Issue #1189
Installing route failed on Linux kernel 4.3
Description
strongswan works well on kernel 4.2.5, but after I upgraded to 4.3, a netlink error occurs at the end of installing the route.
08[KNL] 10.1.51.82 is on interface eth0
08[KNL] installing route: 0.0.0.0/0 via 10.1.50.1 src 10.8.0.8 dev eth0
08[KNL] getting iface index for eth0
08[KNL] sending RTM_NEWROUTE 208: => 60 bytes @ 0xb3c254d0
08[KNL]    0: 3C 00 00 00 18 00 05 06 D0 00 00 00 75 1B 00 00  <...........u...
08[KNL]   16: 02 00 00 00 DC 04 00 01 00 00 00 00 08 00 01 00  ................
08[KNL]   32: 00 00 00 00 08 00 07 00 0A 08 00 08 08 00 05 00  ................
08[KNL]   48: 0A 01 32 01 08 00 04 00 02 00 00 00              ..2.........
08[KNL] received (2) 208: => 80 bytes @ 0x8e97910
08[KNL]    0: 50 00 00 00 02 00 00 00 D0 00 00 00 75 1B 00 00  P...........u...
08[KNL]   16: EA FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00  ....<...........
08[KNL]   32: 75 1B 00 00 02 00 00 00 DC 04 00 01 00 00 00 00  u...............
08[KNL]   48: 08 00 01 00 00 00 00 00 08 00 07 00 0A 08 00 08  ................
08[KNL]   64: 08 00 05 00 0A 01 32 01 08 00 04 00 02 00 00 00  ......2.........
08[KNL] received netlink error: Invalid argument (22)
Related issues
History
#1 Updated by wu ruxu almost 7 years ago
my ipsec.conf
conn svpn
    right=x.x.x.x
    rightsubnet=0.0.0.0/0
    rightid="C=CN, O=strongxyz, CN=x.x.x.x"
    #rightid=%x.x.x.x
    rightauth=pubkey
    #ike=aes256gcm128-sha512-modp6144,
    ike=aes256-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
    esp=aes256ccm128-sha256-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
    compress=no
    left=%any
    leftsourceip=%config4
    leftid="C=CN, O=strongxyz, CN=client"
    leftauth=pubkey
    leftca=%same
    leftcert=client.cert.pem
    leftfirewall=yes
    dpdaction=restart
    auto=add
#2 Updated by Tobias Brunner almost 7 years ago
- Subject changed from installing route failed on kernel 4.3 to Installing route failed on Linux kernel 4.3
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from High to Normal
I was able to reproduce this with the 4.3 kernel. It can also happen if you try to install a route with ip route and specify a source address as well as a routing table with src <ip> and table <table id>, respectively (omitting either of these works).
It is apparently caused by commit 021dd3b8a142 ("net: Add routes to the table associated with the device"), which added an extended check that's applied to the source address (in combination with the routing table). This check is not passing with the route we are trying to install.
The experimental patch in the 1189-kernel-netlink-srcroute branch tries to address this by installing an additional route for the virtual IP in routing table 220. I've currently no idea if that's how it's supposed to be done or if there is a way to avoid this, but at least it seems to work on clients requesting a virtual IP. But on gateways there still won't be a route installed that forces the internal IP as source address for packets sent to virtual IPs of clients.
A possible workaround is to set charon.routing_table=0 so the routes are installed in the main routing table.
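Added example, not part of the original thread or of strongSwan's code: a small decoder for the two netlink messages in the log from the issue description. It shows that the rejected RTM_NEWROUTE request carries both a preferred source address (RTA_PREFSRC) and routing table 220, the combination described in comment #2, and that the kernel's reply is an NLMSG_ERROR with EINVAL. The function names are hypothetical and a little-endian host is assumed.

```python
import errno
import socket
import struct

# Bytes copied from the charon log in the issue description (little-endian host assumed).
REQUEST = bytes.fromhex("""
    3C 00 00 00 18 00 05 06 D0 00 00 00 75 1B 00 00
    02 00 00 00 DC 04 00 01 00 00 00 00 08 00 01 00
    00 00 00 00 08 00 07 00 0A 08 00 08 08 00 05 00
    0A 01 32 01 08 00 04 00 02 00 00 00""")
# The kernel's reply: nlmsghdr, negative errno, then an echo of the request.
REPLY = bytes.fromhex("50 00 00 00 02 00 00 00 D0 00 00 00 75 1B 00 00 "
                      "EA FF FF FF") + REQUEST

NLMSG_ERROR, RTM_NEWROUTE = 2, 24       # from linux/netlink.h and linux/rtnetlink.h
RTA = {1: "RTA_DST", 4: "RTA_OIF", 5: "RTA_GATEWAY", 7: "RTA_PREFSRC"}

def parse_route(msg):
    """Decode an IPv4 RTM_NEWROUTE message: nlmsghdr, rtmsg, then rtattr TLVs."""
    length, mtype, _flags, seq, _pid = struct.unpack_from("<IHHII", msg, 0)
    if mtype != RTM_NEWROUTE or not 28 <= length <= len(msg):
        raise ValueError("not a complete RTM_NEWROUTE message")
    family, dst_len, _, _, table, _, _, _, _ = struct.unpack_from("<8BI", msg, 16)
    route = {"seq": seq, "table": table, "dst_len": dst_len}
    off = 28                            # 16-byte nlmsghdr + 12-byte rtmsg
    while off + 4 <= length:
        alen, atype = struct.unpack_from("<HH", msg, off)
        if alen < 4 or off + alen > length:
            raise ValueError("malformed attribute")
        data, name = msg[off + 4:off + alen], RTA.get(atype, f"RTA_{atype}")
        if atype == 4 and len(data) == 4:       # RTA_OIF: interface index
            route[name] = struct.unpack("<I", data)[0]
        elif atype in (1, 5, 7) and family == 2 and len(data) == 4:
            route[name] = socket.inet_ntoa(data)  # AF_INET address
        else:
            route[name] = data.hex()
        off += (alen + 3) & ~3          # attributes are 4-byte aligned
    return route

def parse_error(msg):
    """Decode an NLMSG_ERROR reply and the request embedded in it."""
    length, mtype, _flags, seq, _pid = struct.unpack_from("<IHHII", msg, 0)
    if mtype != NLMSG_ERROR or not 36 <= length <= len(msg):
        raise ValueError("not a complete NLMSG_ERROR message")
    (code,) = struct.unpack_from("<i", msg, 16)
    return {"seq": seq, "errno": errno.errorcode.get(-code, str(-code)),
            "request": parse_route(msg[20:length])}

if __name__ == "__main__":
    print(parse_route(REQUEST))
    print(parse_error(REPLY))
```

The decoded request matches the log line "installing route: 0.0.0.0/0 via 10.1.50.1 src 10.8.0.8 dev eth0", with interface index 2 standing for eth0.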
#3 Updated by Tobias Brunner almost 7 years ago
Here is a kernel patch by the author of the commit mentioned above that fixes the issue: [PATCH] net: Fix prefsrc lookups
#4 Updated by volker kempter over 6 years ago
#1189:
I'm using strongswan 5.1.2-0ubuntu7 in lubuntu-16.04 (development) with kernel 4.3.
Setting up VPN with the NetworkManager, I get no error, BUT VPN does not work; establishing VPN manually with: sudo ipsec restart, sudo ipsec up ..., I get the following in the console:
received netlink error: invalid argument (22).
Unable to install source route for 139.174.7......
But finally it says: "connection "...." established correctly" (as when using the NetworkManager VPN connection does not work however!!).
No such problem occurs when using the kernel 4.2.0.19 instead: VPN works okay.
#5 Updated by Tobias Brunner over 6 years ago
- Has duplicate Issue #1225: vpn with lubuntu 15.10 under kernel 4.3 added
#6 Updated by volker kempter over 6 years ago
at #4 and 5:
please comment whether, at present, there is a workaround or whatever to use strongswan, version 5.1.2, with kernel 4.3!
Any help would be appreciated!
#7 Updated by Tobias Brunner over 6 years ago
- Tracker changed from Bug to Issue
- Category set to kernel
> please comment whether, at present, there is a workaround or whatever to use strongswan, version 5.1.2, with kernel 4.3!
There is not. You need the kernel patch I referenced in #1189#note-3.
#8 Updated by volker kempter over 6 years ago
at #7:
thanks for the reply!
I am probably not too bad in using linux, also from the command line, but not in patching the kernel.
Thus, I decided to stick with kernel 4.2.0-21 under which strongswan works well.
As soon as the kernel 4.3 appears in synaptic, i.e. is recommended officially, I will report the problem to launchpad.
#9 Updated by volker kempter over 6 years ago
ad #7,8:
the problem is fixed with kernel 4.3.0-4: strongswan vpn works again!
#10 Updated by Tobias Brunner over 6 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
> the problem is fixed with kernel 4.3.0-4: strongswan vpn works again!
I guess that's the Ubuntu kernel version. Upstream the 4.3.1 kernel, released on 2015-12-09, included the fix (Changelog). Closing the issue.