[Openswan Users] ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory

Martin Lambev fsh3mve at gmail.com
Wed Jun 6 21:08:07 EDT 2012


Hello OpenSwan guys,
Earlier this week I wrote about a problem with connecting multiple clients with various operating systems (Mac SL, Win 7 and Win XP) that sit behind one real IP address (NATed). I did not try to connect them all together (simultaneously) to the L2TP/IPSec-PSK server but one after another, if that matters...

Linux Openswan U2.6.38/K2.6.32-220.17.1.el6.x86_64 (netkey) (compiled from source) on CentOS 6.2 x64, as L2TP tested with both xl2tpd v.1.3.1 (from EPEL repo) and/or accel-pppd latest git. My server has two real IP addresses assigned to one NIC, for example eth0 IP:50.50.50.10 and alias eth0:0 IP:50.50.50.50 (addresses are changed).

I'm using the default conf example shipped with openswan v.2.6.38, /etc/ipsec.d/examples/l2tp-psk.conf, and one of the real IPs as left=50.50.50.10 (offtopic: xl2tpd has problems and can't connect if I use the ALIASED IP eth0:0; error in the log: "udp_xmit failed to 60.161.197.173:52132 with err=-1:Operation not permitted , xl2tpd: Maximum retries exceeded for tunnel 62854.  Closing").
I just added to /etc/ipsec.conf 'listen=' and the virtual_private= defaults plus my specific private net behind the router 1.1.1.0/24 + excluded !192.168.100.0/24 for the vpn clients.


Every time the IPsec tunnel is established. But in the message log (/var/log/messages) one can see something similar to "l2tp: incorrect tid 0 in tunnel 1" for accel-ppd and "Maximum retries exceeded for tunnel 3561. xl2tpd: Connection 42 closed to 60.161.197.173, port 55650 (Timeout)" for xl2tpd.

Clients complain that they cannot connect to xl2tpd...

I can see in /var/log/secure, for any connection, "ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory" when the connection is disconnected from the client. When I watch with ip xfrm monitor, IPsec tries every time to delete the XFRM policy after the client disconnects. The Mac connection is successfully deleted (but the XFRM error still appears in the log file), but apparently with Windows 7 and XP the connections are partly left. That causes the trouble for the connections after that...

Deleting only the partly left XFRM policy that causes the trouble for other clients to connect solves the issue, until that client connects again.
Flushing the XFRM policy also solves the problem, and restarting IPsec also solves the problem (because I assume it flushes the policy and then starts?).
This does not affect clients connecting from different IP addresses (behind NAT), but only clients that sit behind the same IP.

Just a quick reminder of what the issue is - it depends on the order in which OS you connect first:
1. First Mac OS X, then Windows 7, then XP can't connect! (There is an XFRM policy left from Win7 that blocks the XP connection to xl2tpd.)
2. First Windows 7, then Mac OS X, then XP can't connect!
3. First Windows XP, then (order is not relevant) Win7 and Mac can't connect! (There is an XFRM policy left from XP that blocks the Win7 and Mac connections to xl2tpd.)
I have not tested with Android and iOS to see what the case is there…

Should I file a bug report? I've found some similar bug reports, but for older versions of openswan. I tried to apply Bug1334.patch for version 2.6.37, which I assume is already in 38?, but anyway the result is the same.

Any solution besides manually deleting the left-over XFRM policy?

Best Regards,

Martin
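The manual workaround the post describes (find the XFRM policy pair left behind by a disconnected client behind the shared NAT address and delete just that pair) is easy to get wrong when several clients differ only by their NAT'd UDP source port. The following triage helper is an added example and is not part of the thread or of Openswan; it parses the plain-text output of `ip xfrm policy`, lists every policy whose selector names a given peer address (optionally narrowed to one UDP port), and prints the corresponding `ip xfrm policy delete` commands without running them. The sample `ip xfrm policy` output embedded in it is constructed, modelled on transport-mode L2TP/IPsec policies and using the addresses and ports quoted in the post; the function names are my own.

```shell
#!/bin/sh
# Triage helper (added example, not from the original post or from Openswan):
# read `ip xfrm policy` output on stdin, report the policies that reference a
# peer address (and optionally one NAT'd UDP port), and print, not execute,
# the `ip xfrm policy delete` commands that would remove them.

# Constructed sample of `ip xfrm policy` output (not captured from the poster's
# server): a live client behind the NAT address 60.161.197.173 using port 52132,
# and a leftover in/out pair for a client on port 55650 that already disconnected.
SAMPLE_XFRM_POLICY='src 50.50.50.10/32 dst 60.161.197.173/32 proto udp sport 1701 dport 52132
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 60.161.197.173/32 dst 50.50.50.10/32 proto udp sport 52132 dport 1701
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 50.50.50.10/32 dst 60.161.197.173/32 proto udp sport 1701 dport 55650
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16386 mode transport
src 60.161.197.173/32 dst 50.50.50.10/32 proto udp sport 55650 dport 1701
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16386 mode transport'

# policies_for_peer PEER [PORT]
# Reads `ip xfrm policy` output on stdin and prints one line per matching policy:
#   <dir> <src> <dst> <proto> <sport> <dport>   ("-" where the selector lacks a field)
# A policy matches when PEER is the host part of its src or dst selector and,
# if PORT is given, PORT is its sport or dport.
policies_for_peer() {
    awk -v peer="$1" -v port="$2" '
        function matches(   s, d) {
            split(src, s, "/"); split(dst, d, "/")
            if (s[1] != peer && d[1] != peer) return 0
            if (port == "") return 1
            return (sport == port || dport == port)
        }
        function flush() {
            if (src != "" && matches()) {
                if (proto == "") proto = "-"
                if (sport == "") sport = "-"
                if (dport == "") dport = "-"
                print dir, src, dst, proto, sport, dport
            }
            src = dst = dir = proto = sport = dport = ""
        }
        # A selector line "src A dst B [proto P sport S dport D]" starts a new policy;
        # the indented "tmpl src ..." lines begin with "tmpl" and are skipped.
        $1 == "src" && $3 == "dst" {
            flush()
            src = $2; dst = $4
            for (i = 5; i < NF; i += 2) {
                if ($i == "proto") proto = $(i + 1)
                else if ($i == "sport") sport = $(i + 1)
                else if ($i == "dport") dport = $(i + 1)
            }
            next
        }
        # The "dir in|out|fwd ..." line belongs to the policy started above
        $1 == "dir" { dir = $2 }
        END { flush() }
    '
}

# count_policies_for_peer PEER [PORT]: number of policies that reference the peer
count_policies_for_peer() {
    policies_for_peer "$@" | wc -l | tr -d ' '
}

# delete_commands_for_peer PEER [PORT]: emit one `ip xfrm policy delete` per match.
# Nothing is executed; inspect the output and pipe it through `sh` only once
# you are sure the policies belong to a client that is really gone.
delete_commands_for_peer() {
    policies_for_peer "$@" | while read -r dir src dst proto sport dport; do
        sel="src $src dst $dst"
        [ "$proto" != "-" ] && sel="$sel proto $proto"
        [ "$sport" != "-" ] && sel="$sel sport $sport"
        [ "$dport" != "-" ] && sel="$sel dport $dport"
        printf 'ip xfrm policy delete %s dir %s\n' "$sel" "$dir"
    done
}

# Stand-alone demo on the constructed sample.
# On a real host: ip xfrm policy | policies_for_peer 60.161.197.173
printf '%s\n' "$SAMPLE_XFRM_POLICY" | policies_for_peer 60.161.197.173
printf '%s\n' "$SAMPLE_XFRM_POLICY" | delete_commands_for_peer 60.161.197.173 55650
```

Narrowing by port matters here because all clients behind the NAT share the peer address, so deleting by peer alone would also take down the client that is still connected; `ip xfrm policy flush`, which the post also mentions, is the blunt version of the same operation. Running the emitted commands only after reviewing them keeps the helper a read-only check by default.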
