Issue #183

Strongswan + IPComp -> received netlink error: Protocol not supported (93)

Added by Ronald Uit over 13 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal
Category: charon
Affected version: 4.6.2
Resolution: No feedback

Description

Hello strongswan developers and users,

I'm having a problem getting IPComp to work. Below are only the relevant parts of the files that are involved in this. However, I also attached them as complete files to this issue. This setup works without any flaws when I disable IPComp compression (compress=no).

This is a direct LAN connection setup using netkey, ikev2, tunnel mode and no NAT.

Relevant part of server ipsec.conf:

conn %default
    left=%any
    leftcert=/home/secure/ronald/.vpn/certs/alphaCert.der
    leftupdown="sudo /etc/updown.sh &" 
    #
    right=%any
    rightid="C=NL, O=Chimera, CN=*" 
    leftsendcert=never
    #
    dpdaction=clear
    dpddelay=5
    keyingtries=%forever
    compress=yes
    inactivity=300
    #
    auto=add
conn remote
    leftsubnet=10.1.9.248/29
    rightsubnet=10.1.9.248/29

Relevant part of client ipsec.conf

conn %default
    left=%any
    leftcert=/home/secure/ronald/.vpn/certs/charlieCert.der
    leftupdown="/bin/sh /etc/updown.sh &" 
    #
    rightid="C=NL, O=Chimera, CN=Alpha" 
    rightcert=/home/secure/ronald/.vpn/certs/alphaCert.der
    #
    dpdaction=restart
    dpddelay=5
    keyingtries=%forever
    #
    auto=add
conn home
    compress=yes
    right=10.1.9.253
    rightsubnet=10.1.9.253/32
    leftsubnet=10.1.9.252/32

Turned on knl debugging in strongswan.conf, and this seems the relevant output:

Mar 11 13:35:13 [charon] 15[KNL] got SPI cbdd2ae4 for reqid {1}
Mar 11 13:35:13 [charon] 15[KNL] adding SAD entry with SPI 000086d8 and reqid {1}
Mar 11 13:35:13 [charon] 15[KNL] using compression algorithm IPCOMP_DEFLATE
Mar 11 13:35:13 [charon] 15[KNL] sending XFRM_MSG_UPDSA: => 312 bytes @ 0x7f2b3b30af10
Mar 11 13:35:13 [charon] 15[KNL] adding SAD entry with SPI cbdd2ae4 and reqid {1}
Mar 11 13:35:13 [charon] 15[KNL] using encryption algorithm AES_CBC with key size 128
Mar 11 13:35:13 [charon] 15[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 11 13:35:13 [charon] 15[KNL] sending XFRM_MSG_UPDSA: => 420 bytes @ 0x7f2b3b30b4f0

All good here, but further down below is where things go wrong:

Mar 11 13:35:13 [charon] 15[KNL] received netlink error: Protocol not supported (93)
Mar 11 13:35:13 [charon] 15[KNL] unable to add SAD entry with SPI cbdd2ae4

Mar 11 13:35:13 [charon] 15[KNL] adding SAD entry with SPI 00005713 and reqid {1}
Mar 11 13:35:13 [charon] 15[KNL] using compression algorithm IPCOMP_DEFLATE
Mar 11 13:35:13 [charon] 15[KNL] sending XFRM_MSG_NEWSA: => 312 bytes @ 0x7f2b3b30af10

Seeing this, I thought it was a kernel (3.2.5 vanilla + ck-patches) configuration issue. However:

cat kernelconfig-server | grep -e XFRM -e IPCOMP -e DEFLATE

CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_XFRM_IPCOMP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_TUNNEL=y
# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
CONFIG_INET_XFRM_MODE_TUNNEL=y
# CONFIG_INET_XFRM_MODE_BEET is not set
CONFIG_PPP_DEFLATE=y
CONFIG_CRYPTO_DEFLATE=y
CONFIG_ZLIB_DEFLATE=y

I'm kind of in the dark here. I also tried enabling CONFIG_XFRM_SUB_POLICY as it seems that multiple SADs are added for one connection when strongswan uses IPSec. However, this does not change the situation. And using a vanilla kernel without any patches doesn't change the situation either.

ipsec.conf-client (647 Bytes): Client ipsec.conf, Ronald Uit, 12.03.2012 07:41
ipsec.conf-server (519 Bytes): Server ipsec.conf, Ronald Uit, 12.03.2012 07:41
ipsec.log-server (18.3 KB): Server log (knl = 3 default = -1), Ronald Uit, 12.03.2012 07:41
kernelconfig-server (61.9 KB): Server kernel configuration, Ronald Uit, 12.03.2012 07:41
ipsec.conf-client.txt (647 Bytes): Ronald Uit, 12.03.2012 07:44
ipsec.conf-server.txt (519 Bytes): Ronald Uit, 12.03.2012 07:44
ipsec.log-server.txt (18.3 KB): Ronald Uit, 12.03.2012 07:44
kernelconfig-server.txt (61.9 KB): Ronald Uit, 12.03.2012 07:44

History

#1 Updated by Ronald Uit over 13 years ago

Here is the same configuration again, suffixed with .txt so they (hopefully) won't be downloaded as BIN-files :/

#2 Updated by Tobias Brunner over 13 years ago

  • Status changed from New to Feedback
  • Assignee changed from Martin Willi to Tobias Brunner

Hi Ronald,

# CONFIG_INET_XFRM_MODE_TRANSPORT is not set

Please make sure you enable transport mode in the kernel. The reason this is required is how SAs are installed with IPComp enabled. Since the IP tunneling is done by the IPComp SA, the actual IPsec SA is installed in transport mode (otherwise packets would be encapsulated twice).

Regards,
Tobias
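
Added example (not part of the original thread and not strongSwan code): a pre-flight check that turns the advice above into a script, listing the kernel options missing for compress=yes on a kernel that, like the 3.2.5 in this report, exposes the XFRM modes as separate options. The function names are hypothetical, and the option list is an assumption taken from the symbols in the reporter's grep output plus the transport-mode option named in the reply.

```shell
#!/bin/sh
# Added example: list kernel options missing for strongSwan with compress=yes.
# Assumption: the required set is the symbols quoted in this issue.
# Both =y (built in) and =m (module) count as enabled.

IPCOMP_REQUIRED="CONFIG_XFRM_USER CONFIG_XFRM_IPCOMP CONFIG_INET_IPCOMP \
CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_CRYPTO_DEFLATE"

# missing_ipcomp_opts FILE
# Prints one missing symbol per line.
# Returns 0 if nothing is missing, 1 if something is, 2 if FILE is unreadable.
missing_ipcomp_opts() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for opt in $IPCOMP_REQUIRED; do
        # Anchored match: "# CONFIG_X is not set" and CONFIG_X_FOO=y do not count.
        if ! grep -Eq "^${opt}=(y|m)\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the option lines from the reporter's grep output.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
CONFIG_XFRM_IPCOMP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_TUNNEL=y
# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_CRYPTO_DEFLATE=y
EOF
}

# Demo: run the check against the sample; it reports the transport-mode option.
sample=$(mktemp)
write_sample_config "$sample"
missing_ipcomp_opts "$sample" || echo "enable the options above before using compress=yes"
rm -f "$sample"
```

Pointed at a real kernel config file, the function explains the "Protocol not supported (93)" failure before charon ever tries to install the transport-mode SA.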

#3 Updated by Ronald Uit over 13 years ago

Thank you for your time and effort. I'll try again when I get home, thanks a lot!

#4 Updated by Tobias Brunner over 13 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No feedback

#5 Updated by Andreas Steffen over 12 years ago

  • Tracker changed from Bug to Issue