More info from kern.log:

Nov 7 13:21:52 nas kernel: [ 2246.765665] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)
Nov 7 13:21:52 nas kernel: [ 2246.773932] 00000000: e3 53 77 9c 10 79 ae b8 27 08 94 2d be 77 18 1a
Nov 7 13:21:52 nas kernel: [ 2246.780926] 00000010: f2 7e 6a 69 ca 81 66 aa f3 9e 19 41 ab 87 1d 8e
Nov 7 13:21:52 nas kernel: [ 2246.787777] 00000020: f6 6e 29 44
Nov 7 13:21:52 nas kernel: [ 2246.803949] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)
Nov 7 13:21:52 nas kernel: [ 2246.812641] 00000000: e3 53 77 9c 10 79 ae b8 27 08 94 2d be 77 18 1a
Nov 7 13:21:52 nas kernel: [ 2246.819462] 00000010: 13 4b bd 7c c2 97 9b b6 ae 08 6a 6c 46 f0 6e fd
Nov 7 13:21:52 nas kernel: [ 2246.826278] 00000020: 93 02 25 a3

From: [email protected]
To: [email protected]
Subject: Netlink and SAD entry error
Date: Thu, 7 Nov 2013 15:04:32 -0300

My strongswan server is failing following a kernel upgrade. What is the issue?

My config in ipsec.conf:

config setup
    strictcrlpolicy=no
    uniqueids=yes
    charondebug="cfg 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftfirewall=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear

conn bb10
    mobike=yes
    ike=aes256-sha1-sha1-modp1024!
    esp=aes256-modp1024-sha1!
    left=%defaultroute
    leftid="C=CA, O=none, CN=192.168.1.100"
    leftcert=serverCert.pem
    right=%any
    rightsourceip=10.11.12.1
    rightid="C=CA, O=none, CN=bb10"
    rightauth=pubkey
    leftauth=pubkey
    auto=add

Errors logged in daemon.log:

Nov 7 13:21:52 nas charon: 09[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Nov 7 13:21:52 nas charon: 09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov 7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for us:
Nov 7 13:21:52 nas charon: 09[CFG] config: 192.168.1.100/32, received: 0.0.0.0/0 => match: 192.168.1.100/32
Nov 7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for other:
Nov 7 13:21:52 nas charon: 09[CFG] config: 10.11.12.1/32, received: 0.0.0.0/0 => match: 10.11.12.1/32
Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)
Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI ca55d1a0
Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)
Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI aaeff1d8
Nov 7 13:21:52 nas charon: 09[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Nov 7 13:21:52 nas charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA
Nov 7 13:21:52 nas charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Nov 7 13:21:52 nas charon: 09[NET] sending packet: from 192.168.1.100[4500] to 24.114.73.80[45231] (1276 bytes)
Nov 7 13:22:02 nas charon: 10[NET] received packet: from 24.114.73.80[45231] to 192.168.1.100[4500] (1436 bytes)

I thought the new kernel was a missing module, though check.sh doesn't report any errors and lsmod seems to have everything that I need already loaded:

lsmod output:

Module                  Size    Used by
authenc                 5858    0
xfrm6_mode_tunnel       1552    0
xfrm4_mode_tunnel       2184    0
xfrm_user               20613   2
xfrm4_tunnel            1478    0
tunnel4                 2047    1 xfrm4_tunnel
ipcomp                  1665    0
xfrm_ipcomp             3257    1 ipcomp
esp4                    5593    0
ah4                     4797    0
ctr                     3433    0
twofish_generic         7239    0
twofish_common          12858   1 twofish_generic
camellia_generic        19582   0
serpent_generic         19827   0
blowfish_generic        3625    0
blowfish_common         6513    1 blowfish_generic
cast5_generic           11096   0
cast_common             4605    1 cast5_generic
des_generic             16820   0
cbc                     2267    0
cmac                    2492    0
xcbc                    2202    0
rmd160                  7244    0
sha512_generic          7457    0
sha256_generic          8589    0
crypto_null             2089    0
af_key                  32934   0
xfrm_algo               4401    5 ah4,esp4,af_key,xfrm_user,xfrm_ipcomp
xt_tcpudp               1976    2
ipv6                    282327  28 xfrm6_mode_tunnel
iptable_filter          1143    1
ip_tables               9770    1 iptable_filter
x_tables                11279   3 ip_tables,xt_tcpudp,iptable_filter
orion_wdt               2869    0
hmac                    2433    0
sha1_generic            1752    0
sha1_arm                3389    0
mv_cesa                 10557   0
ext2                    57351   2
mbcache                 5128    1 ext2
netconsole              6138    0
configfs                21555   2 netconsole
sg                      20167   0
sd_mod                  33934   5
crc_t10dif              1110    1 sd_mod
sata_mv                 24313   1
usb_storage             36513   2
libata                  143640  1 sata_mv
marvell                 7083    0
mvmdio                  3128    0
scsi_mod                150844  4 sg,usb_storage,libata,sd_mod
mv643xx_eth             22129   0
libphy                  16687   3 marvell,mvmdio,mv643xx_eth

Module check with check.sh:

CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_NET_KEY_MIGRATE=y
CONFIG_INET=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET_LRO=m
CONFIG_INET_DIAG=m
CONFIG_INET_TCP_DIAG=m
CONFIG_INET_UDP_DIAG=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_INET_DCCP_DIAG=m
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
CONFIG_IPV6_ROUTE_INFO=y
CONFIG_IPV6_OPTIMISTIC_DAD=y
CONFIG_IPV6_MIP6=m
CONFIG_IPV6_SIT=m
CONFIG_IPV6_SIT_6RD=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=m
# CONFIG_IPV6_GRE is not set
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_IPV6_SUBTREES=y
CONFIG_IPV6_MROUTE=y
CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
CONFIG_IPV6_PIMSM_V2=y
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_ACCT=m
CONFIG_NETFILTER_NETLINK_QUEUE=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
CONFIG_NETFILTER_TPROXY=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_SET=m
CONFIG_NETFILTER_XT_TARGET_AUDIT=m
CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_CT=m
CONFIG_NETFILTER_XT_TARGET_DSCP=m
CONFIG_NETFILTER_XT_TARGET_HL=m
CONFIG_NETFILTER_XT_TARGET_HMARK=m
CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
CONFIG_NETFILTER_XT_TARGET_LED=m
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NETMAP=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_TARGET_NOTRACK=m
CONFIG_NETFILTER_XT_TARGET_RATEEST=m
CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
CONFIG_NETFILTER_XT_TARGET_TEE=m
CONFIG_NETFILTER_XT_TARGET_TPROXY=m
CONFIG_NETFILTER_XT_TARGET_TRACE=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_CPU=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
CONFIG_NETFILTER_XT_MATCH_DSCP=m
CONFIG_NETFILTER_XT_MATCH_ECN=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_HL=m
CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
CONFIG_NETFILTER_XT_MATCH_IPVS=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_NFACCT=m
CONFIG_NETFILTER_XT_MATCH_OSF=m
CONFIG_NETFILTER_XT_MATCH_OWNER=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
CONFIG_NETFILTER_XT_MATCH_QUOTA=m
CONFIG_NETFILTER_XT_MATCH_RATEEST=m
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_RECENT=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_SOCKET=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_TIME=m
CONFIG_NETFILTER_XT_MATCH_U32=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
root@nas:/home/nas#
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
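
An added triage example, not part of the original post: it pairs charon's SAD install failures with kernel crypto self-test failures logged in the same second, using lines copied from the logs above. That a failed self-test for the negotiated ESP transform explains the netlink error is an assumption to verify, not something the thread confirms; the function and field names are illustrative.

```python
import re
from collections import defaultdict

# Sample lines copied from the kern.log and daemon.log excerpts in this thread.
KERN_LOG = """\
Nov 7 13:21:52 nas kernel: [ 2246.765665] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)
Nov 7 13:21:52 nas kernel: [ 2246.803949] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)
"""
DAEMON_LOG = """\
Nov 7 13:21:52 nas charon: 09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)
Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI ca55d1a0
Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI aaeff1d8
Nov 7 13:22:02 nas charon: 10[NET] received packet: from 24.114.73.80[45231] to 192.168.1.100[4500] (1436 bytes)
"""

# Syslog prefix: "Mon D HH:MM:SS host "
STAMP = r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+"
SELFTEST = re.compile(
    STAMP + r"kernel:.*\balg: (?P<type>\w+): Test \d+ failed on \w+ for (?P<alg>\S+)")
SAD_FAIL = re.compile(
    STAMP + r"charon: \d+\[KNL\] unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)")
PROPOSAL = re.compile(STAMP + r"charon: \d+\[CFG\] selected proposal: (?P<prop>\S+)")


def correlate(kern_log, daemon_log):
    """Pair SAD install failures with kernel crypto self-test failures
    logged in the same second (syslog timestamps have 1 s resolution)."""
    failed_algs = defaultdict(set)
    for m in filter(None, map(SELFTEST.search, kern_log.splitlines())):
        failed_algs[m["ts"]].add(m["alg"])
    findings, proposal = [], None
    for line in daemon_log.splitlines():
        if (m := PROPOSAL.search(line)):
            proposal = m["prop"]  # remember the most recently negotiated ESP proposal
        elif (m := SAD_FAIL.search(line)) and m["ts"] in failed_algs:
            findings.append({"time": m["ts"], "spi": m["spi"], "proposal": proposal,
                             "failed_algs": sorted(failed_algs[m["ts"]])})
    return findings


if __name__ == "__main__":
    for finding in correlate(KERN_LOG, DAEMON_LOG):
        print(finding)
```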
