Issue #2121

received netlink error: Function not implemented (38)

Added by guo guo about 5 years ago. Updated about 5 years ago.

Status:
Closed
Priority:
Normal
Category:
kernel
Affected version:
5.4.0
Resolution:
No change required

Description

Hi,
I'm trying to create a tunnel between two CentOS systems, but it failed.
The strongswan log is:

Sep 26 23:10:45  daemon.info charon: 14[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (192 bytes)
Sep 26 23:10:45  daemon.info charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Sep 26 23:10:45  daemon.info charon: 14[IKE] received XAuth vendor ID
Sep 26 23:10:45  daemon.info charon: 14[IKE] received DPD vendor ID
Sep 26 23:10:45  daemon.info charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Sep 26 23:10:45  daemon.info charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 26 23:10:45  daemon.info charon: 14[IKE] 10.1.3.115 is initiating a Main Mode IKE_SA
Sep 26 23:10:45  authpriv.info charon: 14[IKE] 10.1.3.115 is initiating a Main Mode IKE_SA
Sep 26 23:10:45  daemon.info charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 26 23:10:45  daemon.info charon: 14[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (136 bytes)
Sep 26 23:10:45  daemon.info charon: 07[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (524 bytes)
Sep 26 23:10:45  daemon.info charon: 07[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 26 23:10:45  daemon.info charon: 07[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 26 23:10:45  daemon.info charon: 07[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (524 bytes)
Sep 26 23:10:45  daemon.info charon: 06[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (108 bytes)
Sep 26 23:10:45  daemon.info charon: 06[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 26 23:10:45  daemon.info charon: 06[CFG] looking for pre-shared key peer configs matching 10.1.3.119...10.1.3.115[10.1.3.115]
Sep 26 23:10:45  daemon.info charon: 06[CFG] selected peer config "net-net3" 
Sep 26 23:10:45  daemon.info charon: 06[IKE] IKE_SA net-net3[6] established between 10.1.3.119[10.1.3.119]...10.1.3.115[10.1.3.115]
Sep 26 23:10:45  authpriv.info charon: 06[IKE] IKE_SA net-net3[6] established between 10.1.3.119[10.1.3.119]...10.1.3.115[10.1.3.115]
Sep 26 23:10:45  daemon.info charon: 06[IKE] scheduling reauthentication in 3349s
Sep 26 23:10:45  daemon.info charon: 06[IKE] maximum IKE_SA lifetime 3529s
Sep 26 23:10:45  daemon.info charon: 06[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 26 23:10:45  daemon.info charon: 06[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (92 bytes)
Sep 26 23:10:45  daemon.info charon: 07[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (220 bytes)
Sep 26 23:10:45  daemon.info charon: 07[ENC] parsed QUICK_MODE request 290444869 [ HASH SA No ID ID ]
Sep 26 23:10:45  daemon.info charon: 07[ENC] generating QUICK_MODE response 290444869 [ HASH SA No ID ID ]
Sep 26 23:10:45  daemon.info charon: 07[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (188 bytes)
Sep 26 23:10:45  daemon.info charon: 16[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (76 bytes)
Sep 26 23:10:45  daemon.info charon: 16[ENC] parsed QUICK_MODE request 290444869 [ HASH ]
Sep 26 23:10:45  daemon.info charon: 16[KNL] received netlink error: Function not implemented (38)
Sep 26 23:10:45  daemon.info charon: 16[KNL] unable to add SAD entry with SPI ccd0ef87
Sep 26 23:10:45  daemon.info charon: 16[KNL] received netlink error: Function not implemented (38)
Sep 26 23:10:45  daemon.info charon: 16[KNL] unable to add SAD entry with SPI c5e34a75
Sep 26 23:10:45  daemon.info charon: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 26 23:10:45  daemon.info charon: 16[IKE] sending DELETE for ESP CHILD_SA with SPI c5e34a75
Sep 26 23:10:45  daemon.info charon: 16[ENC] generating INFORMATIONAL_V1 request 3261844619 [ HASH D ]
Sep 26 23:10:45  daemon.info charon: 16[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (92 bytes)
My configuration is:
conn net-net3
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret
        left=10.1.3.119
        leftsubnet=
        leftfirewall=yes
        right=10.1.3.115
        rightsubnet=
        auto=start

One of the kernels was cut off, but the related modules have been loaded, as follows:

Module                  Size  Used by    Not tainted
gcm                    12784  0 
xfrm_user              22010  2 
xfrm4_tunnel            1901  0 
xfrm4_mode_tunnel       1861  0 
ipcomp                  2057  0 
xfrm_ipcomp             4276  1 ipcomp
esp4                    5092  0 
ah4                     4054  0 
ixgbe                 211467  0 
igb                   169652  0 
e1000e                269462  0 
e1000                 167131  0 
smsc7500               65191  0 
8139too                29998  0 

af_key.ko  //Symbol: NET_KEY [=y] 

I have referred to project #1509 and set esp=aes128gcm8-sha2_384-modp1024! or esp=aes128gcm16-sha2_384-modp1024; both give an error.
The log is (the system's kernel was cut off):

Sep 26 23:23:10  daemon.info charon: 15[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (108 bytes)
Sep 26 23:23:10  daemon.info charon: 15[ENC] parsed INFORMATIONAL_V1 request 2689827860 [ HASH D ]
Sep 26 23:23:10  daemon.info charon: 15[IKE] received DELETE for IKE_SA net-net3[6]
Sep 26 23:23:10  daemon.info charon: 15[IKE] deleting IKE_SA net-net3[6] between 10.1.3.119[10.1.3.119]...10.1.3.115[10.1.3.115]
Sep 26 23:23:10  authpriv.info charon: 15[IKE] deleting IKE_SA net-net3[6] between 10.1.3.119[10.1.3.119]...10.1.3.115[10.1.3.115]
Sep 26 23:23:12  daemon.info charon: 11[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (192 bytes)
Sep 26 23:23:12  daemon.info charon: 11[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Sep 26 23:23:12  daemon.info charon: 11[IKE] received XAuth vendor ID
Sep 26 23:23:12  daemon.info charon: 11[IKE] received DPD vendor ID
Sep 26 23:23:12  daemon.info charon: 11[IKE] received NAT-T (RFC 3947) vendor ID
Sep 26 23:23:12  daemon.info charon: 11[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Sep 26 23:23:12  daemon.info charon: 11[IKE] 10.1.3.115 is initiating a Main Mode IKE_SA
Sep 26 23:23:12  authpriv.info charon: 11[IKE] 10.1.3.115 is initiating a Main Mode IKE_SA
Sep 26 23:23:12  daemon.info charon: 11[ENC] generating ID_PROT response 0 [ SA V V V ]
Sep 26 23:23:12  daemon.info charon: 11[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (136 bytes)
Sep 26 23:23:12  daemon.info charon: 16[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (524 bytes)
Sep 26 23:23:12  daemon.info charon: 16[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Sep 26 23:23:12  daemon.info charon: 16[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Sep 26 23:23:12  daemon.info charon: 16[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (524 bytes)
Sep 26 23:23:12  daemon.info charon: 09[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (108 bytes)
Sep 26 23:23:12  daemon.info charon: 09[ENC] parsed ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Sep 26 23:23:12  daemon.info charon: 09[CFG] looking for pre-shared key peer configs matching 10.1.3.119...10.1.3.115[10.1.3.115]
Sep 26 23:23:12  daemon.info charon: 09[CFG] selected peer config "net-net3" 
Sep 26 23:23:12  daemon.info charon: 09[IKE] IKE_SA net-net3[7] established between 10.1.3.119[10.1.3.119]...10.1.3.115[10.1.3.115]
Sep 26 23:23:12  authpriv.info charon: 09[IKE] IKE_SA net-net3[7] established between 10.1.3.119[10.1.3.119]...10.1.3.115[10.1.3.115]
Sep 26 23:23:12  daemon.info charon: 09[IKE] scheduling reauthentication in 3323s
Sep 26 23:23:12  daemon.info charon: 09[IKE] maximum IKE_SA lifetime 3503s
Sep 26 23:23:12  daemon.info charon: 09[ENC] generating ID_PROT response 0 [ ID HASH ]
Sep 26 23:23:12  daemon.info charon: 09[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (92 bytes)
Sep 26 23:23:12  daemon.info charon: 16[NET] received packet: from 10.1.3.115[500] to 10.1.3.119[500] (316 bytes)
Sep 26 23:23:12  daemon.info charon: 16[ENC] parsed QUICK_MODE request 1473450355 [ HASH SA No KE ID ID ]
Sep 26 23:23:12  daemon.info charon: 16[CFG] received proposals: ESP:AES_GCM_16_128/MODP_1024/NO_EXT_SEQ
Sep 26 23:23:12  daemon.info charon: 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_M
Sep 26 23:23:12  daemon.info charon: 16[IKE] no matching proposal found, sending NO_PROPOSAL_CHOSEN
Sep 26 23:23:12  daemon.info charon: 16[ENC] generating INFORMATIONAL_V1 request 2222741211 [ HASH N(NO_PROP) ]
Sep 26 23:23:12  daemon.info charon: 16[NET] sending packet: from 10.1.3.119[500] to 10.1.3.115[500] (92 bytes)

Now I don't know how to configure the esp option. Please help me...
Thank you.

History

#1 Updated by Tobias Brunner about 5 years ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

One of the kernels was cut off.

What do you mean?

16[KNL] received netlink error: Function not implemented (38)

This usually means the kernel does not support at least one of the negotiated algorithms.

I have referred to project #1509 and set esp=aes128gcm8-sha2_384-modp1024! or esp=aes128gcm16-sha2_384-modp1024; both give an error.

Well, read the log. Apparently, the two peers don't agree on a common proposal (the client proposes AES-GCM but the responder does not have a proposal with that algorithm).

Now I don't know how to configure the esp option. Please help me...

Configure it so that both peers agree on a proposal and so that the selected algorithms are supported by your kernel, which originally does not seem to have been the case.

#2 Updated by guo guo about 5 years ago

I'm done.
The reason was the lack of some configuration (AES cipher algorithms (AES-NI), SHA224 and SHA256 digest algorithm) in the kernel.

Thank you for your help.
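
The two findings in this thread, the netlink ENOSYS in comment #1 (the kernel cannot provide an algorithm charon asked XFRM for) and the missing AES/SHA-256 kernel options in comment #2, can be checked before IKE is ever started. The script below is an added example written for this page; it is not code from the issue, from the reporter or from the strongSwan project. It expands a strongSwan esp= proposal into the kernel algorithm names the kernel-netlink plugin requests (the keyword-to-name mapping follows that plugin; only the common ciphers and integrity algorithms are covered), checks them against a /proc/crypto listing, and checks the Kconfig symbols that provide them. The /proc/crypto and .config excerpts are constructed to resemble the reporter's stripped-down kernel, with AES-CBC and HMAC-SHA1 present but no GCM and no SHA-256.

```shell
#!/bin/sh
# Added example for this issue, not strongSwan code: expand a strongSwan esp=
# proposal into the kernel crypto names charon's kernel-netlink plugin asks
# XFRM for, then check a /proc/crypto listing and the Kconfig symbols for them.

# strongSwan ESP keyword -> kernel algorithm name ("" for DH groups, ESN
# flags and other keywords that are negotiated by IKE, not by the kernel).
xfrm_algo_name() {
    case "$1" in
        aes128|aes192|aes256)             echo "cbc(aes)" ;;
        aes128gcm*|aes192gcm*|aes256gcm*) echo "rfc4106(gcm(aes))" ;;
        3des)                             echo "cbc(des3_ede)" ;;
        sha1)                             echo "hmac(sha1)" ;;
        sha256|sha2_256)                  echo "hmac(sha256)" ;;
        sha384|sha2_384)                  echo "hmac(sha384)" ;;
        sha512|sha2_512)                  echo "hmac(sha512)" ;;
        *)                                echo "" ;;
    esac
}

# kernel algorithm name -> Kconfig symbols that must be =y or =m for it.
kconfig_for() {
    case "$1" in
        "cbc(aes)")                    echo "CONFIG_CRYPTO_AES CONFIG_CRYPTO_CBC" ;;
        "rfc4106(gcm(aes))")           echo "CONFIG_CRYPTO_AES CONFIG_CRYPTO_GCM" ;;
        "cbc(des3_ede)")               echo "CONFIG_CRYPTO_DES CONFIG_CRYPTO_CBC" ;;
        "hmac(sha1)")                  echo "CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA1" ;;
        "hmac(sha256)")                echo "CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA256" ;;
        "hmac(sha384)"|"hmac(sha512)") echo "CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_SHA512" ;;
    esac
}

# "aes128gcm16-modp1024,aes128-sha256!" -> kernel names, one per line, no
# duplicates.  A GCM proposal is negotiated without a separate integrity
# algorithm (the issue's log shows ESP:AES_GCM_16_128/MODP_1024/NO_EXT_SEQ),
# so an integrity keyword written next to a GCM cipher is not required.
proposal_algos() {
    seen=" "
    for prop in $(printf '%s' "${1%!}" | tr ',' ' '); do
        case "$prop" in *gcm*) aead=1 ;; *) aead=0 ;; esac
        for kw in $(printf '%s' "$prop" | tr '-' ' '); do
            name=$(xfrm_algo_name "$kw")
            [ -n "$name" ] || continue
            case "$aead:$name" in 1:hmac*) continue ;; esac
            case "$seen" in *" $name "*) continue ;; esac
            seen="$seen$name "
            echo "$name"
        done
    done
}

# Names needed by proposal $2 that have no "name : ..." entry in the
# /proc/crypto text $1.  Prints them; returns 1 if anything is missing.
missing_algos() {
    have=$(printf '%s\n' "$1" | awk -F'[ \t]*:[ \t]*' '$1 == "name" { print $2 }')
    rc=0
    for name in $(proposal_algos "$2"); do
        printf '%s\n' "$have" | grep -qxF "$name" || { echo "$name"; rc=1; }
    done
    return $rc
}

# Kconfig symbols needed by proposal $2 that are neither =y nor =m in the
# .config text $1.  XFRM_USER (charon's netlink interface) and INET_ESP are
# always required.
missing_config() {
    syms="CONFIG_XFRM_USER CONFIG_INET_ESP"
    for name in $(proposal_algos "$2"); do syms="$syms $(kconfig_for "$name")"; done
    seen=" "; rc=0
    for sym in $syms; do
        case "$seen" in *" $sym "*) continue ;; esac
        seen="$seen$sym "
        printf '%s\n' "$1" | grep -qE "^$sym=[ym]$" || { echo "$sym"; rc=1; }
    done
    return $rc
}

# Constructed /proc/crypto and .config excerpts resembling the reporter's
# stripped-down kernel: AES-CBC and HMAC-SHA1 present, no GCM, no SHA-256.
SAMPLE_PROC_CRYPTO='name         : cbc(aes)
driver       : cbc(aes-generic)
type         : skcipher

name         : hmac(sha1)
driver       : hmac(sha1-generic)
type         : shash'
SAMPLE_CONFIG='CONFIG_XFRM_USER=m
CONFIG_INET_ESP=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA1=y
# CONFIG_CRYPTO_SHA256 is not set
# CONFIG_CRYPTO_GCM is not set'

PROPOSAL="${1:-aes128gcm16-modp1024}"   # the issue's second attempt by default
missing_algos "$SAMPLE_PROC_CRYPTO" "$PROPOSAL" || echo "^ absent from /proc/crypto: charon would log netlink error 38 (ENOSYS)"
missing_config "$SAMPLE_CONFIG" "$PROPOSAL" || echo "^ not enabled in .config"
```

On a live host, pass `"$(cat /proc/crypto)"` and `"$(zcat /proc/config.gz)"` (or `"$(cat /boot/config-$(uname -r))"`) in place of the samples. Two caveats: template instantiations such as cbc(aes) and hmac(sha256) appear in /proc/crypto only after something has first used them, so the .config check is the authoritative one when a name is absent; and a kernel that supports the proposal is only half of the fix, since the second log in the description ends in NO_PROPOSAL_CHOSEN, which means the esp= line must also be identical on both peers.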

#3 Updated by Tobias Brunner about 5 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required
