On Fri, 6 Dec 2019, Peter Rofner wrote:

> I have multiple servers running LibreSwan on Gentoo. I updated one server from 3.27 to 3.29 and my ipsec connection suddenly fails with:
>
> ERROR: netlink response for Add SA [email protected] included errno 38: Function not implemented

What kind of IPsec SA was it trying to add to the kernel?

> I spent the day comparing all the kernel settings, cryptography settings, and libreswan settings on the pair of servers, which completely matched, all to no avail. Recompiled the kernel multiple times, still to no avail. The only major difference between servers is one is a relatively current Xeon server and the one with the error is an old Atom system.
>
> Adding ikev2=no to ipsec.conf restores the connection.

That seems strange. The version of IKE should not matter for the
supported kernel algorithms (other than IKEv2 having more algorithms
than IKEv1).

> Despite the fact that the connection is restored, I'm curious why IKEv2 would cause that netlink error.

I would have to see more logs to determine what happened. Ideally, a log
of the IKEv1 and IKEv2 runs.

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
