[Swan] IKEv2 causing netlink errors
Peter Rofner
profner at richmondnursery.com
Tue Dec 10 12:35:01 UTC 2019
On 12/9/19 4:18 PM, Paul Wouters wrote:
> On Fri, 6 Dec 2019, Peter Rofner wrote:
>
>> I have multiple servers running LibreSwan on Gentoo. I updated one
>> server from 3.27 to 3.29 and my ipsec connection suddenly fails with:
>>
>> ERROR: netlink response for Add SA esp.286bb1e6 at x.x.x.x included errno
>> 38: Function not implemented
>
> What kind of IPsec SA was it trying to add to the kernel?
I'm, unfortunately, not versed enough to figure out how to determine that.
>> I spent the day comparing all the kernel settings, cryptography
>> settings, and libreswan settings on the pair of servers, which
>> completely matched, all to no avail. Recompiled the kernel multiple
>> times, still to no avail. The only major difference between servers is
>> one is a relatively current Xeon server and the one with the error is
>> an old Atom system.
>>
>> Adding ikev2=no to ipsec.conf restores the connection.
>
> That seems strange. The version of IKE should not matter for the
> supported kernel algorithms (other than IKEv2 having more algorithms
> than IKEv1)
Agreed. That's why I'm baffled, though I'm not that much of a
programmer, especially when it comes to the complexities of IPSec. But
just adding ikev2=no restores the connection.
>> Despite the fact that the connection is restored, I'm curious why
>> IKEv2 would cause that netlink error.
>
> I would have to see more logs to determine what happened. Ideally, a log
> of the IKEv1 and IKEv2 runs.
Here are some logs I have. Hopefully this works and provides some clues.
This is where I commented out ikev2=no and the connection fails:
----
Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA
Dec 10 07:04:14 [pluto] "Richmond_Home": constructed local IKE proposals
for Richmond_Home (IKE SA initiator selecting KE):
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
(default)
Dec 10 07:04:14 [pluto] "Richmond_Home" #1: STATE_PARENT_I1: sent v2I1,
expected v2R1
Dec 10 07:04:14 [pluto] "Richmond_Home": constructed local ESP/AH
proposals for Richmond_Home (IKE SA initiator emitting ESP/AH
proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: STATE_PARENT_I2: sent v2I2,
expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a
prf=HMAC_SHA2_512 group=MODP2048}
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: IKE SA authentication
request rejected by peer: AUTHENTICATION_FAILED
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: scheduling retry attempt 1
of an unlimited number
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: STATE_PARENT_I2: suppressing
retransmits; will wait 59.922 seconds for retry
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: processing IKE_SA_INIT
request: SA,KE,Ni,N,N,N (message arrived 0 seconds ago)
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: proposal
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from
remote proposals
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match]
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: STATE_PARENT_R1: received
v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a
prf=HMAC_SHA2_512 group=MODP2048}
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: processing encrypted
IKE_AUTH request: SK (message arrived 0 seconds ago)
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: processing decrypted
IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: IKEv2 mode peer ID is
ID_IPV4_ADDR: 'x.x.x.x'
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: Authenticated using
authby=secret
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: proposal
1:ESP:SPI=8b6ef1d5;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote
proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match]
2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: ERROR: netlink response for
Add SA esp.8b6ef1d5 at x.x.x.x included errno 38: Function not implemented
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: setup_half_ipsec_sa() hit fail:
Dec 10 07:04:21 [pluto] "Richmond_Home" #4: deleting state
(STATE_UNDEFINED) aged 0.008s and NOT sending notification
Dec 10 07:04:21 [pluto] "Richmond_Home" #4: ERROR: netlink response for
Del SA esp.8b6ef1d5 at 72.143.98.222 included errno 3: No such process
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: no useful state microcode
entry found for incoming packet
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: dropping message with no
matching microcode
----
And the log when ikev2=no returned to the ipsec.conf file and the
connection establishes:
----
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: initiating Main Mode
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: STATE_MAIN_I2: sent MI2,
expecting MR2
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: STATE_MAIN_I3: sent MI3,
expecting MR3
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: Peer ID is ID_IPV4_ADDR:
'x.x.x.x'
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256
group=MODP2048}
Dec 10 07:09:17 [pluto] "Richmond_Home" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
{using isakmp#1 msgid:5660323e proposal=defaults pfsgroup=MODP2048}
Dec 10 07:09:18 [pluto] "Richmond_Home" #2: STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode {ESP=>0x21824963 <0x4640938b
xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: responding to Main Mode
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: STATE_MAIN_R1: sent MR1,
expecting MI2
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: STATE_MAIN_R2: sent MR2,
expecting MI3
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: Peer ID is ID_IPV4_ADDR:
'72.143.98.222'
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: STATE_MAIN_R3: sent MR3,
ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256
integ=HMAC_SHA2_256 group=MODP2048}
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: the peer proposed:
10.100.3.0/24:0/0 -> 10.100.1.0/24:0/0
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: responding to Quick Mode
proposal {msgid:9b7cf5f5}
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: us:
10.100.3.0/24===x.x.x.x<x.x.x.x>
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: them:
x.x.x.x<x.x.x.x>===10.100.1.0/24
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: keeping refhim=0 during rekey
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: STATE_QUICK_R1: sent QR1,
inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xe96b5d09
<0x807f1757 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: STATE_QUICK_R2: IPsec SA
established tunnel mode {ESP=>0xe96b5d09 <0x807f1757
xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
----
I did notice the AUTHENTICATION_FAILED message in the first logs, but
again, I don't get that since there are no other configuration changes
other than removing ikev2=no.
One other difference between this connection and others my server is
connecting to is this endpoint has a dynamic gateway so I can't add a
static rightnexthop while all the other connections are fully static.
Not sure if that's an influence or not.
Thanks for your time.
--
Peter Rofner
Richmond Nursery Inc.
http://www.richmondnursery.com
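As an added example (not part of the thread and not Libreswan's own tooling), a small parser that answers Paul's question from the pluto log: it pairs each ESP "chosen from remote proposals" line with a later "netlink response for Add SA" error on the same SPI, and separately pulls the xfrm algorithms of the SAs the IKEv1 run did install. The sample lines are constructed from the log quoted above, re-joined onto single lines because the mail wrapping split them; the regexes assume the 3.29 log wording shown in the post.

```python
import re

# Constructed samples, copied in shape from the pluto log quoted in the post
# and re-joined onto one line per log record (mail wrapping had split them).
FAILING_LOG = """\
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: proposal 1:ESP:SPI=8b6ef1d5;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match]
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: ERROR: netlink response for Add SA esp.8b6ef1d5 at x.x.x.x included errno 38: Function not implemented
Dec 10 07:04:21 [pluto] "Richmond_Home" #4: ERROR: netlink response for Del SA esp.8b6ef1d5 at x.x.x.x included errno 3: No such process
"""

WORKING_LOG = """\
Dec 10 07:09:18 [pluto] "Richmond_Home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x21824963 <0x4640938b xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
"""

# The ESP proposal pluto picked, keyed by the SPI it will hand to the kernel.
CHOSEN_RE = re.compile(r'#(\d+): proposal \d+:ESP:SPI=([0-9a-f]+);(\S+?) chosen from')
# Kernel (netlink/xfrm) answer to an Add/Del SA request for that SPI.
NETLINK_RE = re.compile(
    r'#(\d+): ERROR: netlink response for (Add|Del) SA esp\.([0-9a-f]+) .* errno (\d+)')
# Algorithms of an SA that actually made it into the kernel (IKEv1 wording).
XFRM_RE = re.compile(r'IPsec SA established .*xfrm=(\S+)')


def parse_algs(spec):
    """'ENCR=AES_GCM_C_256;ESN=DISABLED' -> {'ENCR': 'AES_GCM_C_256', 'ESN': 'DISABLED'}"""
    return dict(item.split('=', 1) for item in spec.split(';') if '=' in item)


def failed_sa_installs(log):
    """Return [(spi, chosen_algs, errno)] for every Add SA the kernel refused."""
    chosen = {}      # spi -> algorithm dict from the 'chosen from remote proposals' line
    failures = []
    for line in log.splitlines():
        m = CHOSEN_RE.search(line)
        if m:
            chosen[m.group(2)] = parse_algs(m.group(3))
            continue
        m = NETLINK_RE.search(line)
        if m and m.group(2) == 'Add':      # Del errors are just cleanup of the failed Add
            failures.append((m.group(3), chosen.get(m.group(3), {}), int(m.group(4))))
    return failures


def installed_xfrm_algs(log):
    """Return the xfrm algorithm strings of SAs the kernel accepted."""
    return [m.group(1) for m in XFRM_RE.finditer(log)]
```

Run against both logs, the failing run shows the kernel refusing an AES_GCM_C_256 ESP SA with errno 38, while the working IKEv1 run installed AES_CBC_128-HMAC_SHA1_96; that contrast is the detail Paul asked for.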