[Swan] Setting up ike/ipsec tunnel over TCP

Andrew Cagney andrew.cagney at gmail.com
Tue Oct 6 01:55:13 UTC 2020


On Mon, 5 Oct 2020 at 21:26, M Thotager <mallesh.thotager at gmail.com> wrote:

>> > Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
>> > Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
>> > Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 using old-style req
>> > Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
>> > Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
>> > Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA esp.654c8f7b at 10.30.65.7 included errno 22: Invalid argument
>> > Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
>> > Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL

Looking at https://testing.libreswan.org/v3.30-1888-g407c55e1e6-main/ikev2-tcp-00-yes/OUTPUT/west.pluto.log.gz

| netlink: enabling tunnel mode
| XFRM: adding IPsec SA with reqid 16389
| netlink: setting IPsec SA replay-window to 32 using old-style req
| adding xfrm-encap-tmpl when adding sa encap_type=7(espintcp) sport=49484 dport=4500
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA esp.d3453b38 at 192.1.2.23 included non-error error
| setup_half_ipsec_sa() is installing inbound eroute? inbound=0 owner=#0 mode=1

the two logs disagree over sa_encap_type "espintcp" :-(  Here's the
relevant code in ip_encap.c:

/*
 * XXX: linux can't include both headers.
 */
#ifdef linux
#  include <linux/udp.h>        /* for TCP_ENCAP_ESPINTCP and UDP_ENCAP_ESPINUDP */
#else
#  include <netinet/udp.h>        /* for UDP_ENCAP_ESPINUDP aka NAT */
#endif

const struct ip_encap ip_encap_esp_in_tcp = {
    .name = "espintcp",
    .outer = &ip_protocol_tcp,
    .inner = &ip_protocol_esp,
#ifdef TCP_ENCAP_ESPINTCP
    .encap_type = TCP_ENCAP_ESPINTCP,
#endif
};

so presumably TCP_ENCAP_ESPINTCP isn't defined (I'll see if there's an
easy way of making this barf).
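An added illustration of the failure mode discussed above; this is not code from the thread or from libreswan. It mirrors the shape of the ip_encap table entry with hypothetical stand-in types (struct ip_protocol, ip_encap_check, built_with_espintcp, check_espintcp_with and the REQUIRE_ESPINTCP macro are all assumptions made for the example) and shows both ways to "make this barf": a compile-time #error when the headers lack TCP_ENCAP_ESPINTCP, and a run-time check that refuses an espintcp entry whose encap_type silently stayed 0, which is the value the kernel then rejects with errno 22 (EINVAL).

```c
/* Added example (not libreswan code): catch an "espintcp" encapsulation entry
 * whose encap_type was never set, before it is handed to the xfrm Add SA call. */
#include <stdio.h>
#include <errno.h>
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_ESP */

/* Kernel >= 5.6 UAPI headers define TCP_ENCAP_ESPINTCP here (value 7). */
#if defined(__linux__) && defined(__has_include)
#  if __has_include(<linux/udp.h>)
#    include <linux/udp.h>
#  endif
#endif

/* Build with -DREQUIRE_ESPINTCP to fail loudly when the macro is missing,
 * instead of silently producing a table entry with encap_type=0. */
#if defined(REQUIRE_ESPINTCP) && !defined(TCP_ENCAP_ESPINTCP)
#  error "TCP_ENCAP_ESPINTCP missing from <linux/udp.h>; ESP-in-TCP SAs would be installed with encap_type=0"
#endif

#ifdef TCP_ENCAP_ESPINTCP
/* The working log in the thread shows encap_type=7(espintcp); pin that. */
_Static_assert(TCP_ENCAP_ESPINTCP == 7, "unexpected TCP_ENCAP_ESPINTCP value");
#endif

/* Hypothetical minimal stand-ins for the ip_protocol / ip_encap types. */
struct ip_protocol { const char *name; int ipproto; };
static const struct ip_protocol ip_protocol_tcp = { "tcp", IPPROTO_TCP };
static const struct ip_protocol ip_protocol_esp = { "esp", IPPROTO_ESP };

struct ip_encap {
	const char *name;
	const struct ip_protocol *outer;
	const struct ip_protocol *inner;
	int encap_type;   /* value placed in the xfrm encap template */
};

/* Same shape as the table entry quoted above: when the macro is absent from
 * the headers the build used, encap_type is left at 0 by the designated
 * initializer rules and nothing complains. */
const struct ip_encap ip_encap_esp_in_tcp = {
	.name = "espintcp",
	.outer = &ip_protocol_tcp,
	.inner = &ip_protocol_esp,
#ifdef TCP_ENCAP_ESPINTCP
	.encap_type = TCP_ENCAP_ESPINTCP,
#endif
};

/* 1 if this binary was compiled against headers that know ESP-in-TCP. */
int built_with_espintcp(void)
{
#ifdef TCP_ENCAP_ESPINTCP
	return 1;
#else
	return 0;
#endif
}

/* Validate an encap entry before building an xfrm encap template.
 * Returns 0 when usable, -EINVAL when the kernel would reject it anyway
 * (the "netlink response ... included errno 22" seen in the thread). */
int ip_encap_check(const struct ip_encap *e)
{
	if (e == NULL || e->outer == NULL || e->inner == NULL)
		return -EINVAL;
	/* encap_type 0 means "no encapsulation" to the kernel, which is not a
	 * valid combination with a TCP outer transport. */
	if (e->outer->ipproto == IPPROTO_TCP && e->encap_type == 0) {
		fprintf(stderr, "%s: encap_type is 0; build headers lacked TCP_ENCAP_ESPINTCP\n",
			e->name);
		return -EINVAL;
	}
	return 0;
}

/* Helper for callers/tests: check a constructed espintcp entry carrying the
 * given encap_type value. */
int check_espintcp_with(int encap_type)
{
	struct ip_encap e = { "espintcp", &ip_protocol_tcp, &ip_protocol_esp, encap_type };
	return ip_encap_check(&e);
}

int main(void)
{
	int rc = ip_encap_check(&ip_encap_esp_in_tcp);
	printf("built_with_espintcp=%d encap_type=%d check=%d\n",
	       built_with_espintcp(), ip_encap_esp_in_tcp.encap_type, rc);
	return rc == 0 ? 0 : 1;
}
```

Running the program on a host whose headers predate the macro prints encap_type=0 and exits non-zero, which is the condition behind the EINVAL in the failing log; the same check placed before the netlink request turns a confusing kernel error into a clear message about the build environment.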

