Issue #1189

Installing route failed on Linux kernel 4.3

Added by wu ruxu almost 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Category: kernel
Affected version: 5.3.3
Resolution: No change required

Description

strongswan works well on kernel 4.2.5, but after I upgraded to 4.3, a netlink error occurs at the end of installing the route.

08[KNL] 10.1.51.82 is on interface eth0
08[KNL] installing route: 0.0.0.0/0 via 10.1.50.1 src 10.8.0.8 dev eth0
08[KNL] getting iface index for eth0
08[KNL] sending RTM_NEWROUTE 208: => 60 bytes @ 0xb3c254d0
08[KNL]    0: 3C 00 00 00 18 00 05 06 D0 00 00 00 75 1B 00 00  <...........u...
08[KNL]   16: 02 00 00 00 DC 04 00 01 00 00 00 00 08 00 01 00  ................
08[KNL]   32: 00 00 00 00 08 00 07 00 0A 08 00 08 08 00 05 00  ................
08[KNL]   48: 0A 01 32 01 08 00 04 00 02 00 00 00              ..2.........
08[KNL] received (2) 208: => 80 bytes @ 0x8e97910
08[KNL]    0: 50 00 00 00 02 00 00 00 D0 00 00 00 75 1B 00 00  P...........u...
08[KNL]   16: EA FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00  ....<...........
08[KNL]   32: 75 1B 00 00 02 00 00 00 DC 04 00 01 00 00 00 00  u...............
08[KNL]   48: 08 00 01 00 00 00 00 00 08 00 07 00 0A 08 00 08  ................
08[KNL]   64: 08 00 05 00 0A 01 32 01 08 00 04 00 02 00 00 00  ......2.........
08[KNL] received netlink error: Invalid argument (22)


Related issues

Has duplicate Issue #1225: vpn with lubuntu 15.10 under kernel 4.3 (Closed, 01.12.2015)

History

#1 Updated by wu ruxu almost 5 years ago

My ipsec.conf:

conn svpn
  right=x.x.x.x
  rightsubnet=0.0.0.0/0
  rightid="C=CN, O=strongxyz, CN=x.x.x.x"
  #rightid=%x.x.x.x
  rightauth=pubkey
  #ike=aes256gcm128-sha512-modp6144,
  ike=aes256-sha256-modp2048,aes256gcm128-sha256-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
  esp=aes256ccm128-sha256-modp2048,aes256-sha256-modp2048,aes256-sha384-modp2048,aes256-sha512-modp2048!
  compress=no
  left=%any
  leftsourceip=%config4
  leftid="C=CN, O=strongxyz, CN=client"
  leftauth=pubkey
  leftca=%same
  leftcert=client.cert.pem
  leftfirewall=yes
  dpdaction=restart
  auto=add

#2 Updated by Tobias Brunner almost 5 years ago

  • Subject changed from installing route failed on kernel 4.3 to Installing route failed on Linux kernel 4.3
  • Description updated (diff)
  • Status changed from New to Feedback
  • Priority changed from High to Normal

I was able to reproduce this with the 4.3 kernel. It can also happen if you try to install a route with ip route and specify a source address as well as a routing table with src <ip> and table <table id>, respectively (omitting either of these works).

It is apparently caused by commit 021dd3b8a142 ("net: Add routes to the table associated with the device"), which added an extended check that's applied to the source address (in combination with the routing table). This check is not passing with the route we are trying to install.

The experimental patch in the 1189-kernel-netlink-srcroute branch tries to address this by installing an additional route for the virtual IP in routing table 220. I've currently no idea if that's how it's supposed to be done or if there is a way to avoid this, but at least it seems to work on clients requesting a virtual IP. But on gateways there still won't be a route installed that forces the internal IP as source address for packets sent to virtual IPs of clients.

A possible workaround is to set charon.routing_table=0 so the routes are installed in the main routing table.
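
The hex dumps in the description can be decoded to confirm that the rejected request combines a preferred source address with routing table 220, the combination comment #2 identifies. This is an added example, not code from the issue or from strongSwan; the function names are hypothetical, the numeric constants are taken from the Linux UAPI headers, and a little-endian host and IPv4 are assumed.

```python
import socket
import struct

# Bytes copied from the charon [KNL] hex dumps in the issue description.
REQUEST = bytes.fromhex("""
3C 00 00 00 18 00 05 06 D0 00 00 00 75 1B 00 00
02 00 00 00 DC 04 00 01 00 00 00 00 08 00 01 00
00 00 00 00 08 00 07 00 0A 08 00 08 08 00 05 00
0A 01 32 01 08 00 04 00 02 00 00 00""")
REPLY = bytes.fromhex("""
50 00 00 00 02 00 00 00 D0 00 00 00 75 1B 00 00
EA FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00
75 1B 00 00 02 00 00 00 DC 04 00 01 00 00 00 00
08 00 01 00 00 00 00 00 08 00 07 00 0A 08 00 08
08 00 05 00 0A 01 32 01 08 00 04 00 02 00 00 00""")

NLMSG_ERROR, RTM_NEWROUTE, RT_TABLE_MAIN = 2, 24, 254   # Linux UAPI constants
RTA = {1: "dst", 4: "oif", 5: "gateway", 7: "prefsrc", 15: "table"}

def parse_route(msg):
    # Layout: 16-byte nlmsghdr, 12-byte rtmsg, 4-byte-aligned rtattr TLVs (host byte order).
    length, mtype, _flags, seq, _pid = struct.unpack_from("<IHHII", msg, 0)
    if mtype != RTM_NEWROUTE or not 28 <= length <= len(msg) or msg[16] != socket.AF_INET:
        raise ValueError("not a complete IPv4 RTM_NEWROUTE message")
    _, dst_len, _, _, table, _, _, _, _ = struct.unpack_from("<8BI", msg, 16)
    route = {"seq": seq, "dst_len": dst_len, "table": table}
    off = 28
    while off + 4 <= length:
        alen, atype = struct.unpack_from("<HH", msg, off)
        if alen < 4 or off + alen > length:
            raise ValueError("truncated attribute")
        if atype in RTA and alen == 8:          # the attributes decoded here carry 4 bytes
            data = msg[off + 4:off + 8]
            route[RTA[atype]] = (struct.unpack("<I", data)[0] if atype in (4, 15)
                                 else socket.inet_ntoa(data))
        off += (alen + 3) & ~3
    return route

def parse_error(msg):
    # NLMSG_ERROR payload: negative errno (int32), then the request that failed.
    length, mtype, _flags, _seq, _pid = struct.unpack_from("<IHHII", msg, 0)
    if mtype != NLMSG_ERROR or not 20 <= length <= len(msg):
        raise ValueError("not a complete NLMSG_ERROR message")
    (err,) = struct.unpack_from("<i", msg, 16)
    return -err, msg[20:length]

def prefsrc_in_custom_table(route):
    # The combination comment #2 identifies as rejected by kernel 4.3.
    return "prefsrc" in route and route["table"] not in (0, RT_TABLE_MAIN)
```

Decoding `REQUEST` gives table 220 with prefsrc 10.8.0.8, gateway 10.1.50.1 and output interface index 2, matching the "installing route" log line; `REPLY` carries errno 22 and echoes the request unchanged.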

#3 Updated by Tobias Brunner almost 5 years ago

Here is a kernel patch by the author of the commit mentioned above that fixes the issue: [PATCH] net: Fix prefsrc lookups

#4 Updated by volker kempter almost 5 years ago

#1189:
I'm using strongswan 5.1.2-0ubuntu7 in lubuntu-16.04 (development) with kernel 4.3.

Setting up VPN with the NetworkManager, I get no error, BUT VPN does not work; establishing VPN manually with: sudo ipsec restart, sudo ipsec up ..., I get the following in the console:

received netlink error: invalid argument (22).
Unable to install source route for 139.174.7......

But finally it says: "connection "...." established correctly" (as when using the NetworkManager, the VPN connection does not work, however!!).

No such problem occurs when using the kernel 4.2.0.19 instead: VPN works okay.

#5 Updated by Tobias Brunner almost 5 years ago

  • Has duplicate Issue #1225: vpn with lubuntu 15.10 under kernel 4.3 added

#6 Updated by volker kempter almost 5 years ago

at #4 and 5:
please comment whether, at present, there is a workaround or whatever to use strongswan, version 5.1.2, with kernel 4.3!
Any help would be appreciated!

#7 Updated by Tobias Brunner almost 5 years ago

  • Tracker changed from Bug to Issue
  • Category set to kernel

> please comment whether, at present, there is a workaround or whatever to use strongswan, version 5.1.2, with kernel 4.3!

There is not. You need the kernel patch I referenced in #1189#note-3.

#8 Updated by volker kempter almost 5 years ago

at #7:
thanks for the reply!

I am probably not too bad in using linux, also from the command line, but not in patching the kernel.
Thus, I decided to stick with kernel 4.2.0-21 under which strongswan works well.

As soon as the kernel 4.3 appears in synaptic, i.e. is recommended officially, I will report the problem to launchpad.

#9 Updated by volker kempter almost 5 years ago

ad #7,8:
the problem is fixed with kernel 4.3.0-4: strongswan vpn works again!

#10 Updated by Tobias Brunner almost 5 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required

> the problem is fixed with kernel 4.3.0-4: strongswan vpn works again!

I guess that's the Ubuntu kernel version. Upstream, the 4.3.1 kernel, released on 2015-12-09, included the fix (Changelog). Closing the issue.
