Hi there list,

Yes, you have seen $SUBJECT. But I promise, no need to roll eyes: I *think* I did my homework properly.

Here's the scenario: I have rebuilt the kernel of a WD My Cloud box in order to extend it. The kernel config is available at https://pastebin.com/mYGiK3eN

Prior to posting here I really tried to do my homework, doing extensive mailing list research. But it seems that the kernel build side is apparently OK. The strongSwan output is the following:

---
Apr 23 23:28:36 MyCloud systemd[1]: Starting Cleanup of Temporary Directories...
Apr 23 23:28:36 MyCloud systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
Apr 23 23:28:36 MyCloud systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Apr 23 23:28:36 MyCloud ipsec[1734]: Starting strongSwan 5.2.1 IPsec [starter]...
Apr 23 23:28:36 MyCloud ipsec_starter[1734]: Starting strongSwan 5.2.1 IPsec [starter]...
Apr 23 23:28:36 MyCloud systemd[1]: Started Cleanup of Temporary Directories.
Apr 23 23:28:36 MyCloud charon[1749]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.2.26, armv7l)
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loading secrets from '/etc/ipsec.d/mfrf.secrets'
Apr 23 23:28:36 MyCloud charon[1749]: 00[CFG] loaded IKE secret for 172.16.8.3
Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Apr 23 23:28:36 MyCloud charon[1749]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Apr 23 23:28:36 MyCloud charon[1749]: 00[JOB] spawning 16 worker threads
Apr 23 23:28:36 MyCloud ipsec_starter[1734]: charon (1749) started after 80 ms
Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] received stroke: add connection 'teste'
Apr 23 23:28:36 MyCloud charon[1749]: 15[CFG] added configuration 'teste'
Apr 23 23:28:36 MyCloud charon[1749]: 09[CFG] received stroke: initiate 'teste'
Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1] to 172.16.8.3
Apr 23 23:28:36 MyCloud charon[1749]: 09[IKE] initiating IKE_SA teste[1] to 172.16.8.3
Apr 23 23:28:36 MyCloud ipsec[1734]: charon (1749) started after 80 ms
Apr 23 23:28:37 MyCloud charon[1749]: 09[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 23 23:28:37 MyCloud charon[1749]: 09[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (1108 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] received packet: from 172.16.8.3[500] to 172.16.8.158[500] (376 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V ]
Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] received unknown vendor ID: 4f:45:75:5c:64:5c:6a:79:5c:5c:61:70
Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] authentication of '172.16.8.158' (myself) with pre-shared key
Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste
Apr 23 23:28:37 MyCloud charon[1749]: 16[IKE] establishing CHILD_SA teste
Apr 23 23:28:37 MyCloud charon[1749]: 16[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Apr 23 23:28:37 MyCloud charon[1749]: 16[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (380 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] received packet: from 172.16.8.3[500] to 172.16.8.158[500] (204 bytes)
Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] authentication of '172.16.8.3' with pre-shared key successful
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] IKE_SA teste[1] established between 172.16.8.158[172.16.8.158]...172.16.8.3[172.16.8.3]
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] scheduling reauthentication in 3305s
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] maximum IKE_SA lifetime 3485s
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with SPI c6781a65
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] received netlink error: Protocol not supported (93)
Apr 23 23:28:37 MyCloud charon[1749]: 14[KNL] unable to add SAD entry with SPI a6ac1542
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr 23 23:28:37 MyCloud charon[1749]: 14[IKE] sending DELETE for ESP CHILD_SA with SPI c6781a65
Apr 23 23:28:37 MyCloud charon[1749]: 14[ENC] generating INFORMATIONAL request 2 [ D ]
Apr 23 23:28:37 MyCloud charon[1749]: 14[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
Apr 23 23:28:41 MyCloud charon[1749]: 06[IKE] retransmit 1 of request with message ID 2
Apr 23 23:28:41 MyCloud charon[1749]: 06[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
Apr 23 23:28:48 MyCloud charon[1749]: 08[IKE] retransmit 2 of request with message ID 2
Apr 23 23:28:48 MyCloud charon[1749]: 08[NET] sending packet: from 172.16.8.158[500] to 172.16.8.3[500] (76 bytes)
---

It is a really simple IPsec setup, between two systems in the local network: 172.16.8.158 (the strongSwan box) and 172.16.8.3 (an openswan 2.6.37 box). The IPsec endpoints should use a PSK key. The configuration is pretty much standard and untouched. I have only added an include clause, see below:

---
root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.conf
config setup

include /etc/ipsec.d/*.conf
---
root@MyCloud:/dev/shm# grep -v \# /etc/ipsec.secrets
include /etc/ipsec.d/*.secrets
---

And here are the relevant config files:

root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.conf   (the only .conf file over there)
conn teste
        left=172.16.8.158
        right=172.16.8.3
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        auto=start
---
root@MyCloud:/dev/shm# cat /etc/ipsec.d/mfrf.secrets   (the only .secrets file over here too)
172.16.8.3 : PSK "zomgsecretkeyhere"
---

The strongSwan version:

---
root@MyCloud:/dev/shm# dpkg -l | grep strongsw
ii  libstrongswan                   5.2.1-6+deb8u2  armhf  strongSwan utility and crypto library
ii  libstrongswan-standard-plugins  5.2.1-6+deb8u2  armhf  strongSwan utility and crypto library (standard plugins)
ii  strongswan                      5.2.1-6+deb8u2  all    IPsec VPN solution metapackage
ii  strongswan-charon               5.2.1-6+deb8u2  armhf  strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon            5.2.1-6+deb8u2  armhf  strongSwan charon library
ii  strongswan-starter              5.2.1-6+deb8u2  armhf  strongSwan daemon starter and configuration file parser
---

The loaded modules output:

---
root@MyCloud:~# bash teste.sh
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
---
root@MyCloud:/dev/shm# grep -e XFRM -e IPCOMP -e DEFLATE /boot/config-3.2.26
CONFIG_XFRM=y
CONFIG_XFRM_USER=m
CONFIG_XFRM_SUB_POLICY=y
CONFIG_XFRM_MIGRATE=y
CONFIG_XFRM_STATISTICS=y
CONFIG_XFRM_IPCOMP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_TUNNEL=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_TUNNEL=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
CONFIG_CRYPTO_DEFLATE=y
CONFIG_ZLIB_DEFLATE=y
---

lsmod output:

root@MyCloud:/dev/shm# lsmod
Module                  Size  Used by
xfrm6_mode_tunnel       1514  0
xfrm4_mode_tunnel       1586  0
xfrm_user              24068  2
xfrm4_tunnel            1443  0
tunnel4                 2043  1 xfrm4_tunnel
pfe                   428717  0
ipcomp                  1770  0
xfrm_ipcomp             4059  1 ipcomp
ah4                     4666  0
af_key                 30346  0
cryptosoft             13291  0
cryptodev              11075  0
ocf                    23776  2 cryptodev,cryptosoft
ipv6                  262883 20 xfrm6_mode_tunnel
---

Any hints? /o\

Thanks for stopping by! \o

- Rodrigo.
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
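An added diagnostic, not part of the original post or of strongSwan: it compares the module names in an lsmod listing against a short checklist of modules an IPv4 ESP tunnel needs when they are built as =m (the checklist is an assumption for this kernel config; cipher and hash modules are left out). Run against the lsmod listing quoted above, it reports esp4 as not loaded, which is consistent with the netlink "Protocol not supported (93)" error charon logs when it tries to install the ESP SAD entries.

```shell
#!/bin/sh
# Modules an IPv4 ESP tunnel needs when CONFIG_INET_ESP, CONFIG_XFRM_USER and
# CONFIG_INET_XFRM_MODE_TUNNEL are =m (assumed checklist, not exhaustive).
REQUIRED_MODULES="xfrm_user esp4 xfrm4_mode_tunnel"

# Constructed sample: the lsmod listing from the post.
SAMPLE_LSMOD='Module                  Size  Used by
xfrm6_mode_tunnel       1514  0
xfrm4_mode_tunnel       1586  0
xfrm_user              24068  2
xfrm4_tunnel            1443  0
tunnel4                 2043  1 xfrm4_tunnel
pfe                   428717  0
ipcomp                  1770  0
xfrm_ipcomp             4059  1 ipcomp
ah4                     4666  0
af_key                 30346  0
cryptosoft             13291  0
cryptodev              11075  0
ocf                    23776  2 cryptodev,cryptosoft
ipv6                  262883 20 xfrm6_mode_tunnel'

# missing_modules LSMOD_TEXT
# Prints, one per line, every required module absent from the listing
# (the header line is skipped, only the first column is compared).
# Returns 0 when nothing is missing, 1 otherwise.
missing_modules() {
    lsmod_text=$1
    missing=""
    for mod in $REQUIRED_MODULES; do
        if ! printf '%s\n' "$lsmod_text" | awk 'NR > 1 { print $1 }' | grep -qx "$mod"; then
            missing="$missing $mod"
        fi
    done
    printf '%s\n' $missing
    [ -z "$missing" ]
}

# On the running box, replace "$SAMPLE_LSMOD" with "$(lsmod)".
missing_modules "$SAMPLE_LSMOD" \
    || echo "modprobe the modules listed above, then retry the CHILD_SA (ipsec up teste)"
```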
