[Openswan Users] ERROR: netlink response for Add SA comp.3f10 at xxx.xxx.xxx.xxx included errno 22: Invalid argument

Alex Crow acrow at integrafin.co.uk
Wed Mar 2 05:01:06 EST 2011


Hi,

I have a very strange issue. I have had openswan running absolutely fine 
for a few years on an old machine in my office to connect to a network 
at a colo. Just recently, to save power, I decided to build a 
virtualised firewall/router box, running on KVM on a fully up-to-date 
Ubuntu Maverick server box. The guest is Lucid (10.04.2 LTS), with 
kernel 2.6.32-25-server. OpenSWAN version is 2.6.23+dfsg-1ubuntu1.

What is odd is that the virtualised OpenSWAN fails to connect any 
connection with "compress=yes" with the following errors:

Mar  1 21:34:29 firewall pluto[1418]: "colo-alex" #14: ERROR: netlink response for Add SA comp.3f10@xxx.xxx.xxx.xxx included errno 22: Invalid argument
Mar  1 21:34:29 firewall pluto[1418]: | add_sa ipcomp failed

Connection def:

conn colo-alex
         # Left security gateway, subnet behind it, next hop toward right.
         leftid=@ipsecdr.integrafin.co.uk
         left=xxx.xxx.xxx.xxx
         leftsubnet=192.168.pp.0/24
         leftnexthop=xxx.xxx.xxx.xxy
         leftrsasigkey=<hidden>
         # Right security gateway, subnet behind it, next hop toward left.
         rightid=@ipsec.alex.net
         right=yyy.yyy.yyy.yyy
         rightsubnet=192.168.qq.0/24
         rightrsasigkey=<hidden>
         rightnexthop=yyy.yyy.yyy.yyy.yyz
         # To authorize this connection, but not actually start it, at startup,
         # uncomment this.
         auto=start
         compress=yes
         esp=3des-md5

I have the ipcomp and xfrm modules loaded OK:
root@firewall:~# lsmod | grep ipcomp
ipcomp                  2212  0
ipcomp6                 2214  0
xfrm_ipcomp             5148  2 ipcomp,ipcomp6
xfrm6_tunnel            7935  1 ipcomp6
root@firewall:~# lsmod | grep xfrm
xfrm_user              21932  2
xfrm4_mode_beet         2131  0
xfrm4_tunnel            1979  0
tunnel4                 2909  1 xfrm4_tunnel
xfrm4_mode_tunnel       2000  24
xfrm4_mode_transport     1511  0
xfrm6_mode_transport     1575  0
xfrm6_mode_ro           1380  0
xfrm6_mode_beet         2082  0
xfrm6_mode_tunnel       1904  0
xfrm_ipcomp             5148  2 ipcomp,ipcomp6
xfrm6_tunnel            7935  1 ipcomp6
tunnel6                 2712  1 xfrm6_tunnel

I have another connection between a remote server in another country, 
same guest OS, kernel, OpenSWAN version, which does not have this issue 
with compressed connections (unless they are talking to my virtual 
gateway). The only difference is that the VM host is Lucid instead of 
Maverick. The server at the "opposite" end of both of these connections 
(a "real" box) has a 2.6.18 kernel and runs OpenSWAN 2.4.7.

This same offshore remote server also shows the same errors (they show 
at both ends) for the connection to my virtual machine. If I change to 
compress=no the error does not show up.

Has anyone come across this problem before?

Thanks

Alex
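
Added example (not part of the original post and not Openswan code): a small triage script that reads ipsec.conf text and pluto log text and lists the connections that set compress=yes and also logged a netlink error while installing the IPComp ("comp") SA, as in the report above. The function names and sample input are assumptions constructed for illustration; the log pattern is taken from the error line quoted in the post.

```python
import re
from collections import defaultdict

# Matches pluto's netlink error line as quoted in the post. The list archive
# renders "@" as " at ", so both separators are accepted.
NETLINK_ERR = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): ERROR: netlink response for '
    r'(?P<op>.+?) (?P<proto>[a-z]+)\.(?P<spi>[0-9a-f]+)(?:@| at )(?P<dst>\S+) '
    r'included errno (?P<errno>\d+): (?P<msg>.*)$'
)

def compressed_conns(conf_text):
    """Return names of conn sections in ipsec.conf text that set compress=yes."""
    found, current = set(), None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and indentation
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
        elif current and '=' in line:
            key, value = (p.strip() for p in line.split('=', 1))
            if key == 'compress' and value == 'yes':
                found.add(current)
    return found

def netlink_failures(log_text):
    """Count netlink SA errors per (connection, SA protocol, errno)."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = NETLINK_ERR.search(line)
        if m:
            hits[(m['conn'], m['proto'], int(m['errno']))] += 1
    return dict(hits)

def ipcomp_suspects(conf_text, log_text):
    """Connections with compress=yes whose IPComp ("comp") SA install failed."""
    comp = compressed_conns(conf_text)
    return sorted({c for (c, proto, _errno) in netlink_failures(log_text)
                   if proto == 'comp' and c in comp})

# Constructed sample input modelled on the post (address is a placeholder).
SAMPLE_CONF = """conn colo-alex
    compress=yes
conn other
    compress=no
"""
SAMPLE_LOG = """Mar  1 21:34:29 firewall pluto[1418]: "colo-alex" #14: ERROR: netlink response for Add SA comp.3f10@192.0.2.1 included errno 22: Invalid argument
Mar  1 21:34:29 firewall pluto[1418]: | add_sa ipcomp failed
"""
if __name__ == "__main__":
    print(ipcomp_suspects(SAMPLE_CONF, SAMPLE_LOG))
```
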



