[Swan] IKEv2 causing netlink errors
Paul Wouters
paul at nohats.ca
Mon Dec 9 21:18:11 UTC 2019
On Fri, 6 Dec 2019, Peter Rofner wrote:
> I have multiple servers running LibreSwan on Gentoo. I updated one server
> from 3.27 to 3.29 and my ipsec connection suddenly fails with:
>
> ERROR: netlink response for Add SA esp.286bb1e6 at x.x.x.x included errno 38:
> Function not implemented
What kind of IPsec SA was it trying to add to the kernel?
> I spent the day comparing all the kernel settings, cryptography settings, and
> libreswan settings on the pair of servers, which completely matched, all to
> no avail. Recompiled the kernel multiple times, still to no avail. The only
> major difference between servers is one is a relatively current Xeon server
> and the one with the error is an old Atom system.
>
> Adding ikev2=no to ipsec.conf restores the connection.
That seems strange. The version of IKE should not matter for the
supported kernel algorithms (after than IKEv2 having more algorithms
than IKEv1)
> Despite the fact that the connection is restored, I'm curious why IKEv2 would
> cause that netlink error.
I would have to see more logs to determine what happened. Ideally, a log
of the IKEv1 and IKEv2 runs.
Paul
More information about the Swan
mailing list