[Openswan Users] ERROR: netlink response for Add SA comp.3f10 at xxx.xxx.xxx.xxx included errno 22: Invalid argument - clarifications

Alex Crow acrow at integrafin.co.uk
Wed Mar 2 13:34:45 EST 2011 

On 02/03/11 10:01, Alex Crow wrote:
> Hi,
>
> I have a very strange issue. I have had openswan running absolutely fine
> for a few years on an old machine in my office to connect to a network
> at a colo. Just recently, to save power, I decided to build a
> virtualised firewall/router box, running on KVM on a fully up-to-date
> Ubuntu Maverick server box. The guest is Lucid (10.04.2 LTS), with
> kernel 2.6.32-25-server. OpenSWAN version is 2.6.23+dfsg-1ubuntu1.
>
> What is odd is that the virtualised OpenSWAN fails to connect any
> connection with "compress=yes" with the following errors:
>
> Mar  1 21:34:29 firewall pluto[1418]: "colo-alex" #14: ERROR: netlink
> response for Add SA comp.3f10 at xxx.xxx.xxx.xxx included errno 22: Invalid
> argument
> Mar  1 21:34:29 firewall pluto[1418]: | add_sa ipcomp failed
>
> Connection def:
>
> conn colo-alex
>           # Left security gateway, subnet behind it, next hop toward right.
>           leftid=@ipsecdr.integrafin.co.uk
>           left=xxx.xxx.xxx.xxx
>           leftsubnet=192.168.pp.0/24
>           leftnexthop=xxx.xxx.xxx.xxy
>           leftrsasigkey=<hidden>
>           # Right security gateway, subnet behind it, next hop toward left.
>           rightid=@ipsec.alex.net
>           right=yyy.yyy.yyy.yyy
>           rightsubnet=192.168.qq.0/24
>           rightrsasigkey=<hidden>
>           rightnexthop=yyy.yyy.yyy.yyy.yyz
>           # To authorize this connection, but not actually start it, at
> startup,
>           # uncomment this.
>           auto=start
>           compress=yes
>           esp=3des-md5
>
> I have the ipcomp and xfrm modules loaded OK:
> root at firewall:~# lsmod | grep ipcomp
> ipcomp                  2212  0
> ipcomp6                 2214  0
> xfrm_ipcomp             5148  2 ipcomp,ipcomp6
> xfrm6_tunnel            7935  1 ipcomp6
> root at firewall:~# lsmod | grep xfrm
> xfrm_user              21932  2
> xfrm4_mode_beet         2131  0
> xfrm4_tunnel            1979  0
> tunnel4                 2909  1 xfrm4_tunnel
> xfrm4_mode_tunnel       2000  24
> xfrm4_mode_transport     1511  0
> xfrm6_mode_transport     1575  0
> xfrm6_mode_ro           1380  0
> xfrm6_mode_beet         2082  0
> xfrm6_mode_tunnel       1904  0
> xfrm_ipcomp             5148  2 ipcomp,ipcomp6
> xfrm6_tunnel            7935  1 ipcomp6
> tunnel6                 2712  1 xfrm6_tunnel
>
> I have another connection between a remote server in another country,
> same guest OS, kernel, OpenSWAN version, which does not have this issue
> with compressed connections (unless they are talking to my virtual
> gateway). The only difference is that the VM host is Lucid instead of
> Maverick. The server at the "opposite" end of both of these connections
> (a "real" box) has a 2.6.18 kernel and runs OpenSWAN 2.4.7.
>
> This same offshore remote server also shows the same errors (they show
> at both ends) for the connection to my virtual machine. If I change to
> compress=no the error does not show up.
>
> Has anyone come across this problem before?
>
> Thanks
>
> Alex
>
>
>
>

Just realised this reads confusingly:

To summarise:

Offshore VM (same kernel/OpenSWAN as my home office) VM connects fine to 
the colo with compress=yes. Only difference to my home office setup is 
the host OS version/kernel.

Home office VM fails to connect to the colo when compress=yes.

Home office VM fails to connect to the offshore VM when compress=yes.

I have checked the sysctl.conf on all boxes and all relevant options are 
the same (or default).

All the gateways have a shorewall firewall set up. I have checked 
everything in the shorewall configs and no messages are being logged 
about rejected or dropped packets on the problematic gateways.

I can provide further info if required, but things like an ipsec barf I 
would have to sanitise to remove public IPs and keys.

If anyone can help it would be most appreciated.

Thanks

Alex

-- 
This message is intended only for the addressee and may contain
confidential information.  Unless you are that person, you may not
disclose its contents or use it in any way and are requested to delete
the message along with any attachments and notify us immediately.

"Transact" is operated by Integrated Financial Arrangements plc
Domain House, 5-7 Singer Street, London  EC2A 4BQ
Tel: (020) 7608 4900 Fax: (020) 7608 5300
(Registered office: as above; Registered in England and Wales under number: 3727592)
Authorised and regulated by the Financial Services Authority (entered on the FSA Register; number: 190856)

More information about the Users mailing list