[Swan] IKEv2 causing netlink errors

Paul Wouters paul at nohats.ca
Mon Dec 9 21:18:11 UTC 2019

On Fri, 6 Dec 2019, Peter Rofner wrote:

> I have multiple servers running LibreSwan on Gentoo. I updated one server 
> from 3.27 to 3.29 and my ipsec connection suddenly fails with:
> ERROR: netlink response for Add SA esp.286bb1e6 at x.x.x.x included errno 38: 
> Function not implemented

What kind of IPsec SA was it trying to add to the kernel?

> I spent the day comparing all the kernel settings, cryptography settings, and 
> libreswan settings on the pair of servers, which completely matched, all to 
> no avail. Recompiled the kernel multiple times, still to no avail. The only 
> major difference between servers is one is a relatively current Xeon server 
> and the one with the error is an old Atom system.
> Adding ikev2=no to ipsec.conf restores the connection.

That seems strange. The version of IKE should not matter for the
supported kernel algorithms (other than IKEv2 having more algorithms
than IKEv1).

> Despite the fact that the connection is restored, I'm curious why IKEv2 would 
> cause that netlink error.

I would have to see more logs to determine what happened. Ideally, a log
of the IKEv1 and IKEv2 runs.


