Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Houman,

> I still get the same errors. Although the "faking NAT situation to
> enforce UDP encapsulation" is not showing anymore. Is this now something
> else?

Yes, as the log tells you, it looks like your server is behind a NAT:

> Jul 7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT,
> sending keep alives

Is there actually an IPv6 NAT? Or should 2a01:4f8:192:::2 be the same address the clients see too? If so, the NAT-D payload may have been invalid (e.g. because the client faked a NAT situation - note, though, that strongSwan only modifies the source IP hash to that effect).

> It is very strange that the same configuration works with strongSwan
> 5.7.2 but 5.8.2 throws these errors. Something must have changed that
> I'm missing, I think.

I don't think that any change caused this. Did you have IPv6 connectivity with 5.7.2 too?

Regards,
Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Tobias,

Thanks again for your help. I have changed *forceencaps* to *no* in /etc/ipsec.conf, saved and rebooted.

I still get the same errors. Although the "faking NAT situation to enforce UDP encapsulation" is not showing anymore. Is this now something else?

Jul 7 00:28:58 de-fsn-6 charon: 12[ENC] generating INFORMATIONAL response 24 [ ]
Jul 7 00:28:58 de-fsn-6 charon: 12[NET] sending packet: from 144.76.11x.xxx[4500] to 2.50.157.xxx[4500] (80 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 11[NET] received packet: from 2001:8f8:xxx:xxx:504c:4f39:258e:8191[4500] to 2a01:4f8:192:::2[4500] (144 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 de-fsn-6 charon: 11[IKE] local host is behind NAT, sending keep alives
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI cf20af06
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)
Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI 0b13a954
Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] generating INFORMATIONAL response 11 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:28:59 de-fsn-6 charon: 11[NET] sending packet: from 2a01:4f8:xxx:732c::2[4500] to 2001:8f8:xxx:53d3:504c:4f39:xxx:8191[4500] (128 bytes)
Jul 7 00:28:59 de-fsn-6 charon: 01[KNL] creating acquire job for policy 128.116.xxx.3/32[tcp/https] === 10.10.18.xxx/32[tcp/56633] with reqid {2595}
Jul 7 00:28:59 de-fsn-6 charon: 01[CFG] trap not found, unable to acquire reqid 2595
Jul 7 00:29:00 de-fsn-6 charon: 06[NET] received packet: from 2001:8f8:1163::504c:4f39:258e:8191[4500] to 2a01:4f8:xxx:::2[4500] (144 bytes)
Jul 7 00:29:00 de-fsn-6 charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 7 00:29:00 de-fsn-6 charon: 06[IKE] received retransmit of request with ID 11, retransmitting response
Jul 7 00:29:00 de-fsn-6 charon: 06[NET] sending packet: from 2a01:4f8:192:::2[4500] to 2001:8f8:1163:53d3:504c::258e:8191[4500] (128 bytes)
Jul 7 00:29:01 de-fsn-6 charon: 15[IKE] retransmit 5 of request with message ID 0

It is very strange that the same configuration works with strongSwan 5.7.2 but 5.8.2 throws these errors. Something must have changed that I'm missing, I think.

If you see no other possibility, I suppose I have no other choice than disabling IPv6 by setting *use_ipv6 = no* in */etc/strongswan.d/charon/socket-default.conf*

I was hoping not to do it, as some ISP might only support IPv6 and by doing that I might cause new problems. What do you think? Maybe I should live with that error. After all, it happens only 5 times a day. What is the most sensible thing to do?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 11:12, Tobias Brunner wrote:
> Hi Houman,
>
> > I could disable *forceencaps=no* but having it enabled helps overcoming
> > restrictive firewalls. So maybe it's better for my users if I
> > disabled IPv6 instead. Do you agree?
> > Or is forcing it not such a big deal after all?
>
> Depends on the clients. Many will be behind a NAT anyway, others (e.g.
> our Android client) will also force UDP encapsulation. Only for
> unnatted clients behind restrictive firewalls that can't force it
> themselves, will forcing it on the server make a difference.
>
> > What is strange is that I thought I had disabled ipv6, like this:
> > ...
> > net.ipv6.conf.all.disable_ipv6 = 1
> > net.ipv6.conf.default.disable_ipv6 = 1
>
> I don't think that affects interfaces that are already up, so you might
> have to explicitly set it for the specific interface too.
>
> > Where do I disable it then?
>
> You may disable charon.plugins.socket-default.use_ipv6 so the plugin
> won't open an IPv6 socket.
>
> Regards,
> Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Houman,

> I could disable *forceencaps=no* but having it enabled helps overcoming
> restrictive firewalls. So maybe it's better for my users if I
> disabled IPv6 instead. Do you agree?
> Or is forcing it not such a big deal after all?

Depends on the clients. Many will be behind a NAT anyway, others (e.g. our Android client) will also force UDP encapsulation. Only for unnatted clients behind restrictive firewalls that can't force it themselves, will forcing it on the server make a difference.

> What is strange is that I thought I had disabled ipv6, like this:
> ...
> net.ipv6.conf.all.disable_ipv6 = 1
> net.ipv6.conf.default.disable_ipv6 = 1

I don't think that affects interfaces that are already up, so you might have to explicitly set it for the specific interface too.

> Where do I disable it then?

You may disable charon.plugins.socket-default.use_ipv6 so the plugin won't open an IPv6 socket.

Regards,
Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Tobias,

Thank you so much for the detailed explanation. You brought up some interesting points.

I could disable *forceencaps=no* but having it enabled helps overcoming restrictive firewalls. So maybe it's better for my users if I disabled IPv6 instead. Do you agree? Or is forcing it not such a big deal after all?

What is strange is that I thought I had disabled ipv6, like this:

*/etc/sysctl.conf*
net.ipv4.ip_forward = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Where do I disable it then?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 10:08, Tobias Brunner wrote:
> Hi Houman,
>
> > We have two types of servers. Same users are doing ok on servers with
> > StrongSwan 5.7.2 on kernel 5.3.0-53-generic.
> >
> > But on the servers with StrongSwan 5.8.2 with kernel *5.4.0-39-generic*,
> > the issue arises. (Not for all users, but quite a few)
>
> I had a closer look at the log and now saw what the problem is. It has
> nothing to do with the strongSwan or kernel version.
>
> The problem is that the client moves from an IPv4 address to an IPv6
> address and you apparently have UDP-encapsulation forced (see the
> "faking NAT situation to enforce UDP encapsulation"). However, the
> Linux kernel currently does not support UDP encapsulation for IPv6 (the
> upcoming 5.8 kernel will be the first one with support for it), so you
> get that error when the daemon tries to replace the IPv4 SA with an IPv6
> SA that has UDP encapsulation enabled. Try without forcing UDP
> encapsulation (or disable IPv6 in the socket-default plugin if you don't
> want clients to use it).
>
> Regards,
> Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Houman,

> We have two types of servers. Same users are doing ok on servers with
> StrongSwan 5.7.2 on kernel 5.3.0-53-generic.
>
> But on the servers with StrongSwan 5.8.2 with kernel *5.4.0-39-generic*,
> the issue arises. (Not for all users, but quite a few)

I had a closer look at the log and now saw what the problem is. It has nothing to do with the strongSwan or kernel version.

The problem is that the client moves from an IPv4 address to an IPv6 address and you apparently have UDP-encapsulation forced (see the "faking NAT situation to enforce UDP encapsulation"). However, the Linux kernel currently does not support UDP encapsulation for IPv6 (the upcoming 5.8 kernel will be the first one with support for it), so you get that error when the daemon tries to replace the IPv4 SA with an IPv6 SA that has UDP encapsulation enabled. Try without forcing UDP encapsulation (or disable IPv6 in the socket-default plugin if you don't want clients to use it).

Regards,
Tobias
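As an added example (not code from the thread or from the strongSwan project), a small Python scanner that applies the diagnosis above to charon syslog output: it flags a MOBIKE address update (an INFORMATIONAL request carrying N(UPD_SA_ADDR)) that arrived from an IPv6 peer when the same charon worker thread then reports "unable to update SAD entry", i.e. the IPv4-to-IPv6 move with UDP encapsulation that the kernel rejects with EINVAL. The sample lines are constructed from the anonymised log posted earlier in this thread; the regexes assume the default charon syslog format shown there.

```python
"""Flag MOBIKE address updates to IPv6 peers that charon could not apply
to the kernel (the forced-UDP-encapsulation-over-IPv6 failure)."""
import re
import ipaddress

# Default charon syslog format: "... charon: <thread>[<group>] <message>"
RECV_RE = re.compile(r"charon: (\d+)\[NET\] received packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
UPD_RE = re.compile(r"charon: (\d+)\[ENC\] parsed INFORMATIONAL request \d+ \[.*N\(UPD_SA_ADDR\)")
FAIL_RE = re.compile(r"charon: (\d+)\[KNL\] unable to update SAD entry with SPI ([0-9a-f]+)")

def is_ipv6(addr):
    """Anonymised addresses (e.g. 2a01:4f8:192:::2) do not parse strictly,
    so fall back on a colon check when ipaddress rejects the value."""
    try:
        return ipaddress.ip_address(addr).version == 6
    except ValueError:
        return ":" in addr

def find_failed_ipv6_updates(lines):
    """Return one record per UPD_SA_ADDR request from an IPv6 peer that was
    followed by SAD update failures on the same worker thread."""
    peer_by_thread = {}   # thread id -> source address of its last received packet
    pending = {}          # thread id -> update record awaiting KNL outcome
    findings = []
    for line in lines:
        m = RECV_RE.search(line)
        if m:
            peer_by_thread[m.group(1)] = m.group(2)
            continue
        m = UPD_RE.search(line)
        if m:
            tid = m.group(1)
            peer = peer_by_thread.get(tid)
            if peer and is_ipv6(peer):
                pending[tid] = {"peer": peer, "spis": [], "reported": False}
            continue
        m = FAIL_RE.search(line)
        if m and m.group(1) in pending:
            rec = pending[m.group(1)]
            rec["spis"].append(m.group(2))
            if not rec["reported"]:      # report each update once, then collect its SPIs
                rec["reported"] = True
                findings.append(rec)
    return findings

# Constructed sample, cut down from the anonymised log in this thread.
SAMPLE_LOG = [
    "Jul 7 00:28:59 de-fsn-6 charon: 11[NET] received packet: from 2001:8f8:xxx:xxx:504c:4f39:258e:8191[4500] to 2a01:4f8:192:::2[4500] (144 bytes)",
    "Jul 7 00:28:59 de-fsn-6 charon: 11[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]",
    "Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)",
    "Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI cf20af06",
    "Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] received netlink error: Invalid argument (22)",
    "Jul 7 00:28:59 de-fsn-6 charon: 11[KNL] unable to update SAD entry with SPI 0b13a954",
    "Jul 7 00:29:00 de-fsn-6 charon: 06[NET] received packet: from 2001:8f8:1163::504c:4f39:258e:8191[4500] to 2a01:4f8:xxx:::2[4500] (144 bytes)",
    "Jul 7 00:29:00 de-fsn-6 charon: 06[ENC] parsed INFORMATIONAL request 11 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]",
    "Jul 7 00:29:00 de-fsn-6 charon: 06[IKE] received retransmit of request with ID 11, retransmitting response",
]

if __name__ == "__main__":
    for rec in find_failed_ipv6_updates(SAMPLE_LOG):
        print("IPv6 MOBIKE update from %s failed for SPIs %s" % (rec["peer"], ", ".join(rec["spis"])))
```

The retransmit on thread 06 is not reported because no SAD update failure follows it, which matches the log: only the first update attempt reaches the kernel.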
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi Tobias,

We have two types of servers. Same users are doing ok on servers with StrongSwan 5.7.2 on kernel 5.3.0-53-generic.

But on the servers with StrongSwan 5.8.2 with kernel *5.4.0-39-generic*, the issue arises. (Not for all users, but quite a few)

> increase the log level for knl to 2 to see which operation failed

Could you please elaborate a bit more on how to change the log level for knl? In which config do I do that?

Many Thanks,
Houman

On Mon, 6 Jul 2020 at 09:20, Tobias Brunner wrote:
> Hi,
>
> > I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic
> > (Ubuntu 20.04).
> > I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
> > 19.10).
>
> In the same situation (i.e. if a client's IP address changes)? Or just
> in general? Can you replicate this error?
>
> > received netlink error: Invalid argument (22)
>
> As the error indicates, this is returned by the kernel if it doesn't
> like the provided data. Either when querying the existing SA or when
> replacing it with updated IP addresses (increase the log level for knl
> to 2 to see which operation failed). Also, what kernel version are you
> using?
>
> Regards,
> Tobias
Re: [strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Hi,

> I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic
> (Ubuntu 20.04).
> I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
> 19.10).

In the same situation (i.e. if a client's IP address changes)? Or just in general? Can you replicate this error?

> received netlink error: Invalid argument (22)

As the error indicates, this is returned by the kernel if it doesn't like the provided data. Either when querying the existing SA or when replacing it with updated IP addresses (increase the log level for knl to 2 to see which operation failed). Also, what kernel version are you using?

Regards,
Tobias