply don't have the background
>>> information on your problem.
>>>
>>> The posting on the StrongSwan list was for the 2.6.31 Linux kernel, not
>>> the 2.6.31 Openswan version.  Unfortunately, yes, these numbers are
>>> confusingly similar right at the moment so I have to ask to be precise
>>> in labeling what it is we are talking about.
>>
>> I will shut down the computer as I need some sleep and tomorrow I will try to
>> boot with newer kernels (I use this 2.6.27.57 but test newer ones from time
>> to time).
>>
>>>
>>>> [cut]
>>>> # ipsec whack --name cisco-client --xauthname mylogin --xauthpass mypass --initiate
>>>> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
>>>> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
>>>> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
>>>> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
>>>> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
>>>> 002 "cisco-client" #1: initiating Aggressive Mode #1, connection "cisco-client"
>>>> 003 "cisco-client" #1: multiple DH groups were set in aggressive mode. Only first one used.
>>>> 003 "cisco-client" #1: transform (7,1,5,128) ignored.
>>>> 003 "cisco-client" #1: transform (7,1,2,128) ignored.
>>>> 003 "cisco-client" #1: transform (7,2,5,192) ignored.
>>>> 003 "cisco-client" #1: transform (7,2,2,192) ignored.
>>>> 112 "cisco-client" #1: STATE_AGGR_I1: initiate
>>>> 003 "cisco-client" #1: received Vendor ID payload [Cisco-Unity]
>>>> 003 "cisco-client" #1: received Vendor ID payload [XAUTH]
>>>> 003 "cisco-client" #1: received Vendor ID payload [Dead Peer Detection]
>>>> 003 "cisco-client" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 
>>>> 003 "cisco-client" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
>>>> 003 "cisco-client" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
>>>> 003 "cisco-client" #1: protocol/port in Phase 1 ID Payload must be 0/0 or 17/500 but are 17/0
>>>> 002 "cisco-client" #1: Aggressive mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
>>>> 003 "cisco-client" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed
>>>> 002 "cisco-client" #1: transition from state STATE_AGGR_I1 to state STATE_AGGR_I2
>>>> 004 "cisco-client" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
>>>> 041 "cisco-client" #1: cisco-client prompt for Username:
>>>> 002 "cisco-client" #1: XAUTH: Answering XAUTH challenge with user='mylogin'
>>>> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>>>> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>>>> 002 "cisco-client" #1: XAUTH: Successfully Authenticated
>>>> 002 "cisco-client" #1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1
>>>> 004 "cisco-client" #1: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
>>>> 002 "cisco-client" #1: modecfg: Sending IP request (MODECFG_I1)
>>>> 002 "cisco-client" #1: received mode cfg reply
>>>> 002 "cisco-client" #1: setting client address to 172.16.3.90/32
>>>> 002 "cisco-client" #1: setting ip source address to 172.16.3.90/32
>>>> 002 "cisco-client" #1: Received IP4 NETMASK 255.255.255.0
>>>> 002 "cisco-client" #1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4
>>>> 004 "cisco-client" #1: STATE_MAIN_I4: ISAKMP SA established
>>>> 002 "cisco-client" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+DONTREKEY+UP+MODECFGPULL+AGGRESSIVE+IKEv2ALLOW {using isakmp#1 msgid:e0e90c60 proposal=defaults pfsgroup=no-pfs}
>>>> 117 "cisco-client" #2: STATE_QUICK_I1: initiate
>>>> 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
>>>> 032 "cisco-client" #2: STATE_QUICK_I1: internal error
>>>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>>>> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
>>>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>>>> 003 "cisco-client" #2: discarding duplicate packet; already STATE_QUICK_I1
>>>> 010 "cisco-client" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
>>>> 031 "cisco-client" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
>>>> 000 "cisco-client" #2: starting keying attempt 2 of an unlimited number, but releasing whack
>>>
>>> Ok...  So I see you are getting the error 93 from Netkey.  So it didn't
>>> like the transform that was attempted to be loaded.  I got that much...
>>>
>>>>   Probably, the patch related to your issue went into 2.6.25 ...
>>
>> ------------------------------------^^^^ have meant the author of the
>>                                          Apr 2010 message, hoping to get some
>>                                          answer soon ;-)
>>
>>
>>> I'm the author of some of that patch, at least the multiple proposals
>>> patch, which you do appear to have since some of the error messages I
>>> worked on appear in your log above.
>>
>> Great! I was too lazy to learn to inspect the sources or check if that was
>> ever reverted or so ...
>>
>>>
>>>> http://lists.openwall.net/netdev/2008/04/03/35 . 
>>>>   Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html
>>>
>>> Same error.  Very doubtful it's the same problem.
>>
>> OK, was a Google-hit. ;)
>>
>>
>>>> My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
>>>> I am missing anything in my kernel .config (attached). :(
>>>
>>> Now I'm lost, or somewhat dazed and confused...  You're on Linux kernel
>>> 2.6.27.57 (that's the latest version in the 2.6.27 branch), I get that.
>>> What fix are you referring to?  My patch was to Openswan, not to the
>>
>> Although not a "fix", it seems there was some change between 2.6.27 and 2.6.31
>> which I suspect I am missing in 2.6.27.57 (it would have had to make it into the
>> linux kernel with 2.6.28 or above). The "fix" I am referring to is:
>> https://lists.strongswan.org/pipermail/users/2010-April/004748.html
>>
>>> kernel (I am a kernel maintainer but not in that area).  I gather that
>>> you are trying Openswan 2.6.31 on top of the 2.6.27.57 kernel, correct?
>>
>> Yes.
>>
>>> Now the 2.6.27.57 kernel would be PRIOR to the 2.6.31 kernel referred to
>>> in the Strongswan thread.  Make sure you are not mixing apples and
>>> oranges here.  I have no clue if the bug they describe impacts 2.6.27.x
>>> but it very well may and you may very well need to get a newer kernel.
>>
>> The question is whether "the fix" (invented between 2.6.27 and 2.6.31 kernel)
>> was applied over 2.6.27 branch. ;-)
>>
>>>
>>> The next obvious question is...  That bug is predicated on having IPv6
>>> disabled.  Have you somehow disabled IPv6 for some reason?  If so, WHY?
>>> The time for IPv4-only is now long past.  IANA is about to assign out
>>> the last IPv4 blocks it has and we're done.  I just flat out don't
>>> operate without IPv6 (and I have enough IPv6 only resources I depend on
>>> that I couldn't even if I wanted to).  I probably will NOT be able to
>>> help you if you are running with v6 disabled and have to for some
>>> strange reason.  It's no longer a viable configuration in my
>>> environment.
>>
>> # ifconfig -a
>> eth0      Link encap:Ethernet  HWaddr 00:e0:xx:xx:xx:xx  
>>           inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
>>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>>           RX packets:56553 errors:0 dropped:0 overruns:0 frame:0
>>           TX packets:53327 errors:0 dropped:0 overruns:0 carrier:0
>>           collisions:0 txqueuelen:1000 
>>           RX bytes:38854223 (37.0 MiB)  TX bytes:30897029 (29.4 MiB)
>>           Interrupt:11 Base address:0xa000 
>>
>> So what should be my IPv6 address?
>>
>>>
>>> So...  Let's go down the basics...
>>>
>>> Distro?  Ubuntu/Fedora/RedHat/CentOS/other?
>> Gentoo
>>
>>> Distro version?
>> Devel, ~x86 ;)
>>
>>> Architecture?
>> x86 (pentium4-m based i686)
>>
>>> Kernel version (2.6.27.57 I presume - please confirm)?
>> yes
>>
>>> Distro install or custom build?
>> my own build, I remember Linux Slackware 0.9 days ;-)
>>
>>> Openswan version (2.6.31 I presume - please confirm)?
>> 2.6.31 and 2.6.32 tested meanwhile as well
>>
>>> Distro install (highly unlikely given the age of that kernel) or custom?
>> no customizations
>>
>>
>> I wonder whether -DKLIPS in $CFLAGS does somehow break my binaries.
>> Please see http://bugs.gentoo.org/show_bug.cgi?id=350107 which I have just
>> opened. It could be a wrong package setup in Gentoo resulting in misconfigured
>> compilation.
>>
>> Thanks for the below comments!
>> Martin
>>
>>>
>>>> Any clues? Thanks,
>>>> Martin
>>>>
>>>> For completeness, here is part of my setup in /etc/ipsec.conf:
>>>>
>>>> conn cisco-client
>>>>         ike=3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1
>>>                                                   ^^^^^^^^^^^^^^^^^^^^^^^
>>> You haven't specified the DH group for these two so that's why you are
>>> seeing the errors about "multiple DH groups were set in aggressive mode.
>>> Only first one used."  Those are somewhat cosmetic and it will only use
>>> the first DH group encountered (modp1024 from the first proposal).
>>>
>>>>         aggrmode=yes # if no aggrmode is set I get no connection
>>>
>>> Correct.  The Cisco ASA is going to insist on using aggressive mode.
>>>
>>>>         authby=secret
>>>>         left=%defaultroute
>>>>         leftmodecfgclient=yes
>>>>         leftxauthclient=yes
>>>>         leftid=@my-group-name
>>>>         right=x.x.x.x
>>>>         rightxauthserver=yes
>>>>         rightmodecfgserver=yes
>>>>         modecfgpull=yes
>>>>         pfs=no
>>>>         auto=add
>>>>         # XAUTH connections cannot rekey, set the next to `no'
>>>>         rekey=no
>>>
>>> The rest looks ok to me but it's hard to tell without a lot more
>>> background.
> 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: .config
Url: http://lists.openswan.org/pipermail/users/attachments/20101230/e0bc9c71/attachment-0001.pl 
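The DH-group point Michael raises about the `ike=` line (two proposals without a group, and aggressive mode only ever using the first group) can be checked mechanically. The linter below is an added example, not code from the thread or from Openswan; it assumes the `enc-hash[-dhgroup]` proposal syntax shown in the thread, a constructed subset of group names, and treats a proposal with no explicit group as "unspecified" rather than guessing the daemon's default.

```python
"""Lint an Openswan-style ``ike=`` proposal list for aggressive-mode DH-group problems.
Added example (not from the thread or Openswan). Assumes enc-hash[-dhgroup] syntax;
a missing group is reported as unspecified, no daemon default is assumed."""
import re

# The ike= value from the thread's ipsec.conf (copied from the page).
IKE_LINE = "3des-md5-modp1024,3des-sha1-modp1024,aes128-md5,aes192-sha1"

# Constructed, non-exhaustive list of IKEv1 DH group names -> group number.
KNOWN_DH = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
PROPOSAL_RE = re.compile(r"^(?P<enc>[a-z0-9]+)-(?P<hash>[a-z0-9]+)(?:-(?P<dh>[a-z0-9]+))?$")


def parse_proposal(text):
    """Split one proposal into (enc, hash, dh); dh is None when the group is omitted."""
    m = PROPOSAL_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed proposal: {text!r}")
    dh = m.group("dh")
    if dh is not None and dh not in KNOWN_DH:
        raise ValueError(f"unknown DH group {dh!r} in {text!r}")
    return m.group("enc"), m.group("hash"), dh


def lint_ike(ike_value, aggrmode):
    """Return a list of findings for the proposal list; an empty list means clean."""
    proposals = [parse_proposal(p) for p in ike_value.split(",")]
    findings = []
    for idx, (enc, hsh, dh) in enumerate(proposals, 1):
        if dh is None:
            findings.append(f"proposal {idx} ({enc}-{hsh}) names no DH group")
    # IKEv1 aggressive mode sends the KE payload in the first message, so exactly one
    # group can be offered: everything after the first proposal's group is ignored.
    groups = [dh or "<unspecified>" for _, _, dh in proposals]
    if aggrmode and len(set(groups)) > 1:
        findings.append(f"aggressive mode: several DH groups set, only {groups[0]} is used")
    return findings


def pin_dh_group(ike_value):
    """Rewrite the list so every proposal carries the first explicitly named DH group."""
    proposals = [parse_proposal(p) for p in ike_value.split(",")]
    first = next((dh for _, _, dh in proposals if dh), None)
    if first is None:
        raise ValueError("no proposal names a DH group; nothing to pin to")
    return ",".join(f"{enc}-{hsh}-{dh or first}" for enc, hsh, dh in proposals)


if __name__ == "__main__":
    for finding in lint_ike(IKE_LINE, aggrmode=True):
        print("warning:", finding)
    print("ike=" + pin_dh_group(IKE_LINE))
```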