[Swan-dev] XfrmOutNoStates in Fedora 28

Paul Wouters paul at nohats.ca
Fri Jul 6 03:30:58 UTC 2018


On Thu, 5 Jul 2018, Qiuyu Xiao wrote:

> I recently encountered a problem when running Libreswan in Fedora 28.
> I thought it might be a bug so I just post it here.
>
> Basically, I was deploying transport mode IPsec between two hosts.
> After I set up Libreswan in Fedora 28 with 4.14.0 kernel, I found that
> the packet cannot be sent out and /proc/net/xfrm_stat shows
> XfrmOutNoStates errors. But the host can receive and process ESP
> packets (I tested this with a Fedora 27 host where Libreswan can
> correctly run).
>
> Below is some detailed information:
> Host version:
> Fedora 28 with kernel 4.14.0-1.fc28.x86_64
>
> Libreswan version:
> 3.23-2.fc28

There have been some issues with transport mode being broken in upstream
kernels. It might be worth seeing if the f28 kernel is broken or not.
I also just pushed 3.25-2 into fedora28, if you want to check if
upgrading libreswan helps.

> ip xfrm policy
> ------------------
> src 10.33.78.167/32 dst 10.33.79.184/32
>        dir out priority 2080 ptype main
>        tmpl src 0.0.0.0 dst 0.0.0.0
>                proto esp reqid 16389 mode transport
>
> src 10.33.79.184/32 dst 10.33.78.167/32
>        dir in priority 2080 ptype main
>        tmpl src 0.0.0.0 dst 0.0.0.0
>                proto esp reqid 16389 mode transport
>
> ip xfrm state
> -----------------
> src 10.33.79.184 dst 10.33.78.167
>        proto esp spi 0xd16f9fd1 reqid 16389 mode transport
>        replay-window 32
>        aead rfc4106(gcm(aes))
> 0x6d15bb854f28069891f40905320cc0debcc93e46eb6093b4cd6bff65dee5fbebd4fa1aaf
> 128
>        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>        sel src 10.33.79.184/32 dst 10.33.78.167/32
>
> src 10.33.78.167 dst 10.33.79.184
>        proto esp spi 0x1bd4d970 reqid 16389 mode transport
>        replay-window 32
>        aead rfc4106(gcm(aes))
> 0xb874dedc137d202b502c03ead3f3cc1a565ed680b25832d4ac3dd7d1ea1ab37b2fc27599
> 128
>        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
>        sel src 10.33.78.167/32 dst 10.33.79.184/32

This all looks okay.

Paul
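As an added worked example (not part of the thread, and not libreswan or kernel code): XfrmOutNoStates is incremented when an outbound packet matches an SPD policy whose template cannot be resolved to an SA in the SAD. The script below parses `ip xfrm policy` and `ip xfrm state` output and reproduces that lookup in user space (template proto/reqid/mode plus endpoints, with a wildcard template address filled from the flow, which for a /32 transport-mode policy is the policy's own src/dst), so a missing SA, a reqid mismatch or a tunnel/transport mix-up is visible directly. The sample input reproduces the SPD/SAD from the post with the keys replaced by a constructed placeholder; the `xfrm_stat` snippet and the missing-SA variant are constructed. The matching is a simplification of the kernel's state lookup (it ignores the selector, policy priority and SA lifetimes).

```python
"""Cross-check the SPD (`ip xfrm policy`) against the SAD (`ip xfrm state`)
to explain XfrmOutNoStates.  Added example, not libreswan code."""
import re
from dataclasses import dataclass

WILDCARD = ("0.0.0.0", "::")   # template address "take it from the flow"


@dataclass
class Policy:
    src: str          # selector, e.g. "10.33.78.167/32"
    dst: str
    direction: str    # "in", "out" or "fwd"
    tmpl_src: str
    tmpl_dst: str
    proto: str
    reqid: int
    mode: str


@dataclass
class State:
    src: str          # SA endpoints, no prefix length
    dst: str
    proto: str
    spi: int
    reqid: int
    mode: str


def _blocks(text):
    """`ip xfrm` separates entries with a blank line."""
    return [b.strip() for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def parse_policies(text):
    policies = []
    for block in _blocks(text):
        hdr = re.match(r"src (\S+) dst (\S+)", block)
        direction = re.search(r"\bdir (\w+)", block)
        tmpl = re.search(r"tmpl src (\S+) dst (\S+)\s+proto (\w+) reqid (\d+) mode (\w+)", block)
        if not (hdr and direction and tmpl):
            continue  # socket policies and template-less entries are skipped
        policies.append(Policy(hdr[1], hdr[2], direction[1], tmpl[1], tmpl[2],
                               tmpl[3], int(tmpl[4]), tmpl[5]))
    return policies


def parse_states(text):
    states = []
    for block in _blocks(text):
        hdr = re.match(r"src (\S+) dst (\S+)", block)
        sa = re.search(r"proto (\w+) spi (0x[0-9a-fA-F]+) reqid (\d+) mode (\w+)", block)
        if not (hdr and sa):
            continue
        states.append(State(hdr[1], hdr[2], sa[1], int(sa[2], 16), int(sa[3]), sa[4]))
    return states


def _host(selector):
    return selector.split("/", 1)[0]


def resolve(policy, states):
    """Return the SA the policy's template resolves to, or None (-> XfrmOutNoStates)."""
    want_src = _host(policy.src) if policy.tmpl_src in WILDCARD else policy.tmpl_src
    want_dst = _host(policy.dst) if policy.tmpl_dst in WILDCARD else policy.tmpl_dst
    for sa in states:
        if (sa.src, sa.dst, sa.proto, sa.reqid, sa.mode) == \
           (want_src, want_dst, policy.proto, policy.reqid, policy.mode):
            return sa
    return None


def unresolved_out_policies(policy_text, state_text):
    states = parse_states(state_text)
    return [p for p in parse_policies(policy_text)
            if p.direction == "out" and resolve(p, states) is None]


def xfrm_counters(stat_text):
    """Parse /proc/net/xfrm_stat into {counter name: value}."""
    return {k: int(v) for k, v in re.findall(r"^(Xfrm\w+)\s+(\d+)", stat_text, re.M)}


# Sample input: the SPD/SAD from the post, keys replaced by a placeholder
# (`ip xfrm state` prints the real AEAD key in clear; redact before posting).
POLICY_OUTPUT = """\
src 10.33.78.167/32 dst 10.33.79.184/32
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport

src 10.33.79.184/32 dst 10.33.78.167/32
        dir in priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
"""

STATE_OUTPUT = """\
src 10.33.79.184 dst 10.33.78.167
        proto esp spi 0xd16f9fd1 reqid 16389 mode transport
        replay-window 32
        aead rfc4106(gcm(aes)) 0x00000000000000000000000000000000 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.33.79.184/32 dst 10.33.78.167/32

src 10.33.78.167 dst 10.33.79.184
        proto esp spi 0x1bd4d970 reqid 16389 mode transport
        replay-window 32
        aead rfc4106(gcm(aes)) 0x00000000000000000000000000000000 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.33.78.167/32 dst 10.33.79.184/32
"""

# Constructed failure case: only the inbound SA is present.
STATE_OUTPUT_MISSING_OUTBOUND = STATE_OUTPUT.split("\n\n")[0] + "\n"

# Constructed /proc/net/xfrm_stat excerpt.
XFRM_STAT_SAMPLE = """\
XfrmInError                 0
XfrmInNoStates              0
XfrmOutNoStates             17
XfrmOutPolError             0
"""

if __name__ == "__main__":
    bad = unresolved_out_policies(POLICY_OUTPUT, STATE_OUTPUT)
    print("unresolved out policies:", [(p.src, p.dst, p.reqid) for p in bad] or "none")
    print("XfrmOutNoStates =", xfrm_counters(XFRM_STAT_SAMPLE)["XfrmOutNoStates"])
```

On the tables from the post the out policy resolves to the SA with spi 0x1bd4d970, which is the user-space equivalent of "this all looks okay" above: when the check passes but XfrmOutNoStates keeps climbing, the SPD/SAD contents are not the problem and the kernel side (as suspected in the reply) is the next thing to test, for example by trying a different kernel build. The check reports a problem only for a missing outbound SA or a template whose proto/reqid/mode does not match any SA.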

