[Openswan Users] ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory

Martin Lambev fsh3mve at gmail.com
Sat Jun 9 04:38:02 EDT 2012


Hi Tamis,

Thanks for the patch. First I tried the first file, and second I saw below that one; I thought I tried it too, but to be sure I will apply it again and do some testing….

Okay here is the results:

First attempt: connection OK, but the second and third attempts fail on isakmp: phase 1 I ident,

and there are even more policies left than without it…. and they are not complete.

src 50.50.50.50/32 dst 0.0.0.0/0 
	dir fwd priority 3104 ptype main 
src 50.50.50.50/32 dst 0.0.0.0/0 
	dir in priority 3104 ptype main 
src 50.50.50.50/32 dst 0.0.0.0/0 
	dir out priority 2112 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	dir 4 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	dir 3 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	dir 4 priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	dir 3 priority 0 ptype main 

Thanks, I'm starting to think that this could be CentOS 6.2 related?

Best regards,

Martin


On Jun 9, 2012, at 3:02 PM, Panagiotis Tamtamis wrote:

> Hello Martin,
> 
> I am the one who submitted bug#1334 and wrote the patch for it.
> Please try to use the second patch file (bug1334.bug (894 Bytes) Panagiotis Tamtamis, 03/19/2012 02:31 pm)
> 
> The first one is not working well.
> 
> Please try it and report if it resolves your issue. For me it worked ok.
> As far as I know, my patch is not included in openswan U2.6.38.
> 
> Best Regards,
> Tamis
> 
> 
> 2012/6/7 Martin Lambev <fsh3mve at gmail.com>
> 
> Hello OpenSwan guys,
> Earlier this week I wrote about a problem with connecting multiple clients with various operating systems (Mac SL, Win 7 and Win XP) that sit behind one real IP address (NATed). I did not try to connect them all together (simultaneously) to the L2TP/IPSec-PSK server, but one after another, if that matters...
> 
> Linux Openswan U2.6.38/K2.6.32-220.17.1.el6.x86_64 (netkey) (compiled from source) on CentOS 6.2 x64, as L2TP tested with both xl2tpd v.1.3.1 (from the EPEL repo) and/or accel-pppd latest git. My server has two real IP addresses assigned to one NIC, for example eth0 IP:50.50.50.10 and alias eth0:0 IP:50.50.50.50 (addresses are changed).
> 
> I'm using the default conf example shipped with openswan v.2.6.38, /etc/ipsec.d/examples/l2tp-psk.conf, and one of the real IPs as left=50.50.50.10 (offtopic: xl2tpd has problems and can't connect if I use the ALIASED IP eth0:0; error in the log: "udp_xmit failed to 60.161.197.173:52132 with err=-1:Operation not permitted , xl2tpd: Maximum retries exceeded for tunnel 62854.  Closing").
> I just added 'listen=' and the virtual_private= defaults to /etc/ipsec.conf, plus my specific private net behind the router, 1.1.1.0/24, with !192.168.100.0/24 excluded for the VPN clients.
> 
> 
> Every time the IPsec tunnel is established. But in the message log (/var/log/messages) one can see something similar to "l2tp: incorrect tid 0 in tunnel 1" for accel-ppd and "Maximum retries exceeded for tunnel 3561. xl2tpd: Connection 42 closed to 60.161.197.173, port 55650 (Timeout)" for xl2tpd.
> 
> Clients complain that they cannot connect to xl2tpd...
> 
> I can see in /var/log/secure, for any connection, "ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory" when the connection is disconnected from the client. When I monitor with ip xfrm monitor, IPsec tries every time to delete the XFRM policy after the client disconnects. The Mac connection is successfully deleted (but the XFRM error still appears in the log file), but apparently with Windows 7 and XP the connections are partly left. That causes the trouble for connections after that...
> 
> Deleting only the partly left XFRM policy that causes the trouble for other clients to connect solves the issue, until that client connects again.
> Flushing the XFRM policy also solves the problem; restarting IPsec also solves that problem (because I assume it makes a policy flush before it starts?).
> This does not affect clients connecting from different IP addresses (behind NAT) but only clients that sit behind the same IP.
> 
> Just a quick reminder of what the issue is - it depends on the order in which the OSes connect first:
> 1. First Mac OS X, then Windows 7, then XP can't connect! (there is an XFRM policy left from Win7 that blocks the XP connection to xl2tpd).
> 2. First Windows 7, then Mac OS X, then XP can't connect!
> 3. First Windows XP, then (order is not relevant) Win7 and Mac can't connect! (there is an XFRM policy left from XP that blocks the Win7 and Mac connections to xl2tpd).
> I have not tested with Android and iOS to see what the case is…
> 
> Should I file a bug report? I've found some similar bug reports but for older versions of openswan. I tried to apply Bug1334.patch for version 2.6.37, which I assume is already in 38?, but anyway the result is the same.
> 
> Any solution besides manually deleting the left-over XFRM policy?
> 
> Best Regards,
> 
> Martin
> 
> 
> 
> 
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> 
> 
> 
> -- 
> Think simple!
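An added example, not code from the thread or from Openswan: a small Python script that parses an `ip xfrm policy` dump in the layout quoted above, picks out per-connection policies (dir in/out/fwd) that carry no tmpl line, which is the "not complete" leftover pattern Martin describes, and prints a targeted `ip xfrm policy delete` for each so a healthy policy is never flushed along with them. The sample dump, the healthy L2TP transport policy in it, its reqid and the script name xfrm_leftovers.py are constructed assumptions.

```python
"""Find template-less per-connection XFRM policies in an 'ip xfrm policy' dump and
emit a targeted 'ip xfrm policy delete' for each, leaving healthy policies alone."""
import re
import sys

# Constructed sample in the layout of 'ip xfrm policy': three leftovers as in the
# mail (no tmpl), one constructed healthy L2TP transport policy (reqid invented),
# and one numeric-dir priority-0 entry of the kind the quoted dump also shows.
SAMPLE = """\
src 50.50.50.50/32 dst 0.0.0.0/0
\tdir fwd priority 3104 ptype main
src 50.50.50.50/32 dst 0.0.0.0/0
\tdir in priority 3104 ptype main
src 50.50.50.50/32 dst 0.0.0.0/0
\tdir out priority 2112 ptype main
src 50.50.50.10/32 dst 60.161.197.173/32 proto udp sport 1701
\tdir out priority 2080 ptype main
\ttmpl src 50.50.50.10 dst 60.161.197.173
\t\tproto esp reqid 16389 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
\tdir 3 priority 0 ptype main
"""

def parse_policies(text):
    """One dict per policy: full selector line, direction, priority, tmpl lines."""
    policies = []
    for line in (ln.rstrip() for ln in text.splitlines()):
        if line.startswith("src "):              # a policy starts unindented
            policies.append({"selector": line, "dir": None, "priority": 0, "tmpl": []})
        elif policies and line.lstrip().startswith("dir "):
            m = re.match(r"\s*dir (\S+) priority (\d+)", line)
            if m:
                policies[-1]["dir"], policies[-1]["priority"] = m.group(1), int(m.group(2))
        elif policies and line.lstrip().startswith("tmpl "):
            policies[-1]["tmpl"].append(line.strip())
    return policies

def stale_policies(policies):
    """dir in/out/fwd policies with no tmpl: the incomplete leftover pattern from
    the thread. Numeric-dir priority-0 entries are not per-connection; skip them."""
    return [p for p in policies if p["dir"] in ("in", "out", "fwd") and not p["tmpl"]]

def delete_commands(policies):
    """Reuse the full selector line so any proto/port part is kept (the kernel matches on exact selector + dir)."""
    return ["ip xfrm policy delete %s dir %s" % (p["selector"], p["dir"]) for p in policies]

if __name__ == "__main__":   # usage: ip xfrm policy | python3 xfrm_leftovers.py
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(delete_commands(stale_policies(parse_policies(dump)))))
```

Review the printed list before running it as root: a template-less policy can also be a deliberate bypass shunt, and the script only matches the shape shown in the thread, not the policy's origin.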
