Issue #2231: Cannot create IPv4-via-IPv6 tunnel - strongSwan

Issue #2231

Cannot create IPv4-via-IPv6 tunnel

Added by Thomas S about 6 years ago. Updated almost 6 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Category:

kernel

Affected version:

5.2.1

Resolution:

No change required

Description

Hello!

Using the test scenario "net2net-ip4-in-ip6-ikev2" (https://www.strongswan.org/testresults.html) I configured two machines. One is configured as responder, the other as initiator (auto=add vs. auto=start). Other than that, the conf files are pretty much the same (left/right switched around, of course.

Upon starting strongSwan on the initiator it starts the connection fine and establishes phases 1 and 2, but when trying to add the route to the kernel I receive the following error:

Jan 24 17:37:29 initiator ipsec[18930]: 13[KNL] adding SAD entry with SPI 209f6d4c and reqid {1}  (mark 0/0x00000000)
Jan 24 17:37:29 initiator ipsec[18930]: 13[KNL]   using encryption algorithm AES_CBC with key size 256
Jan 24 17:37:29 initiator ipsec[18930]: 13[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Jan 24 17:37:29 initiator ipsec[18930]: 13[KNL]   using replay window of 32 packets
Jan 24 17:37:29 initiator ipsec[18930]: 13[KNL] *received netlink error: Invalid argument (22)*

These plugins have been loaded:

charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown

And this is the output of `lsmod`:

Module                  Size  Used by
sha1_generic            2337  0 
sha1_arm_neon           6403  0 
sha1_arm                3660  1 sha1_arm_neon
sha256_generic          9327  0 
hmac                    2959  0 
deflate                 1845  0 
zlib_deflate           20226  1 deflate
xfrm6_mode_tunnel       1697  0 
xfrm4_mode_tunnel       1825  0 
ip_tunnel              13258  0 
esp6                    6158  0 
ah6                     5700  0 
binfmt_misc             6388  1 
xfrm4_tunnel            1914  0 
tunnel4                 2310  1 xfrm4_tunnel
ipcomp                  2148  0 
xfrm_ipcomp             3942  1 ipcomp
esp4                    6682  0 
ah4                     5858  0 
af_key                 27668  0 
bnep                   10340  2 
hci_uart               17943  1 
btbcm                   5929  1 hci_uart
bluetooth             326105  22 bnep,btbcm,hci_uart
ftdi_sio               31321  1 
brcmfmac              186403  0 
brcmutil                5661  1 brcmfmac
cfg80211              428431  1 brcmfmac
rfkill                 16037  4 cfg80211,bluetooth
snd_bcm2835            20447  0 
snd_pcm                75762  1 snd_bcm2835
snd_timer              19288  1 snd_pcm
bcm2835_wdt             3225  0 
bcm2835_gpiomem         3040  0 
snd                    51908  3 snd_bcm2835,snd_timer,snd_pcm
ch341                   4932  2 
usbserial              22115  8 ch341,ftdi_sio
uio_pdrv_genirq         3164  0 
uio                     8000  1 uio_pdrv_genirq
ipv6                  347594  78 ah6,esp6,xfrm6_mode_tunnel

The used configuration is based on this (auto=start/add and left/right depending on responder/initiator):

conn net-net
    also=host-host
    leftsubnet=10.0.1.0/24
    rightsubnet=192.168.1.0/24

conn host-host
    keyexchange=ikev2
    mobike=no
    left=<local IPv6 address>
    leftid=@left
    leftfirewall=yes
    right=<remote IPv6 address>
    rightid=@right
    auto=start
    esp=aes256-sha256-modp2048!
    ike=aes256-sha256-modp2048!
    leftauth=psk
    rightauth=psk
    dpdaction=clear
    dpddelay=300s

I've been trying to find the reason for the "Invalid Argument" error, but my knowledge in this area is not enough to dig deep into the source code.

What could be the reason for the "Invalid Argument (22)" error caused?

Related issues

History

#1 Updated by Noel Kuntze about 6 years ago

I guess you need the tunnel6 module as well.

#2 Updated by Thomas S about 6 years ago

I added

tunnel6

and

xfrm_tunnel6

but still receive the same error. I would try using

kernel-libipsec

, but the system package (Debian Jessie) is compiled without and I have some trouble starting a self-compiled instance (hangs an loading feature RNG_WEAK ...).

Any other ideas?

#3 Updated by Noel Kuntze about 6 years ago

Well, does IPv4 in Ipv4 work and IPv6 in IPv6?

I have a working setup with the following modules:

