[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Michael H. Warfield mhw at WittsEnd.com
Thu Dec 30 09:11:54 EST 2010


Hey Paul,

On Thu, 2010-12-30 at 01:31 -0500, Paul Wouters wrote:
> On Thu, 30 Dec 2010, Martin Mokrejs wrote:

> > 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported

> Though nothing here points to ipv6....

But if you read the posting over on the Strongswan list he pointed to,
they mention a bug in the 2.6.31 (and possibly earlier) kernels where
Netkey returns this error, regardless, if IPv6 is disabled in the kernel
due to a coding error.  That error is sufficient to explain his symptoms
and agrees with his config if the same bug is present in 2.6.27, which
is close enough to assume that it does.  Since I don't EVER test with
IPv6 disabled, I would personally never have seen this bug.

> >  Probably, the patch related to your issue went into 2.6.25 ...
> > http://lists.openwall.net/netdev/2008/04/03/35 .
> >  Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html
> >
> > My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
> > I am missing anything in my kernel .config (attached). :(
> 
> Note that ESP and TUNNEL support got split into ipv4 and ipv6 versions, so if
> this was an ipv6 version, you would also need:

> CONFIG_INET6_ESP=m
> CONFIG_INET6_XFRM_TUNNEL=m
> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
> CONFIG_INET6_XFRM_MODE_TUNNEL=m

> If using compress=yes, you would also need:

> CONFIG_INET6_IPCOMP=m

But he has "# CONFIG_IPV6 is not set" in the config so none of the INET6
options are even relevant.

> and you would need to modprobe the corresponding modules if you are not
> using the openswan startup scripts.

> However, all of this does not seem to be your problem though it would not
> hurt to verify with ipv6 enabled as module just so we can rule this out.

It's not.  It's disabled in his config and he has stated it's disabled
though his reply initially had a typo.  A simple test would be for him
to reenable IPv6 as either a module or in the kernel itself and retest.

> It might be useful to see "ipsec verify" and "ipsec barf" to get more info
> about your system state.
> 
> Paul

Regards,
Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
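
The config check discussed in this thread, as an added example that is not part of the original message or of Openswan: it reads a kernel .config, reports whether CONFIG_IPV6 is off (the case the thread ties to errno 93 on Netkey), and otherwise lists which of the INET6 options quoted above are missing. The function names, output labels and the sample config are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: audit a kernel .config for the options named in the thread.

# kopt FILE OPTION -> prints y, m, or n (n = "is not set" or absent).
kopt() {
    val=$(sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | head -n 1)
    echo "${val:-n}"
}

# audit_netkey_config FILE [yes|no]   (second arg mirrors compress=yes)
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_netkey_config() {
    cfg=$1; compress=${2:-no}; rc=0
    if [ "$(kopt "$cfg" CONFIG_IPV6)" = n ]; then
        # With IPv6 off, none of the INET6 options apply; the thread reports
        # that some kernels answer Add SA with errno 93 in this state.
        echo "IPV6_DISABLED: CONFIG_IPV6 is not set; retest with IPv6 enabled"
        return 1
    fi
    opts="CONFIG_INET6_ESP CONFIG_INET6_XFRM_TUNNEL"
    opts="$opts CONFIG_INET6_XFRM_MODE_TRANSPORT CONFIG_INET6_XFRM_MODE_TUNNEL"
    if [ "$compress" = yes ]; then
        opts="$opts CONFIG_INET6_IPCOMP"
    fi
    for o in $opts; do
        if [ "$(kopt "$cfg" "$o")" = n ]; then
            echo "MISSING: $o"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not the poster's attached config).
sample_config_ipv6_off() {
    cat <<'EOF'
# CONFIG_IPV6 is not set
CONFIG_INET_ESP=m
CONFIG_XFRM_USER=m
EOF
}

# Stand-alone use: sh script.sh /path/to/.config [yes]
if [ $# -gt 0 ]; then
    audit_netkey_config "$@"
fi
```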

