Hi,

You need 4in6 support for ESP in the kernel.

Kind regards

Noel

On 11.08.2017 07:07, Sandesh Sawant wrote:
> I am using strongSwan 5.5.2 with a 4.4 Linux kernel on two Debian systems. ESP 
> tunnel establishment works as expected between two IPv4 endpoints. But when 
> establishing an ESP tunnel between two IPv6 endpoints, I observed the following 
> errors in the strongSwan logs during Quick Mode:
>
> --------------------------------------
>
> charon:  [authpriv.info] 14[NET] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received packet: from 2020::20[500] to 2020::10[500] (444 bytes)
> charon:  [authpriv.info] 14[ENC] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> parsed QUICK_MODE response 1674824392 [ HASH SA No KE ID ID ]
> charon:  [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error: Protocol not supported (93)
> charon:  [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with SPI cb0cdfda
> charon:  [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> received netlink error: Protocol not supported (93)
> charon:  [authpriv.info] 14[KNL] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to add SAD entry with SPI c1205b7d
> charon:  [authpriv.info] 14[IKE] <2020::10_4.4.4.0/24-2020::20_3.3.3.0/24|1> unable to install inbound and outbound IPsec SA (SAD) in kernel
>
> --------------------------------------
>
> here is the output of ipsec statusall:
>
> Status of IKE charon daemon (strongSwan 5.5.2, Linux 4.4.57, x86_64):
>
>   uptime: 20 minutes, since Aug 10 12:01:39 2017
>
>   malloc: sbrk 1480032, mmap 0, used 345280, free 1134752
>
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 3
>
>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> openssl fips-prf xcbc cmac hmac attr kernel-netlink resolve socket-default 
> stroke vici updown xauth-generic
>
> Listening IP addresses:
>
>   2020::10
>
> Connections:
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:  2020::10...2020::20  IKEv1, 
> dpddelay=30s
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:   local:  [2020::10] uses pre-shared 
> key authentication
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:   remote: [2020::20] uses pre-shared 
> key authentication
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24:   child:  4.4.4.0/24 === 3.3.3.0/24 TUNNEL, 
> dpdaction=restart
>
> Routed Connections:
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}:  ROUTED, TUNNEL, reqid 1
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24{1}:   4.4.4.0/24 === 3.3.3.0/24
>
> Security Associations (1 up, 0 connecting):
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: ESTABLISHED 20 minutes ago, 
> 2020::10[2020::10]...2020::20[2020::20]
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKEv1 SPIs: 23b31ae851f9bddb_i* 
> bd1fcbc1681eb3ca_r, pre-shared key reauthentication in 7 hours
>
> 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24[1]: IKE proposal: 
> AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
> --------------------------------------
>
> ipsec.conf contents (peer contents are matching):
>
> conn %default
>         ikelifetime = 28800s
>         type = tunnel
>         lifetime = 3600s
>         dpddelay = 30
>         dpdaction = restart
>
> conn 2020::10_4.4.4.0/24-2020::20_3.3.3.0/24
>         left=2020::10
>         leftid=2020::10
>         rightid=2020::20
>         leftsubnet=4.4.4.0/24
>         right=2020::20
>         rightsubnet=3.3.3.0/24
>         authby=secret
>         keyexchange = ikev1
>         auto = start
>         fragmentation = yes
>         esp=aes128-sha1-modp2048
>         ike=aes128-sha1-modp2048!
>
> --------------------------------------
>
> From the logs it looks like the required XFRM modules related to IPv6 support 
> are not pre-loaded by strongSwan.
> Therefore I manually loaded the missing kernel modules related to XFRM6, viz. 
> ah6, esp6, ipcomp6, xfrm6_tunnel, xfrm6_mode_tunnel, xfrm6_mode_transport, 
> ip6_tunnel. However, it didn't result in success of IPv6 SA download.
>
> Finally I built all the features recommended at 
> https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules as 
> statically-linked in kernel instead of as modules, and then the IPv6 SA 
> download was successful with the new kernel.
>
> This makes me think auto-loading of IPv6 related xfrm modules is missing in 
> strongSwan. I found the following lines in its source file 
> src/starter/netkey.c
> ...
>
>     /* make sure that all required IPsec modules are loaded */
>     if (stat(PROC_MODULES, &stb) == 0)
>     {
>         ignore_result(system("modprobe -qv ah4"));
>         ignore_result(system("modprobe -qv esp4"));
>         ignore_result(system("modprobe -qv ipcomp"));
>         ignore_result(system("modprobe -qv xfrm4_tunnel"));
>         ignore_result(system("modprobe -qv xfrm_user"));
>     }
> ...
> Shouldn't it be doing modprobe for IPv6 related xfrm modules?
>
> Can someone point out the exact modules required to be loaded so that IPv6 SA 
> download by charon succeeds?
>
> Thanks & regards,
> Sandesh Sawant
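As an added example (not strongSwan's code and not from either mail), here is the netkey.c module check quoted above extended to the IPv6 side. In the 4.4-era module layout a 4in6 ESP SA (IPv4 subnets inside an IPv6 tunnel) needs the esp6 type, the xfrm6 outer tunnel mode and the xfrm4 inner tunnel mode; when one of them is absent the kernel rejects the SA with EPROTONOSUPPORT (93), the netlink error in the logs. The module list is the one from the question plus xfrm4_mode_tunnel, which is an assumption of this example and is not named on the page.

```shell
#!/bin/sh
# Added example, not strongSwan's code: the netkey.c module check extended to
# the IPv6 side. In the 4.4-era module layout a 4in6 ESP SA (IPv4 subnets inside
# an IPv6 tunnel) needs the esp6 type, the xfrm6 outer tunnel mode and the xfrm4
# inner tunnel mode; if one is missing the kernel answers EPROTONOSUPPORT (93).

# Modules named in the thread plus xfrm4_mode_tunnel (assumed, not on the page).
IPSEC_MODULES="ah4 esp4 ipcomp xfrm4_tunnel xfrm4_mode_tunnel xfrm_user \
ah6 esp6 ipcomp6 xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport"

# missing_modules LOADED BUILTIN -> prints the names found in neither list.
#   LOADED:  text in /proc/modules format (module name is the first field)
#   BUILTIN: text in modules.builtin format (kernel/<path>/<name>.ko per line)
missing_modules() {
    loaded=$(printf '%s\n' "$1" | sed 's/ .*//')
    prebuilt=$(printf '%s\n' "$2" | sed -n 's#.*/\([^/]*\)\.ko$#\1#p')
    missing=""
    for m in $IPSEC_MODULES; do
        if ! printf '%s\n%s\n' "$loaded" "$prebuilt" | grep -qx "$m"; then
            missing="${missing}${missing:+ }$m"
        fi
    done
    printf '%s' "$missing"
}

# check_live_kernel: same test against the running system, then modprobe what
# is missing (the loop netkey.c runs, with the IPv6 names added).
check_live_kernel() {
    [ -r /proc/modules ] || { echo "no /proc/modules: kernel without module support?" >&2; return 2; }
    builtin_file="/lib/modules/$(uname -r)/modules.builtin"
    builtin_list=""
    [ -r "$builtin_file" ] && builtin_list=$(cat "$builtin_file")
    for m in $(missing_modules "$(cat /proc/modules)" "$builtin_list"); do
        modprobe -qv "$m" || echo "cannot load $m: enable it in the kernel config" >&2
    done
}

# Constructed sample input: IPv4 pieces loaded, xfrm6 modes built in, esp6 absent.
SAMPLE_LOADED='esp4 20480 0 - Live 0x0000000000000000
xfrm4_mode_tunnel 16384 1 - Live 0x0000000000000000
xfrm_user 32768 1 - Live 0x0000000000000000'
SAMPLE_BUILTIN='kernel/net/ipv6/xfrm6_mode_tunnel.ko
kernel/net/ipv6/xfrm6_mode_transport.ko
kernel/net/ipv4/ah4.ko'
```

Running `missing_modules "$SAMPLE_LOADED" "$SAMPLE_BUILTIN"` on the constructed sample reports `ipcomp xfrm4_tunnel ah6 esp6 ipcomp6 xfrm6_tunnel`; `check_live_kernel` does the same against the running system.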
