[Openswan Users] Fwd: "ERROR: netlink response for Get SA" and no ipsec traffic
Samir Hussain
shussain at xelerance.com
Tue Apr 25 08:52:00 EDT 2017
Rescued from the spam bucket. Please remember to subscribe to the
mailing list before posting to it.
-------- Forwarded Message --------
Subject: "ERROR: netlink response for Get SA" and no ipsec traffic
Date: Mon, 24 Apr 2017 18:09:00 -0300
From: Rodrigo Stuffs <rbs at brasilia.br>
To: users at lists.openswan.org
Hi there list,
Here's the scenario; I have rebuilt a kernel of a WD My Cloud box in order
to extend it. It is currently running kernel 3.2.
The Kernel config is available at https://pastebin.com/mYGiK3eN
Prior to posting here I really tried to do my homework, doing extensive
mailing list research. But it seems that the kernel build side is
apparently OK.
It is a real simple ipsec setup, between two systems in the local network:
172.16.8.158 (the LibreSwan box, compiled from source, version
libreswan-3.20)
and 172.16.8.3 (an openswan 2.6.37 box).
Both endpoints use a PSK key.
It seems that the ipsec negotiation does succeed, but the LibreSwan box
does not send or reply to ipsec traffic from the other node.
I have spotted this line in the systemd log:
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: ERROR: netlink
response for Get SA esp.865e967 at 172.16.8.3
<mailto:esp.865e967 at 172.16.8.3> included errno 3: No such process
The configuration is pretty much standard and untouched. I have only added
an include clause, see below:
---
root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.conf
config setup
include /etc/ipsec.d/*.conf
---
root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
---
And here are the relevant config files:
---
root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.conf (the only .conf file
over there)
conn teste
left=172.16.8.158
right=172.16.8.3
authby=secret
auto=start
---
root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.secrets (the only .secrets
file over here too)
172.16.8.3 : PSK "zomgsecretkeyhere"
---
The systemd output is the following:
---
Apr 24 20:43:04 MyCloud pluto[26502]: NSS DB directory: sql:/etc/ipsec.d
Apr 24 20:43:04 MyCloud pluto[26502]: Initializing NSS
Apr 24 20:43:04 MyCloud pluto[26502]: Opening NSS database
"sql:/etc/ipsec.d" read-only
Apr 24 20:43:04 MyCloud pluto[26502]: NSS initialized
Apr 24 20:43:04 MyCloud pluto[26502]: NSS crypto library initialized
Apr 24 20:43:04 MyCloud pluto[26502]: FIPS HMAC integrity support [disabled]
Apr 24 20:43:04 MyCloud pluto[26502]: libcap-ng support [enabled]
Apr 24 20:43:04 MyCloud pluto[26502]: Linux audit support [disabled]
Apr 24 20:43:04 MyCloud pluto[26502]: Starting Pluto (Libreswan Version
3.20 XFRM(netkey) KLIPS USE_FORK USE_PTHREAD_SETSCHEDPRIO NSS DNSSEC
USE_SYSTEMD_WATCHDOG LIBCAP_NG XAUTH_PAM NETWORKMANAGER CURL(non-NSS))
pid:26502
Apr 24 20:43:04 MyCloud pluto[26502]: core dump dir: /var/run/pluto
Apr 24 20:43:04 MyCloud pluto[26502]: secrets file: /etc/ipsec.secrets
Apr 24 20:43:04 MyCloud pluto[26502]: leak-detective enabled
Apr 24 20:43:04 MyCloud pluto[26502]: NSS crypto [enabled]
Apr 24 20:43:04 MyCloud pluto[26502]: XAUTH PAM support [enabled]
Apr 24 20:43:04 MyCloud pluto[26502]: NAT-Traversal support [enabled]
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_ccm_16: IKEv1:
ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm aes_ccm_c)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_ccm_12: IKEv1:
ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_b)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_ccm_8: IKEv1:
ESP IKEv2: ESP FIPS {256,192,*128} (aes_ccm_a)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT 3des_cbc: IKEv1: IKE
ESP IKEv2: IKE ESP FIPS [*192] (3des)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT camellia_ctr: IKEv1:
ESP IKEv2: ESP {256,192,*128}
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT camellia: IKEv1: IKE
ESP IKEv2: IKE ESP {256,192,*128} (camellia_cbc)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_gcm_16: IKEv1: IKE
ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm aes_gcm_c)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_gcm_12: IKEv1: IKE
ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_b)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_gcm_8: IKEv1: IKE
ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_gcm_a)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes_ctr: IKEv1: IKE
ESP IKEv2: IKE ESP FIPS {256,192,*128} (aesctr)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT aes: IKEv1: IKE
ESP IKEv2: IKE ESP FIPS {256,192,*128} (aes_cbc)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT serpent: IKEv1: IKE
ESP IKEv2: IKE ESP {256,192,*128} (serpent_cbc)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT twofish: IKEv1: IKE
ESP IKEv2: IKE ESP {256,192,*128} (twofish_cbc)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT twofish_ssh: IKEv1:
IKE IKEv2: IKE ESP {256,192,*128} (twofish_cbc_ssh)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT cast: IKEv1:
ESP IKEv2: ESP {*128} (cast_cbc)
Apr 24 20:43:04 MyCloud pluto[26502]: ENCRYPT null: IKEv1:
ESP IKEv2: ESP []
Apr 24 20:43:04 MyCloud pluto[26502]: HASH md5: IKEv1:
IKE IKEv2:
Apr 24 20:43:04 MyCloud pluto[26502]: HASH sha: IKEv1:
IKE IKEv2: FIPS (sha1)
Apr 24 20:43:04 MyCloud pluto[26502]: HASH sha2_256: IKEv1:
IKE IKEv2: FIPS (sha2 sha256)
Apr 24 20:43:04 MyCloud pluto[26502]: HASH sha2_384: IKEv1:
IKE IKEv2: FIPS (sha384)
Apr 24 20:43:04 MyCloud pluto[26502]: HASH sha2_512: IKEv1:
IKE IKEv2: FIPS (sha512)
Apr 24 20:43:04 MyCloud pluto[26502]: PRF md5: IKEv1:
IKE IKEv2: IKE (hmac_md5)
Apr 24 20:43:04 MyCloud pluto[26502]: PRF sha: IKEv1:
IKE IKEv2: IKE FIPS (sha1 hmac_sha1)
Apr 24 20:43:04 MyCloud pluto[26502]: PRF sha2_256: IKEv1:
IKE IKEv2: IKE FIPS (sha2 sha256 hmac_sha2_256)
Apr 24 20:43:04 MyCloud pluto[26502]: PRF sha2_384: IKEv1:
IKE IKEv2: IKE FIPS (sha384 hmac_sha2_384)
Apr 24 20:43:04 MyCloud pluto[26502]: PRF sha2_512: IKEv1:
IKE IKEv2: IKE FIPS (sha512 hmac_sha2_512)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG md5: IKEv1: IKE
ESP AH IKEv2: IKE ESP AH (hmac_md5 hmac_md5_96)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG sha: IKEv1: IKE
ESP AH IKEv2: IKE ESP AH FIPS (sha1 sha1_96 hmac_sha1 hmac_sha1_96)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG sha2_512: IKEv1: IKE
ESP AH IKEv2: IKE ESP AH FIPS (sha512 hmac_sha2_512 hmac_sha2_512_256)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG sha2_384: IKEv1: IKE
ESP AH IKEv2: IKE ESP AH FIPS (sha384 hmac_sha2_384 hmac_sha2_384_192)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG sha2_256: IKEv1: IKE
ESP AH IKEv2: IKE ESP AH FIPS (sha2 sha256 hmac_sha2_256
hmac_sha2_256_128)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG aes_xcbc: IKEv1:
ESP AH IKEv2: ESP AH FIPS (aes_xcbc_96)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG aes_cmac: IKEv1:
ESP AH IKEv2: ESP AH FIPS (aes_cmac_96)
Apr 24 20:43:04 MyCloud pluto[26502]: INTEG ripemd: IKEv1:
ESP AH IKEv2: (hmac_ripemd hmac_ripemd_160_96)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP1024: IKEv1:
IKE IKEv2: IKE (dh2)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP1536: IKEv1:
IKE IKEv2: IKE (dh5)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP2048: IKEv1:
IKE IKEv2: IKE FIPS (dh14)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP3072: IKEv1:
IKE IKEv2: IKE FIPS (dh15)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP4096: IKEv1:
IKE IKEv2: IKE FIPS (dh16)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP6144: IKEv1:
IKE IKEv2: IKE FIPS (dh17)
Apr 24 20:43:04 MyCloud pluto[26502]: DH MODP8192: IKEv1:
IKE IKEv2: IKE FIPS (dh18)
Apr 24 20:43:04 MyCloud pluto[26502]: DH DH19: IKEv1:
IKE IKEv2: IKE FIPS (ecp_256)
Apr 24 20:43:04 MyCloud pluto[26502]: DH DH20: IKEv1:
IKE IKEv2: IKE FIPS (ecp_384)
Apr 24 20:43:04 MyCloud pluto[26502]: DH DH21: IKEv1:
IKE IKEv2: IKE FIPS (ecp_521)
Apr 24 20:43:04 MyCloud pluto[26502]: DH DH23: IKEv1:
IKE IKEv2: IKE FIPS
Apr 24 20:43:04 MyCloud pluto[26502]: DH DH24: IKEv1:
IKE IKEv2: IKE FIPS
Apr 24 20:43:04 MyCloud pluto[26502]: starting up 1 crypto helpers
Apr 24 20:43:04 MyCloud pluto[26502]: started thread for crypto helper 0
(master fd 12)
Apr 24 20:43:04 MyCloud pluto[26502]: Using Linux XFRM/NETKEY IPsec
interface code on 3.2.26
Apr 24 20:43:04 MyCloud pluto[26502]: seccomp security for crypto helper
not supported
Apr 24 20:43:05 MyCloud pluto[26502]: systemd watchdog not enabled - not
sending watchdog keepalives
Apr 24 20:43:05 MyCloud pluto[26502]: seccomp security not supported
Apr 24 20:43:06 MyCloud pluto[26502]: added connection description "teste"
Apr 24 20:43:06 MyCloud pluto[26502]: added connection description
"v6neighbor-hole-in"
Apr 24 20:43:06 MyCloud pluto[26502]: added connection description
"v6neighbor-hole-out"
Apr 24 20:43:06 MyCloud pluto[26502]: listening for IKE messages
Apr 24 20:43:06 MyCloud pluto[26502]: adding interface eth0/eth0
172.16.8.158:500
Apr 24 20:43:06 MyCloud pluto[26502]: adding interface eth0/eth0
172.16.8.158:4500
Apr 24 20:43:06 MyCloud pluto[26502]: adding interface lo/lo
127.0.0.1:500
Apr 24 20:43:06 MyCloud pluto[26502]: adding interface lo/lo
127.0.0.1:4500
Apr 24 20:43:06 MyCloud pluto[26502]: adding interface lo/lo ::1:500
Apr 24 20:43:06 MyCloud pluto[26502]: | setup callback for interface
lo:500 fd 21
Apr 24 20:43:06 MyCloud pluto[26502]: | setup callback for interface
lo:4500 fd 20
Apr 24 20:43:06 MyCloud pluto[26502]: | setup callback for interface
lo:500 fd 19
Apr 24 20:43:06 MyCloud pluto[26502]: | setup callback for interface
eth0:4500 fd 18
Apr 24 20:43:06 MyCloud pluto[26502]: | setup callback for interface
eth0:500 fd 17
Apr 24 20:43:06 MyCloud pluto[26502]: loading secrets from
"/etc/ipsec.secrets"
Apr 24 20:43:06 MyCloud pluto[26502]: loading secrets from
"/etc/ipsec.d/mfrf.secrets"
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: initiating Main Mode
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: transition from state
STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: STATE_MAIN_I2: sent
MI2, expecting MR2
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: transition from state
STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: STATE_MAIN_I3: sent
MI3, expecting MR3
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: Main mode peer ID is
ID_IPV4_ADDR: '172.16.8.3'
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: transition from state
STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #1: STATE_MAIN_I4: ISAKMP
SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:88274ca8 proposal=defaults pfsgroup=MODP2048}
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: ERROR: netlink
response for Get SA esp.865e967 at 172.16.8.3
<mailto:esp.865e967 at 172.16.8.3> included errno 3: No such process
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: transition from state
STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: STATE_QUICK_I2: sent
QI2, IPsec SA established tunnel mode {ESP=>0x0865e967 <0x93513ee6
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
---
Kernel config:
---
root@MyCloud:~# bash teste.sh
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
---
root@MyCloud:/dev/shm# grep -e XFRM -e IPCOMP -e DEFLATE /boot/config-3.2.26
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_CRYPTO_DEFLATE=y
CONFIG_ZLIB_DEFLATE=y
---
Thoughts?
Thanks for your time o/
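As an added triage aid (not code from the original post and not part of Libreswan), the script below parses pluto log lines of the two shapes quoted above plus a kernel config fragment: it pulls the SPI out of the failed netlink Get SA reply (errno 3 is ESRCH, meaning the kernel returned no SA with that SPI for that peer), checks whether pluto nevertheless logged the same SPI as established, and reports which XFRM/ESP options are built in, built as modules (which then have to be loaded), or missing. The sample log and config lines are constructed from the post; the option list and function names are my own choices.

```python
import re

# Constructed sample input shaped like the post's log lines (the list archive
# rendered the '@' in the SA name as ' at '; pluto itself prints '@').
PLUTO_LOG = """\
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: ERROR: netlink response for Get SA esp.865e967@172.16.8.3 included errno 3: No such process
Apr 24 20:43:06 MyCloud pluto[26502]: "teste" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x0865e967 <0x93513ee6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}
"""
# Constructed kernel config fragment (subset of the post's grep output).
KERNEL_CONFIG = """\
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_INET_ESP=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
# CONFIG_INET_AH is not set
"""
# Options an ESP tunnel over XFRM/NETKEY depends on (my selection from the post).
REQUIRED = ("CONFIG_XFRM", "CONFIG_XFRM_USER", "CONFIG_NET_KEY",
            "CONFIG_INET_ESP", "CONFIG_INET_XFRM_MODE_TUNNEL", "CONFIG_INET_AH")
GETSA_RE = re.compile(r"ERROR: netlink response for Get SA esp\.([0-9a-f]+)@(\S+) "
                      r"included errno (\d+)")
ESTAB_RE = re.compile(r"IPsec SA established .*?\{ESP=>0x([0-9a-f]+) <0x([0-9a-f]+)")

def netlink_getsa_errors(log):
    """(outbound SPI, peer, errno) per failed XFRM_MSG_GETSA reply.
    errno 3 is ESRCH: the kernel has no SA with that SPI for that peer."""
    found = (GETSA_RE.search(line) for line in log.splitlines())
    return [(int(m.group(1), 16), m.group(2), int(m.group(3))) for m in found if m]

def established_spis(log):
    """(outbound SPI, inbound SPI) pairs pluto reported as established."""
    found = (ESTAB_RE.search(line) for line in log.splitlines())
    return [(int(m.group(1), 16), int(m.group(2), 16)) for m in found if m]

def spis_failed_but_reported_established(log):
    """SPIs whose Get SA failed although pluto still logged the SA as up.
    Integer comparison matches 'esp.865e967' against 'ESP=>0x0865e967'."""
    up = {out for out, _ in established_spis(log)}
    return [spi for spi, _, _ in netlink_getsa_errors(log) if spi in up]

def config_status(config, required=REQUIRED):
    """Map each required option to 'builtin', 'module' (must be loaded) or 'missing'."""
    seen = {}
    for line in config.splitlines():
        m = re.match(r"(CONFIG_\w+)=(y|m)$", line.strip())
        if m:
            seen[m.group(1)] = "builtin" if m.group(2) == "y" else "module"
    return {opt: seen.get(opt, "missing") for opt in required}
```

On a live box the same SPI can be cross-checked against the kernel's own view with `ip xfrm state`; an SA pluto logs as established but the kernel does not list is exactly the mismatch this error reports.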