[Openswan Users] [strongSwan] ERROR: netlink response for Add SA esp.383251e8 at 10.19.156.242 included errno 93: Protocol not supported

Martin Mokrejs mmokrejs at fold.natur.cuni.cz
Thu Dec 30 12:29:37 EST 2010


Hi everybody,

Michael H. Warfield wrote:
> Hey Paul,
> 
> On Thu, 2010-12-30 at 01:31 -0500, Paul Wouters wrote:
>> On Thu, 30 Dec 2010, Martin Mokrejs wrote:
> 
>>> 003 "cisco-client" #2: ERROR: netlink response for Add SA esp.f964d92c at x.x.x.x included errno 93: Protocol not supported
> 
>> Though nothing here points to ipv6....
> 
> But if you read the posting over on the Strongswan list he pointed to,
> they mention a bug in the 2.6.31 (and possibly earlier) kernels where
> Netkey returns this error, regardless, if IPv6 is disabled in the kernel
> due to a coding error.  That error is sufficient to explain his symptoms
> and agrees with his config if the same bug is present in 2.6.27, which
> is close enough to assume that it does.  Since I don't EVER test with
> IPv6 disabled, I would personally never have seen this bug.

So, with no IPv6 in the kernel the bug is present in 2.6.27.57, 2.6.28,
2.6.28.10 but not in 2.6.29 (nor 2.6.29.6, 2.6.31.14, 2.6.33.1).

Second, enabling IPv6 in 2.6.28.10 avoids the problem.

> 
>>>  Probably, the patch related to your issue went into 2.6.25 ...
>>> http://lists.openwall.net/netdev/2008/04/03/35 .
>>>  Another user hitting this issue was http://lists.openswan.org/pipermail/users/2005-October/006742.html
>>>
>>> My problem is that I am on 2.6.27.57 (which should contain the fix) and I do not think
>>> I am missing anything in my kernel .config (attached). :(
>>
>> Note that ESP and TUNNEL support got split into ipv4 and ipv6 versions, so if
>> this was an ipv6 version, you would also need:
> 
>> CONFIG_INET6_ESP=m
>> CONFIG_INET6_XFRM_TUNNEL=m
>> CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>> CONFIG_INET6_XFRM_MODE_TUNNEL=m
> 
>> If using compress=yes, you would also need:
> 
>> CONFIG_INET6_IPCOMP=m
> 
> But he has "# CONFIG_IPV6 is not set" in the config so none of the INET6
> options are even relevant.
> 
>> and you would need to modprobe the corresponding modules if you are not
>> using the openswan startup scripts.
> 
>> However, all of this does not seem to be your problem though it would not
>> hurt to verify with ipv6 enabled as module just so we can rule this out.
> 
> It's not.  It's disabled in his config and he has stated it's disabled
> though his reply initially had a typo.  A simple test would be for him
> to reenable IPv6 as either a module or in the kernel itself and retest.
> 
>> It might be useful to see "ipsec verify" and "ipsec barf" to get more info
>> about your system state.


# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.29 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
#
# find /proc/sys/net/ipv4/conf/ -name send_redirects | while read f; do echo 0 > $f; done
# find /proc/sys/net/ipv4/conf/ -name accept_redirects | while read f; do echo 0 > $f; done

I do not know why I had these enabled. :(


# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.29 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:e0:18:b6:9d:31  
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1290 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1282 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:628367 (613.6 KiB)  TX bytes:177653 (173.4 KiB)
          Interrupt:11 Base address:0x2000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10629 (10.3 KiB)  TX bytes:10629 (10.3 KiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:192.168.251.6  P-t-P:192.168.251.5  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:100 errors:0 dropped:0 overruns:0 frame:0
          TX packets:99 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:6225 (6.0 KiB)  TX bytes:5559 (5.4 KiB)

#

Now what? Where is my interface? ;-) For the moment I am on 2.6.29 with no IPv6 and
do not have the "errno 93: Protocol not supported" error, but there is no connection anyway. ;)
M
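
An added example, not part of the original post and not Openswan code: a per-interface check equivalent to the two redirect warnings and the IP forwarding line in the `ipsec verify` output above, run here on a constructed sample tree. The function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: re-check what `ipsec verify` flagged, per interface.
# The root defaults to the live tree; pass another directory to audit a copy.

# Print "<iface> <setting> <value>" for every redirect setting that is not 0.
audit_redirects() {
    root=${1:-/proc/sys/net/ipv4}
    for f in "$root"/conf/*/send_redirects "$root"/conf/*/accept_redirects; do
        [ -r "$f" ] || continue            # glob matched nothing, or unreadable
        val=$(cat "$f")
        [ "$val" = "0" ] && continue
        echo "$(basename "$(dirname "$f")") $(basename "$f") $val"
    done
}

# Succeeds only if IPv4 forwarding is on (the check that still reads [FAILED]).
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4}/ip_forward" 2>/dev/null)" = "1" ]
}

# Constructed sample tree: the interfaces from the ifconfig output plus the
# kernel's "all" and "default" entries, redirects on, forwarding off.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    for i in all default eth0 lo tun0; do
        mkdir -p "$t/conf/$i"
        echo 1 > "$t/conf/$i/send_redirects"
        echo 1 > "$t/conf/$i/accept_redirects"
    done
    echo 0 > "$t/ip_forward"
    echo "$t"
}

# Demo on the sample tree: audit, apply the same fix as the find loops, re-audit.
demo() {
    tree=$(make_sample_tree) || return 1
    before=$(audit_redirects "$tree" | wc -l)
    find "$tree/conf" \( -name send_redirects -o -name accept_redirects \) |
        while read -r f; do echo 0 > "$f"; done
    after=$(audit_redirects "$tree" | wc -l)
    forwarding_enabled "$tree" && fwd=on || fwd=off
    rm -rf "$tree"
    echo "nonzero before=$((before)) after=$((after)) forwarding=$fwd"
}
demo
```

Values written under /proc/sys last only until the next reboot; the same keys have to go into /etc/sysctl.conf to persist.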

