[Swan] FAILURE in loading XFRM IPsec stack on 3.28
Paul Wouters
paul at nohats.ca
Tue May 28 02:18:06 UTC 2019
On Mon, 27 May 2019, Computerisms Corporation wrote:
> _stackmanager[523]: FAILURE in loading XFRM IPsec stack
>
> I traced it down in the code to a file called _stackmanager.in, and it
> appears the error is generated because of a missing file:
>
> /proc/net/xfrm_stat
>
> Here is where I have been spinning my wheels for a bit too long, I am not
> sure if that is supposed to be created as a result of iproute2 or some other
> package, or maybe it's a kernel module (I did install and then remove dkms
> trying to xtables-addons working) issue and I need to modprobe something, or
> if Libreswan was supposed to create it and didn't.
It is part of the kernel, and is created by enabling CONFIG_XFRM_STATISTICS.
We used to check XFRM using /proc/net/pf_key but that was really the
PFKEYv2 API, not the netlink/xfrm API, and work is happening in the
kernel to completely disable the PFKEYv2 API. So we needed another test.
We thought most distributions had CONFIG_XFRM_STATISTICS enabled, so it
was the easiest for us to detect XFRM support in the kernel. But some
people don't seem to have this enabled.
Does your system have /proc/sys/net/core/xfrm_acq_expires ? Maybe we
need to switch to that to test whether XFRM support is available.
> So, did I find a real problem, or am I just in need of someone to point out a
> glaringly obvious error on my part?
It's not you, it's us :)
Although, /proc/net/xfrm_stat is your _only_ way of getting any
debugging of the kernel level IPsec related events, so you really
do want it enabled in your custom kernels too :)
Paul
More information about the Swan
mailing list