I am using strongSwan-5.5.2 with a 4.4 Linux kernel on two Debian systems. ESP tunnel establishment works as expected between two IPv4 endpoints. But ESP tunnel establishment between two IPv6 endpoints fails, and I observed the following errors in the strongSwan logs during Quick Mode:
--------------------------------------
charon: [authpriv.info] 14[NET] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received packet: from 2020::20[500] to 2020::10[500] (444 bytes)
charon: [authpriv.info] 14[ENC] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> parsed QUICK_MODE response 1674824392 [ HASH SA No KE ID ID ]
charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error: Protocol not supported (93)
charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with SPI cb0cdfda
charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error: Protocol not supported (93)
charon: [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with SPI c1205b7d
charon: [authpriv.info] 14[IKE] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to install inbound and outbound IPsec SA (SAD) in kernel
--------------------------------------

Here is the output of ipsec statusall:

Status of IKE charon daemon (strongSwan 5.5.2, Linux 4.4.57, x86_64):
  uptime: 20 minutes, since Aug 10 12:01:39 2017
  malloc: sbrk 1480032, mmap 0, used 345280, free 1134752
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
  2020::10
Connections:
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:  2020::10...2020::20  IKEv1, dpddelay=30s
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:   local:  [2020::10] uses pre-shared key authentication
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:   remote: [2020::20] uses pre-shared key authentication
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:   child:  4.4.4.0/24 === 3.3.3.0/24 TUNNEL, dpdaction=restart
Routed Connections:
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}:  ROUTED, TUNNEL, reqid 1
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}:   4.4.4.0/24 === 3.3.3.0/24
Security Associations (1 up, 0 connecting):
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: ESTABLISHED 20 minutes ago, 2020::10[2020::10]...2020::20[2020::20]
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKEv1 SPIs: 23b31ae851f9bddb_i* bd1fcbc1681eb3ca_r, pre-shared key reauthentication in 7 hours
2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
--------------------------------------

ipsec.conf contents (peer contents are matching):

conn %default
    ikelifetime = 28800s
    type = tunnel
    lifetime = 3600s
    dpddelay = 30
    dpdaction = restart

conn 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24
    left=2020::10
    leftid=2020::10
    rightid=2020::20
    leftsubnet=4.4.4.0/24
    right=2020::20
    rightsubnet=3.3.3.0/24
    authby=secret
    keyexchange = ikev1
    auto = start
    fragmentation = yes
    esp=aes128-sha1-modp2048
    ike=aes128-sha1-modp2048!
--------------------------------------

From the logs it looks like the required XFRM modules related to IPv6 support are not pre-loaded by strongSwan. Therefore I manually loaded the missing kernel modules related to XFRM6, viz. ah6, esp6, ipcomp6, xfrm6_tunnel, xfrm6_mode_tunnel, xfrm6_mode_transport, ip6_tunnel. However, it didn't result in success of the IPv6 SA download. Finally I built all the features recommended at https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules as statically linked into the kernel instead of as modules, and then the IPv6 SA download was successful with the new kernel. This makes me think auto-loading of IPv6-related xfrm modules is missing in strongSwan. I found the following lines in its source file src/starter/netkey.c:
...
    /* make sure that all required IPsec modules are loaded */
    if (stat(PROC_MODULES, &stb) == 0)
    {
        ignore_result(system("modprobe -qv ah4"));
        ignore_result(system("modprobe -qv esp4"));
        ignore_result(system("modprobe -qv ipcomp"));
        ignore_result(system("modprobe -qv xfrm4_tunnel"));
        ignore_result(system("modprobe -qv xfrm_user"));
    }
...

Shouldn't it be doing modprobe for IPv6-related xfrm modules as well? Can someone point out the exact modules required to be loaded so that the IPv6 SA download by charon succeeds?

Thanks & regards,
Sandesh Sawant
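An added example that is not part of the original post or of strongSwan: a POSIX sh check, with function names of my own (missing_modules, check_live), that reports which of the XFRM/ESP modules from netkey.c and the IPv6 ones named above are neither loaded as modules nor compiled into the running kernel, so the modules-versus-built-in difference described above can be verified before charon tries to install SAs.

```shell
#!/bin/sh
# Added example, not strongSwan code: report which XFRM/ESP modules needed
# for IPsec SAs are neither loaded nor built into the running kernel.
# The IPv4 list is the one src/starter/netkey.c modprobes; the IPv6 list
# is the one loaded by hand in the post. Function names are my own.

IPV4_MODULES="ah4 esp4 ipcomp xfrm4_tunnel xfrm_user"
IPV6_MODULES="ah6 esp6 ipcomp6 xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport ip6_tunnel"

# missing_modules REQUIRED LOADED BUILTIN
#   REQUIRED: space-separated module names
#   LOADED:   text of /proc/modules (module name is the first field)
#   BUILTIN:  text of modules.builtin (paths ending in <name>.ko)
# Prints one line per required module that is neither loaded nor built in.
missing_modules() {
    required=$1
    loaded=$2
    builtin=$3
    for m in $required; do
        # loaded as a module?
        if printf '%s\n' "$loaded" | awk -v m="$m" '$1 == m { found = 1 } END { exit !found }'; then
            continue
        fi
        # compiled into the kernel (the case that finally worked in the post)?
        if printf '%s\n' "$builtin" | grep -q "/${m}\\.ko\$"; then
            continue
        fi
        printf '%s\n' "$m"
    done
}

# check_live: inspect the running kernel; returns 1 if anything is missing.
check_live() {
    loaded=$(cat /proc/modules 2>/dev/null)
    builtin=$(cat "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null)
    missing=$(missing_modules "$IPV4_MODULES $IPV6_MODULES" "$loaded" "$builtin")
    if [ -n "$missing" ]; then
        printf 'missing (neither loaded nor built in): %s\n' "$(printf '%s ' $missing)"
        return 1
    fi
    printf 'all IPsec/XFRM modules are available\n'
}

# Run with --live to inspect the current host; loading anything reported
# is left to the admin (modprobe -qv <name>, as netkey.c does for IPv4).
if [ "${1:-}" = "--live" ]; then
    check_live
fi
```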