On 08/12/2014 11:58 AM, Reyk Floeter wrote:
> Operation not supported is from the kernel returning "EOPNOTSUPP".
>
> If any of the following sysctls are turned off and it is requested via
> the PFKEYv2 socket, the kernel will return EOPNOTSUPP:
>
> net.inet.esp.enable=1
> net.inet.ah.enable=1
> net.inet.ipcomp.enable=0
>
All three are set to 1.
But strangely, now the "Operation not supported" message does not occur
anymore.
> You can also monitor the pfkey messages with "ipsecctl -m" [add one or
> more -v for packet dumps] to see what message returns EOPNOTSUPP.
Here's the output - I don't see any obvious errors ...
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
address_src: A.B.C.D
address_dst: 10.x.y.z
spirange: min 0x00000100 max 0xffffffff
sadb_getspi: satype esp vers 2 len 10 seq 19 pid 25389
sa: spi 0xfe52d794 auth none enc none
state mature replay 0 flags 0<>
address_src: A.B.C.D
address_dst: 10.x.y.z
sadb_update: satype esp vers 2 len 41 seq 20 pid 25389
sa: spi 0xfe52d794 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204<tunnel,udpencap>
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
address_src: A.B.C.D
address_dst: 10.x.y.z
key_auth: bits 160: ...
key_encrypt: bits 128: ...
identity_src: type ufqdn id 0: UFQDN/[email protected]
identity_dst: type fqdn id 0: FQDN/vpn.doe.com
udpencap: udpencap port 4500
tag: ipsec-UFQDN/[email protected]
sadb_update: satype esp vers 2 len 34 seq 20 pid 25389
sa: spi 0xfe52d794 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204<tunnel,udpencap>
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 493384368 add 9925 first 0
address_src: A.B.C.D
address_dst: 10.x.y.z
identity_src: type ufqdn id 0: UFQDN/[email protected]
identity_dst: type fqdn id 0: FQDN/vpn.doe.com
udpencap: udpencap port 4500
tag: ipsec-UFQDN/[email protected]
sadb_add: satype esp vers 2 len 41 seq 21 pid 25389
sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204<tunnel,udpencap>
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
address_src: 10.x.y.z
address_dst: A.B.C.D
key_auth: bits 160: ...
key_encrypt: bits 128: ...
identity_src: type fqdn id 0: FQDN/vpn.doe.com
identity_dst: type ufqdn id 0: UFQDN/[email protected]
udpencap: udpencap port 4500
tag: ipsec-UFQDN/[email protected]
sadb_add: satype esp vers 2 len 34 seq 21 pid 25389
sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204<tunnel,udpencap>
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
lifetime_soft: alloc 0 bytes 497679335 add 10011 first 0
address_src: 10.x.y.z
address_dst: A.B.C.D
identity_src: type fqdn id 0: FQDN/vpn.doe.com
identity_dst: type ufqdn id 0: UFQDN/[email protected]
udpencap: udpencap port 4500
tag: ipsec-UFQDN/[email protected]
I was wondering whether the client sending EAP options would have anything to
do with it:
>> sending end entity cert <johndoe DN>
>> establishing CHILD_SA xfertunnel
>> generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
>> AUTH CPRQ(ADDR DNS DNS) N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP)
>> N(NO_ADD_ADDR) N(EAP_ONLY) ]
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_payloads: decrypted
payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_notify: protoid NONE
spisize 0 type MOBIKE_SUPPORTED
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_payloads: decrypted
payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_notify: protoid NONE
spisize 0 type NO_ADDITIONAL_ADDRESSES
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_payloads: decrypted
payload NOTIFY nextpayload NONE critical 0x00 length 8
Aug 12 12:23:20 tunnel iked[25389]: ikev2_pld_notify: protoid NONE
spisize 0 type EAP_ONLY_AUTHENTICATION
thx /markus
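The "ipsecctl -m" dump above is easier to reason about once the PF_KEY messages are turned into records: one per sadb_* message, with the SPI, algorithms, replay window, flags and addresses pulled out, so the two directions of the tunnel can be compared side by side. The following is an added example (not code from this thread, from iked or from ipsecctl) that parses that text format and runs a few defender-side sanity checks on each installed SA; the parser assumes the line layout exactly as printed above, and the sample input is a shortened copy of the sadb_update/sadb_add messages from the mail with the keys elided as in the original.

```python
"""Parse an ipsecctl -m (PF_KEY monitor) dump into SA records and sanity-check them."""
import re
from collections import defaultdict

# Constructed sample: the sadb_update/sadb_add messages from the mail above,
# shortened, with key material elided exactly as ipsecctl prints it.
SAMPLE = """\
sadb_update: satype esp vers 2 len 41 seq 20 pid 25389
sa: spi 0xfe52d794 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204<tunnel,udpencap>
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
address_src: A.B.C.D
address_dst: 10.x.y.z
key_auth: bits 160: ...
key_encrypt: bits 128: ...
udpencap: udpencap port 4500
sadb_add: satype esp vers 2 len 41 seq 21 pid 25389
sa: spi 0xc06ab6b8 auth hmac-sha1 enc aes
state mature replay 64 flags 0x204<tunnel,udpencap>
lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
address_src: 10.x.y.z
address_dst: A.B.C.D
key_auth: bits 160: ...
key_encrypt: bits 128: ...
udpencap: udpencap port 4500
"""

MSG_RE = re.compile(r"^(sadb_\w+): satype (\S+) vers (\d+) len (\d+) seq (\d+) pid (\d+)$")
SA_RE = re.compile(r"^sa: spi (0x[0-9a-f]+) auth (\S+) enc (\S+)$")
# "flags 0x204<tunnel,udpencap>" or "flags 0<>" (no flags set, as in sadb_getspi)
STATE_RE = re.compile(r"^state (\S+) replay (\d+) flags (0x[0-9a-f]+|\d+)(?:<([^>]*)>)?$")


def parse_pfkey(text):
    """Return a list of dicts, one per sadb_* message, in dump order."""
    msgs = []
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MSG_RE.match(line)
        if m:  # start of a new PF_KEY message
            cur = {"msg": m.group(1), "satype": m.group(2), "seq": int(m.group(5)),
                   "pid": int(m.group(6)), "flags": set()}
            msgs.append(cur)
            continue
        if cur is None:  # text before the first message header
            continue
        m = SA_RE.match(line)
        if m:
            cur["spi"] = int(m.group(1), 16)
            cur["auth"], cur["enc"] = m.group(2), m.group(3)
            continue
        m = STATE_RE.match(line)
        if m:
            cur["state"] = m.group(1)
            cur["replay"] = int(m.group(2))
            cur["flags"] = set(m.group(4).split(",")) if m.group(4) else set()
            continue
        key, _, val = line.partition(": ")  # generic "name: value" extension line
        cur[key] = val
    return msgs


def check_sa(msg):
    """Return a list of findings for one installed SA (empty list = looks sane)."""
    findings = []
    if msg["msg"] not in ("sadb_update", "sadb_add"):
        return findings
    if msg.get("auth") == "none" or msg.get("enc") == "none":
        findings.append("no integrity/encryption algorithm on the SA")
    if msg.get("replay", 0) == 0:
        findings.append("replay window is 0 (anti-replay disabled)")
    if "tunnel" not in msg["flags"]:
        findings.append("transport mode SA")
    if "udpencap" in msg["flags"] and "udpencap" not in msg:
        findings.append("udpencap flag set but no udpencap port extension")
    return findings


def pair_directions(msgs):
    """Group installed SAs by their (unordered) address pair, one entry per SPI.

    ipsecctl -m shows each message twice (the request with keys and the kernel's
    reply without them, as in the dump above), so SPIs are deduplicated.
    """
    pairs = defaultdict(dict)
    for m in msgs:
        if m["msg"] in ("sadb_update", "sadb_add") and "spi" in m:
            key = frozenset((m["address_src"], m["address_dst"]))
            pairs[key].setdefault(m["spi"], m)
    return {k: list(v.values()) for k, v in pairs.items()}


if __name__ == "__main__":
    sas = parse_pfkey(SAMPLE)
    for pair, both in pair_directions(sas).items():
        print("tunnel", " <-> ".join(sorted(pair)))
        for sa in both:
            print("  spi %#x %s/%s flags=%s findings=%s" % (
                sa["spi"], sa["auth"], sa["enc"], sorted(sa["flags"]), check_sa(sa) or "none"))
```

Running it prints both SPIs of the A.B.C.D/10.x.y.z tunnel with no findings, which matches what the dump shows: hmac-sha1/aes in both directions, a 64-packet replay window, tunnel mode and UDP encapsulation on port 4500. A dump that produced EOPNOTSUPP would normally stop at the failing message, so the first message type that has no matching reply in the parsed list is the one to look at.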