[Swan] IKEv2 causing netlink errors

Peter Rofner profner at richmondnursery.com
Tue Dec 10 12:35:01 UTC 2019


On 12/9/19 4:18 PM, Paul Wouters wrote:
> On Fri, 6 Dec 2019, Peter Rofner wrote:
> 
>> I have multiple servers running LibreSwan on Gentoo. I updated one 
>> server from 3.27 to 3.29 and my ipsec connection suddenly fails with:
>>
>> ERROR: netlink response for Add SA esp.286bb1e6 at x.x.x.x included errno 
>> 38: Function not implemented
> 
> What kind of IPsec SA was it trying to add to the kernel?

I'm, unfortunately, not versed enough to figure out how to determine that.

>> I spent the day comparing all the kernel settings, cryptography 
>> settings, and libreswan settings on the pair of servers, which 
>> completely matched, all to no avail. Recompiled the kernel multiple 
>> times, still to no avail. The only major difference between servers is 
>> one is a relatively current Xeon server and the one with the error is 
>> an old Atom system.
>>
>> Adding ikev2=no to ipsec.conf restores the connection.
> 
> That seems strange. The version of IKE should not matter for the
> supported kernel algorithms (other than IKEv2 having more algorithms
> than IKEv1)

Agreed. That's why I'm baffled, though I'm not that much of a 
programmer, especially when it comes to the complexities of IPSec. But 
just adding ikev2=no restores the connection.

>> Despite the fact that the connection is restored, I'm curious why 
>> IKEv2 would cause that netlink error.
> 
> I would have to see more logs to determine what happened. Ideally, a log
> of the IKEv1 and IKEv2 runs.

Here are some logs I have. Hopefully this works and provides some clues.

This is where I commented out ikev2=no and the connection fails:

----
Dec 10 07:04:14 [pluto] "Richmond_Home" #1: initiating v2 parent SA
Dec 10 07:04:14 [pluto] "Richmond_Home": constructed local IKE proposals 
for Richmond_Home (IKE SA initiator selecting KE): 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 
(default)
Dec 10 07:04:14 [pluto] "Richmond_Home" #1: STATE_PARENT_I1: sent v2I1, 
expected v2R1
Dec 10 07:04:14 [pluto] "Richmond_Home": constructed local ESP/AH 
proposals for Richmond_Home (IKE SA initiator emitting ESP/AH 
proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 
2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default)
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: STATE_PARENT_I2: sent v2I2, 
expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048}
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: IKE SA authentication 
request rejected by peer: AUTHENTICATION_FAILED
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: scheduling retry attempt 1 
of an unlimited number
Dec 10 07:04:14 [pluto] "Richmond_Home" #2: STATE_PARENT_I2: suppressing 
retransmits; will wait 59.922 seconds for retry
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: processing IKE_SA_INIT 
request: SA,KE,Ni,N,N,N (message arrived 0 seconds ago)
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: proposal 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from 
remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 
4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: STATE_PARENT_R1: received 
v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048}
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: processing encrypted 
IKE_AUTH request: SK (message arrived 0 seconds ago)
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: processing decrypted 
IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr}
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: IKEv2 mode peer ID is 
ID_IPV4_ADDR: 'x.x.x.x'
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: Authenticated using 
authby=secret
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: proposal 
1:ESP:SPI=8b6ef1d5;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote 
proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 
2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 
3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 
4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 
5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: ERROR: netlink response for 
Add SA esp.8b6ef1d5 at x.x.x.x included errno 38: Function not implemented
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: setup_half_ipsec_sa() hit fail:
Dec 10 07:04:21 [pluto] "Richmond_Home" #4: deleting state 
(STATE_UNDEFINED) aged 0.008s and NOT sending notification
Dec 10 07:04:21 [pluto] "Richmond_Home" #4: ERROR: netlink response for 
Del SA esp.8b6ef1d5 at 72.143.98.222 included errno 3: No such process
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: no useful state microcode 
entry found for incoming packet
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: dropping message with no 
matching microcode
----

And the log when ikev2=no returned to the ipsec.conf file and the 
connection establishes:

----
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: initiating Main Mode
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: STATE_MAIN_I2: sent MI2, 
expecting MR2
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: STATE_MAIN_I3: sent MI3, 
expecting MR3
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: Peer ID is ID_IPV4_ADDR: 
'x.x.x.x'
Dec 10 07:09:17 [pluto] "Richmond_Home" #1: STATE_MAIN_I4: ISAKMP SA 
established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 
group=MODP2048}
Dec 10 07:09:17 [pluto] "Richmond_Home" #2: initiating Quick Mode 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 
{using isakmp#1 msgid:5660323e proposal=defaults pfsgroup=MODP2048}
Dec 10 07:09:18 [pluto] "Richmond_Home" #2: STATE_QUICK_I2: sent QI2, 
IPsec SA established tunnel mode {ESP=>0x21824963 <0x4640938b 
xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: responding to Main Mode
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: STATE_MAIN_R1: sent MR1, 
expecting MI2
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: STATE_MAIN_R2: sent MR2, 
expecting MI3
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: Peer ID is ID_IPV4_ADDR: 
'72.143.98.222'
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: STATE_MAIN_R3: sent MR3, 
ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 
integ=HMAC_SHA2_256 group=MODP2048}
Dec 10 07:09:26 [pluto] "Richmond_Home" #3: the peer proposed: 
10.100.3.0/24:0/0 -> 10.100.1.0/24:0/0
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: responding to Quick Mode 
proposal {msgid:9b7cf5f5}
Dec 10 07:09:26 [pluto] "Richmond_Home" #4:     us: 
10.100.3.0/24===x.x.x.x<x.x.x.x>
Dec 10 07:09:26 [pluto] "Richmond_Home" #4:   them: 
x.x.x.x<x.x.x.x>===10.100.1.0/24
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: keeping refhim=0 during rekey
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: STATE_QUICK_R1: sent QR1, 
inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xe96b5d09 
<0x807f1757 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
Dec 10 07:09:26 [pluto] "Richmond_Home" #4: STATE_QUICK_R2: IPsec SA 
established tunnel mode {ESP=>0xe96b5d09 <0x807f1757 
xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
----

I did notice the AUTHENTICATION_FAILED message in the first logs, but 
again, I don't get that since there are no other configuration changes 
other than removing ikev2=no.

One other difference between this connection and others my server is 
connecting to is this endpoint has a dynamic gateway so I can't add a 
static rightnexthop while all the other connections are fully static. 
Not sure if that's an influence or not.

Thanks for your time.

-- 
Peter Rofner
Richmond Nursery Inc.
http://www.richmondnursery.com
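As an added example (not part of this thread), a small Python triage script that reads the pluto lines quoted above and pairs each failed netlink "Add SA" with the ESP proposal pluto had just chosen for the same SPI, so the algorithm the kernel rejected is visible from the log alone. The sample lines are the ones from the IKEv2 run, re-joined after mail wrapping; the regexes assume that line format.

```python
import re

# Constructed sample: the relevant pluto lines from the IKEv2 run above,
# re-joined onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: proposal 1:ESP:SPI=8b6ef1d5;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED
Dec 10 07:04:21 [pluto] "Richmond_Home" #3: ERROR: netlink response for Add SA esp.8b6ef1d5 at x.x.x.x included errno 38: Function not implemented
Dec 10 07:04:21 [pluto] "Richmond_Home" #4: ERROR: netlink response for Del SA esp.8b6ef1d5 at x.x.x.x included errno 3: No such process
"""

# "proposal N:ESP:SPI=<hex>;<alg=val;...> chosen from remote proposals ..."
CHOSEN_RE = re.compile(
    r'"(?P<conn>[^"]+)" #(?P<state>\d+): proposal '
    r'\d+:ESP:SPI=(?P<spi>[0-9a-f]+);(?P<algs>[^ ]+) chosen')
# "ERROR: netlink response for Add SA esp.<hex> at <ip> included errno N: <msg>"
NETLINK_RE = re.compile(
    r'ERROR: netlink response for (?P<op>Add|Del) SA esp\.(?P<spi>[0-9a-f]+) '
    r'at \S+ included errno (?P<errno>\d+): (?P<msg>.+)$')

def parse_algs(algs):
    """Turn 'ENCR=AES_GCM_C_256;ESN=DISABLED' into a dict of algorithm fields."""
    return dict(item.split("=", 1) for item in algs.split(";"))

def correlate_sa_failures(log_text):
    """Pair each failed 'Add SA' netlink call with the ESP proposal pluto
    chose for the same SPI; returns one dict per failure."""
    chosen, failures = {}, []
    for line in log_text.splitlines():
        m = CHOSEN_RE.search(line)
        if m:
            chosen[m.group("spi")] = parse_algs(m.group("algs"))
            continue
        m = NETLINK_RE.search(line)
        if m and m.group("op") == "Add":
            algs = chosen.get(m.group("spi"), {})
            failures.append({
                "spi": m.group("spi"),
                "errno": int(m.group("errno")),
                "message": m.group("msg"),
                "encr": algs.get("ENCR", "unknown"),
                "integ": algs.get("INTEG", "NONE"),  # AEAD proposals carry no INTEG
            })
    return failures

if __name__ == "__main__":
    for f in correlate_sa_failures(SAMPLE_LOG):
        print(f"Add SA esp.{f['spi']} failed (errno {f['errno']}: {f['message']}): "
              f"kernel rejected ENCR={f['encr']} INTEG={f['integ']}")
```

Run it against the full pluto log from both the IKEv1 and IKEv2 runs; a failure whose ENCR differs from the xfrm= algorithm of the run that worked is the first thing to compare against the kernel's crypto configuration.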