[Openswan Users] ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory

Panagiotis Tamtamis tamtamis at gmail.com
Sat Jun 9 03:02:44 EDT 2012


Hello Martin,

I am the one who submitted bug#1334 and wrote the patch for it.
Please try to use the second patch file
(bug1334.bug <https://www.openswan.org/attachments/508/bug1334.bug>,
894 Bytes, Panagiotis Tamtamis, 03/19/2012 02:31 pm).

The first one is not working well.

Please try it and report if it resolves your issue. For me it worked ok.
As far as I know my patch is not included in openswan U2.6.38.

Best Regards,
Tamis


2012/6/7 Martin Lambev <fsh3mve at gmail.com>

>
> Hello OpenSwan guys,
> Earlier this week I wrote about a problem with connecting multiple clients
> with various operating systems (Mac SL, Win 7 and Win XP) that sit behind
> one real IP address (NATed). I did not try to connect them all together
> (simultaneously) to the L2TP/IPSec-PSK server but one after another, if that
> matters...
>
> Linux Openswan U2.6.38/K2.6.32-220.17.1.el6.x86_64 (netkey) (compiled from
> source) on CentOS 6.2 x64, as L2TP tested with both xl2tpd v.1.3.1 (from
> EPEL repo) and/or accel-pppd latest git. My server has two real IP
> addresses assigned to one NIC, example eth0 IP:50.50.50.10 and alias
> eth0:0 IP:50.50.50.50 (addresses are changed)
>
> I'm using default conf example shipped with openswan v.2.6.38
> /etc/ipsec.d/examples/l2tp-psk.conf and one of the real IP as
> left=50.50.50.10 ( offtopic: xl2tpd has problems and can't connect if I use
> ALIASED IP eth0:0 error in the log: "udp_xmit failed to
> 60.161.197.173:52132 with err=-1:Operation not permitted , xl2tpd:
> Maximum retries exceeded for tunnel 62854.  Closing" )
> Just added to /etc/ipsec.conf , 'listen=' and virtual_private= defaults
> plus my specific private net behind the router 1.1.1.0/24 + excluded !
> 192.168.100.0/24 for the vpn clients.
>
>
> All times IPsec tunnel is established. But in the message log
> (/var/log/messages) one can see something similar to "l2tp: incorrect tid 0
> in tunnel 1" for accel-pppd and "Maximum retries exceeded for tunnel 3561.
> xl2tpd: Connection 42 closed to 60.161.197.173, port 55650 (Timeout)" for
> xl2tpd.
>
> Clients complain that they cannot connect to xl2tpd...
>
> I can see in the /var/log/secure that any connection "ERROR: netlink
> XFRM_MSG_DELPOLICY response for flow eroute_connection delete included
> errno 2: No such file or directory" when connection is disconnected from
> the client. When I monitor ip xfrm monitor, IPsec tries every time to
> delete the XFRM policy after client disconnect. Mac connection is
> successfully deleted (but the XFRM error still appears in the log file) but
> apparently with Windows 7 and XP connections are partly left. That causes
> the trouble for connections after that...
>
> Deleting only the partly left XFRM policy that causes the trouble for other
> clients to connect solves the issue, until that client connects again.
> Flushing the XFRM policy also solves the problem, restarting IPSec also
> solves that problem (because I assume it makes a policy flush, then it
> starts?).
> This does not affect clients connecting from different IP addresses (behind
> NAT) but only clients that sit behind the same IP
>
> Just a quick reminder what the issue is - it depends on the order in which
> OS you connect first:
> 1. First Mac OS X, then Windows 7, then XP can't connect! (there is an XFRM
> policy left from Win7 that blocks XP connection to xl2tpd).
> 2. First Windows 7, then Mac OS X, then XP can't connect!
> 3. First Windows XP, then (order is not relevant) Win7 and Mac can't
> connect! (there is an XFRM policy left from XP that blocks Win7 and Mac
> connection to xl2tpd).
> I have not tested with Android and iOS to see what is the case…
>
> Should I file bug report? I've found some similar bug reports but for
> older versions of openswan. I try to apply Bug1334.patch for version 2.6.37
> which I assume is already in 38?, but anyway the result is the same.
>
> Any solution beside manually deleting left over XFRM policy?
>
> Best Regards,
>
> Martin



-- 
Think simple!
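
Added example, not part of the original messages or of Openswan: one way to spot the leftover XFRM policies described in the quoted report is to compare the reqid values in `ip xfrm policy` output against those in `ip xfrm state`. The sample output is constructed, and treating a policy whose reqid matches no installed SA as "leftover" is a heuristic assumed here, not something the thread specifies.

```python
import re

# Constructed sample of `ip xfrm policy` output (addresses and reqids invented).
SAMPLE_POLICY = """\
src 50.50.50.10/32 dst 203.0.113.7/32 proto udp sport 1701 dport 52132
\tdir out priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16397 mode transport
src 50.50.50.10/32 dst 203.0.113.7/32 proto udp sport 1701 dport 1701
\tdir out priority 2080 ptype main
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 16401 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
"""
# Constructed sample of `ip xfrm state` output: only reqid 16397 still has an SA.
SAMPLE_STATE = """\
src 50.50.50.10 dst 203.0.113.7
\tproto esp spi 0x5e6f7a8b reqid 16397 mode transport
\tencap type espinudp sport 4500 dport 52132 addr 0.0.0.0
"""

def split_entries(text):
    """Group output into entries: a non-indented line starts a new one."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            entries.append([line.strip()])
        elif entries:
            entries[-1].append(line.strip())
    return entries

def reqid_of(entry):
    """Return the entry's reqid as int, or None (e.g. per-socket policies)."""
    m = re.search(r"\breqid (\d+)", " ".join(entry[1:]))
    return int(m.group(1)) if m else None

def leftover_policies(policy_text, state_text):
    """Selectors of policies whose nonzero reqid matches no installed SA."""
    live = {reqid_of(e) for e in split_entries(state_text)}
    return [e[0] for e in split_entries(policy_text)
            if reqid_of(e) and reqid_of(e) not in live]

if __name__ == "__main__":
    for selector in leftover_policies(SAMPLE_POLICY, SAMPLE_STATE):
        print("policy without SA:", selector)
```

On a live server, pass the captured output of the two commands in place of the samples; a policy can legitimately lack an SA for a moment during rekeying, so check a flagged entry again before acting on it.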