[Swan] libreswan 3.8 (netkey) and modules

Paul Wouters paul at nohats.ca
Fri Feb 28 17:25:02 EET 2014


On Fri, 28 Feb 2014, Pavel Kopchyk wrote:

> ERROR: Module xfrm4_mode_tunnel is in use
> ERROR: Module esp4 is in use
> FAILURE to unload NETKEY esp4/esp6 module
> Starting pluto IKE daemon for IPsec:                       [  OK  ]
>
> For me it is not critical since I only use NETKEY (in this case).
> But if I want try to use KLIPS after NETKEY?

There is disagreement about this with the kernel people.

This happens when sockets in the kernel are still holding deleted SAs.
There is no way to "force delete" these. I was told "there's nothing
you can do because those SAs may be pinned down by sockets, in which
case the only thing you can do is to kill those processes". As pluto
has shut down by the time we try to delete the modules, I'm not sure
what processes are being referred to here.

The only solution given to me was "don't delete the modules", which we
do exactly for the reason you mention above: to support switching
IPsec stacks.

Apparently, we can try to use rmmod -w but that might cause very long
delay times. I think this amounts to the same as running "stop" twice
in a row. I think it might work, and we could try to incorporate that.

The kernel people don't consider this their problem. They cannot remove
modules whose code can still be executed and they already provided a
wait mechanism.

> Feb 28 08:47:30 test kernel: tunnel6: Unknown symbol icmpv6_send
> Feb 28 08:47:30 test kernel: tunnel6: Unknown symbol icmpv6_send
> Feb 28 08:47:30 test kernel: xfrm6_mode_tunnel: Unknown symbol
> xfrm6_prepare_output
> Feb 28 08:47:30 test kernel: xfrm6_mode_beet: Unknown symbol
> xfrm6_prepare_output
> Feb 28 08:47:30 test kernel: esp6: Unknown symbol xfrm6_rcv
> Feb 28 08:47:30 test kernel: esp6: Unknown symbol xfrm6_find_1stfragopt
> Feb 28 08:47:30 test kernel: ah6: Unknown symbol xfrm6_rcv
> Feb 28 08:47:30 test kernel: ah6: Unknown symbol xfrm6_find_1stfragopt
> Feb 28 08:47:30 test kernel: NET: Registered protocol family 15
>
> May make sense to check the ipv6?

I'm not sure how you got those issues? It looks like modprobing failed
somehow for the ipv6 related ipsec modules? Why are those compiled
but the core ipv6 modules are not?

Paul
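As an added illustration (not code from this thread or from libreswan), here is a bounded form of the wait approach discussed above: instead of blocking in `rmmod -w`, poll each module's reference count in sysfs for a limited time and report which modules stayed pinned. `SYSFS_ROOT` is a hypothetical override that only exists so the logic can be exercised against a constructed sysfs tree.

```shell
#!/bin/sh
# Added example: bounded wait for the NETKEY module refcounts to drop to 0
# before unloading, as an alternative to an unbounded `rmmod -w`.
# SYSFS_ROOT is a hypothetical override (defaults to the real /sys).
SYSFS_ROOT="${SYSFS_ROOT:-/sys}"

# Print a module's current reference count, or "absent" if it is not loaded.
module_refcnt() {
    f="$SYSFS_ROOT/module/$1/refcnt"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo absent
    fi
}

# Poll once per second, for at most $2 seconds, until module $1 reaches
# refcnt 0 or is no longer loaded. Returns 0 when unloading is safe, 1 on timeout.
wait_module_idle() {
    mod="$1"; budget="${2:-10}"
    while [ "$budget" -gt 0 ]; do
        case "$(module_refcnt "$mod")" in
            0|absent) return 0 ;;
        esac
        sleep 1
        budget=$((budget - 1))
    done
    return 1
}

# Try to unload the modules named in the report, giving each at most $1 seconds
# to become idle. Modules still pinned (e.g. by sockets holding deleted SAs)
# are left loaded and listed on stderr instead of forcing anything.
unload_netkey_modules() {
    failed=""
    for mod in esp4 esp6 xfrm4_mode_tunnel xfrm6_mode_tunnel; do
        if wait_module_idle "$mod" "${1:-10}"; then
            # Only call rmmod for modules that are actually loaded.
            [ "$(module_refcnt "$mod")" = absent ] || rmmod "$mod" || failed="$failed $mod"
        else
            failed="$failed $mod"
        fi
    done
    [ -z "$failed" ] || { echo "still in use:$failed" >&2; return 1; }
}
```

Running this twice with a short budget behaves much like the "stop twice in a row" idea, but with a visible list of what stayed loaded.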

