[Swan] klips_error:ipsec_xmit_encap_init

Erik Andersson erik at ingate.com
Mon Feb 22 17:12:20 UTC 2016


Hi all,

I'm running libreswan 3.15 on CentOS 7. I'm trying to set up an 
IPv6-in-IPv4 tunnel according to the following configuration:

version 2.0
config setup
         protostack=klips
         interfaces="ipsec0=eth0"

conn mytunnel
         authby=secret
         right=10.48.28.60
         left=10.48.28.70
         rightsubnet=2001:470:dc8c:5000::/64
         leftsubnet=2001:470:dc8c:4000::/64
         connaddrfamily=ipv6
         type=tunnel
         pfs=yes

The SAs are created as expected:

000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(2), authenticated(2), anonymous(0)
000
000 #3: "mytunnel":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 24662s; isakmp#2; idle; import:not set
000 #3: "mytunnel" esp.fc8b8f41 at 10.48.28.70 esp.a951a5fa at 10.48.28.60 tun.1000 at 10.48.28.70 tun.1001 at 10.48.28.60 ref=0 refhim=4294901761 Traffic:! ESPmax=4194303B
000 #4: "mytunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 24181s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #4: "mytunnel" used 2678s ago; esp.fc8b8f42 at 10.48.28.70 esp.a951a5fb at 10.48.28.60 tun.1002 at 10.48.28.70 tun.1003 at 10.48.28.60 ref=0 refhim=4294901761 Traffic:! ESPmax=4194303B
000 #5: "mytunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1378s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
000

Sending and receiving ICMPv6 and UDP traffic between the two subnets 
works. I have trouble with TCP connections. E.g. when starting a new ssh 
connection from the host 2001:470:dc8c:4000::20 (CentOS 7) to the 
host 2001:470:dc8c:5000::20 (CentOS 7), several of these KLIPS errors are 
printed in the kernel log (on both gateways):

[ 1731.562351] klips_error:ipsec_xmit_encap_init: tried to skb_put 29, 19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should never happen, please report.
[ 1731.768707] klips_error:ipsec_xmit_encap_init: tried to skb_put 29, 19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should never happen, please report.
[ 1731.975623] klips_error:ipsec_xmit_encap_init: tried to skb_put 29, 19 available. Retuning IPSEC_XMIT_ESP_PUSHPULLERR  This should never happen, please report.

No ssh login prompt is displayed on the client end. I've tried ftp with 
a similar result. Bumping to libreswan 3.16 doesn't help.

Doing an IPv4-in-IPv6 tunnel works fine. No KLIPS errors when using TCP.

Any ideas?

Thanks in advance,

/Erik

