Re: [strongSwan] Kernel NETKEY issue with charon

2009-09-04 Thread Martin Willi
Hi Alex,

> Now the weird thing comes.. After I ran pluto once (and disabled
> afterwards), charon can establish the connection.. It seems to be
> related to the kernel_alg_register_pfkey() calls or something like
> that.

Sounds like a kernel bug I have fixed some years ago. The XFRM interface
did not probe supported kernel algorithms, but pluto using some PF_KEY
bits actually does.
So if you are using a kernel older than 2.6.20, try to apply the patch
[1].

Regards
Martin

[1] http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b836267aa79c1c5e23e00d9cec047b6870ae0db1

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
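
An added triage example, not part of the thread and not strongSwan code: it applies the rule of thumb from the reply above to a charon log, listing the SPIs whose SAD install failed with "Function not implemented" and checking whether the kernel predates 2.6.20. The function names and the kernel release 2.6.19.2 are assumptions; the sample log lines are the error lines quoted in the original report.

```shell
# Added triage sketch, not strongSwan code; function names are hypothetical.
# Exit 0 when kernel release $1 is older than $2 (default 2.6.20, the threshold from the reply).
kernel_older_than() {
    awk -v have="$1" -v want="${2:-2.6.20}" 'BEGIN {
        split(have, h, /[.-]/); split(want, w, /[.-]/)
        for (i = 1; i <= 3; i++) {          # compare major.minor.patch only
            if (h[i] + 0 < w[i] + 0) exit 0
            if (h[i] + 0 > w[i] + 0) exit 1
        }
        exit 1                              # equal is not "older"
    }'
}

# Read a charon log on stdin and print the SPIs whose SAD install was refused.
# Matches the message text, since the errno number differs between architectures.
failed_spis() {
    awk '
        /received netlink error: Function not implemented/ { enosys = 1; next }
        /unable to add SAD entry with SPI/ && enosys { out = out (out == "" ? "" : " ") $NF }
        { enosys = 0 }
        END { if (out != "") print out }
    '
}

# $1 = kernel release (uname -r); log on stdin. Prints a one-line verdict.
triage() {
    spis=$(failed_spis)
    if [ -z "$spis" ]; then
        echo "no-enosys"
    elif kernel_older_than "$1"; then
        echo "patch-candidate: $spis"      # matches the case described in the reply
    else
        echo "other-cause: $spis"          # kernel is 2.6.20 or newer, look elsewhere
    fi
}

# Error lines as quoted in the original report.
sample_log() {
    cat <<'EOF'
received netlink error: Function not implemented (89)
unable to add SAD entry with SPI c9146f03
received netlink error: Function not implemented (89)
unable to add SAD entry with SPI cfab2a52
unable to install inbound and outbound IPsec SA (SAD) in kernel
EOF
}

sample_log | triage "2.6.19.2"             # kernel release is a constructed value
```

On a live system, replace the last line with the daemon log piped into `triage "$(uname -r)"`.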


[strongSwan] Kernel NETKEY issue with charon

2009-09-02 Thread ServerAlex
Hello,
I'm currently installing strongSwan on an embedded internet router. I
loaded all necessary modules before running ipsec start. After ipsec
start (charon only) these ipsec-related modules are loaded (manually
or by ipsec start):

Module                  Size  Used by    Tainted: P
deflate                 2826  0
twofish                 8012  0
twofish_common         45187  1 twofish
serpent                24166  0
blowfish                9297  0
ecb                     3063  0
sha256                  9422  0
xfrm_user              23474  0
xfrm4_tunnel            1932  0
ipcomp                  6066  0
esp4                    6637  0
ah4                     5581  0
af_key                 34747  0
xfrm4_mode_transport    1944  0
xfrm4_mode_tunnel       2592  0
ipip                    9620  0
tunnel4                 2579  2 xfrm4_tunnel,ipip
hmac                    4076  0
crypto_hash             1508  1 hmac
sha1                    2317  0
md5                     4815  0
cbc                     4046  0
blkcipher               4679  2 ecb,cbc
des                    19392  0
aes                    29627  0
cryptomgr               2807  0
crypto_algapi          11055  13 deflate,twofish,serpent,blowfish,ecb,sha256,hmac,sha1,md5,cbc,des,aes,cryptomgr


But when I start my connection now, it gives me this error message:
IKE_SA bla[1] established between [X]...[Y]
installing new virtual IP 10.3.0.1
received netlink error: Function not implemented (89)
unable to add SAD entry with SPI c9146f03
received netlink error: Function not implemented (89)
unable to add SAD entry with SPI cfab2a52
unable to install inbound and outbound IPsec SA (SAD) in kernel

Syslog records this:
Sep  3 00:14:36 router daemon.info syslog: 14[CFG] received stroke: initiate 'bla'
Sep  3 00:14:36 router daemon.info syslog: 12[IKE] establishing CHILD_SA bla
Sep  3 00:14:36 router authpriv.info syslog: 12[IKE] establishing CHILD_SA bla
Sep  3 00:14:36 router daemon.info syslog: 12[KNL] getting SPI for reqid {2}
Sep  3 00:14:36 router daemon.info syslog: 12[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7ddff768
Sep  3 00:14:36 router daemon.info syslog: 12[KNL] got SPI c7868684 for reqid {2}
Sep  3 00:14:36 router daemon.info syslog: 12[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
Sep  3 00:14:36 router daemon.info syslog: 12[NET] sending packet: from 169.254.2.1[4500] to 85.14.217.62[4500]
Sep  3 00:14:36 router daemon.info syslog: 16[NET] received packet: from 85.14.217.62[4500] to 169.254.2.1[4500]
Sep  3 00:14:36 router daemon.info syslog: 16[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
Sep  3 00:14:36 router daemon.info syslog: 16[KNL] adding SAD entry with SPI c7868684 and reqid {2}
Sep  3 00:14:36 router daemon.info syslog: 16[KNL]   using encryption algorithm AES_CBC with key size 128
Sep  3 00:14:36 router daemon.info syslog: 16[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Sep  3 00:14:36 router daemon.info syslog: 16[KNL] sending XFRM_MSG_UPD