lsmod lsmod

Module                  Size  Used by
esp6                   20480  0
xfrm6_mode_transport    16384  0
echainiv               16384  0
tcp_diag               16384  0
inet_diag              20480  1 tcp_diag
bluetooth             450560  0
rfkill                 20480  2 bluetooth
ip6t_REJECT            16384  7
nf_reject_ipv6         16384  1 ip6t_REJECT
xt_hl                  16384  4
xt_NFLOG               16384  8
nfnetlink_log          20480  3 xt_NFLOG
xt_comment             16384  29
xt_addrtype            16384  1
xt_socket              16384  5
ip6table_filter        16384  1
ip6table_raw           16384  0
ip6table_mangle        16384  1
nf_log_ipv4            16384  3
nf_log_ipv6            16384  5
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
xt_iprange             16384  3
xt_nat                 16384  12
xt_connmark            16384  5
iptable_raw            16384  0
xt_TCPMSS              16384  2
xt_rateest             16384  2
xt_owner               16384  40
xt_RATEEST             16384  3 xt_rateest
ip6table_nat           16384  1
nf_nat_ipv6            16384  1 ip6table_nat
ip6_tables             28672  4 ip6table_filter,ip6table_mangle,ip6table_nat,ip6table_raw
iptable_mangle         16384  1
dummy                  16384  0
nfnetlink_cttimeout    16384  0
ip_set_hash_net        32768  4
ip_set_hash_ip         32768  10
ext4                  512000  1
crc16                  16384  2 ext4,bluetooth
mbcache                20480  1 ext4
jbd2                   90112  1 ext4
cirrus                 24576  1
ttm                    77824  1 cirrus
drm_kms_helper        106496  1 cirrus
drm                   286720  4 ttm,drm_kms_helper,cirrus
syscopyarea            16384  1 drm_kms_helper
sysfillrect            16384  1 drm_kms_helper
sysimgblt              16384  1 drm_kms_helper
iosf_mbi               16384  0
fb_sys_fops            16384  1 drm_kms_helper
pcspkr                 16384  0
acpi_cpufreq           20480  0
evdev                  24576  1
parport_pc             28672  0
i2c_piix4              24576  0
parport                40960  1 parport_pc
tpm_tis                20480  0
input_leds             16384  0
tpm                    36864  1 tpm_tis
psmouse               122880  0
led_class              16384  1 input_leds
processor              32768  1 acpi_cpufreq
mac_hid                16384  0
button                 16384  0
sch_fq_codel           20480  5
tcp_westwood           16384  35
chacha20poly1305       20480  0
poly1305_x86_64        16384  0
poly1305_generic       16384  1 poly1305_x86_64
chacha20_x86_64        20480  0
chacha20_generic       16384  1 chacha20_x86_64
seqiv                  16384  0
authenc                16384  0
xfrm4_mode_tunnel      16384  0
xfrm6_mode_tunnel      16384  0
xfrm_ipcomp            16384  0
tunnel6                16384  0
ip_tunnel              24576  0
xfrm_user              32768  2
xfrm4_tunnel           16384  0
tunnel4                16384  1 xfrm4_tunnel
pcrypt                 16384  0
esp4                   20480  0
ah4                    20480  0
xfrm_algo              16384  5 ah4,esp4,esp6,xfrm_user,xfrm_ipcomp
tun                    28672  6
xt_tcpudp              16384  43
xt_set                 16384  34
ip_set                 36864  3 ip_set_hash_net,ip_set_hash_ip,xt_set
xt_policy              16384  37
xt_multiport           16384  14
xt_limit               16384  4
xt_conntrack           16384  31
nfnetlink_queue        20480  0
nf_conntrack_netlink    36864  0
nfnetlink              16384  7 nfnetlink_log,ip_set,nfnetlink_cttimeout,nf_conntrack_netlink,nfnetlink_queue
nf_conntrack_ipv6      20480  19
nf_defrag_ipv6         36864  2 xt_socket,nf_conntrack_ipv6
ipt_REJECT             16384  13
nf_reject_ipv4         16384  1 ipt_REJECT
ipt_MASQUERADE         16384  1
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
xt_LOG                 16384  8
iptable_nat            16384  1
nf_conntrack_ipv4      16384  19
nf_defrag_ipv4         16384  2 xt_socket,nf_conntrack_ipv4
nf_nat_ipv4            16384  1 iptable_nat
nf_nat                 20480  4 nf_nat_ipv4,nf_nat_ipv6,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack           90112  10 nf_nat,nfnetlink_cttimeout,nf_nat_ipv4,nf_nat_ipv6,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_netlink,xt_connmark,nf_conntrack_ipv4,nf_conntrack_ipv6
iptable_filter         16384  1
ip_tables              28672  4 iptable_filter,iptable_mangle,iptable_nat,iptable_raw
x_tables               28672  30 ip6table_filter,xt_RATEEST,xt_iprange,xt_hl,ip6table_mangle,xt_comment,xt_rateest,xt_policy,ip_tables,xt_socket,xt_tcpudp,ipt_MASQUERADE,xt_NFLOG,xt_limit,xt_owner,xt_conntrack,xt_LOG,xt_nat,xt_set,xt_multiport,iptable_filter,ip6table_raw,xt_TCPMSS,xt_connmark,ipt_REJECT,iptable_mangle,ip6_tables,xt_addrtype,iptable_raw,ip6t_REJECT
xfs                   839680  1
libcrc32c              16384  1 xfs
crc32c_generic         16384  0
sha256_ssse3           32768  3
sha256_generic         24576  1 sha256_ssse3
hmac                   16384  1
drbg                   32768  1
ansi_cprng             16384  0
algif_skcipher         20480  0
af_alg                 16384  1 algif_skcipher
hid_generic            16384  0
usbhid                 45056  0
hid                   114688  2 hid_generic,usbhid
dm_crypt               28672  2
dm_mod                102400  5 dm_crypt
sr_mod                 24576  0
cdrom                  49152  1 sr_mod
sd_mod                 36864  4
ata_generic            16384  0
pata_acpi              16384  0
virtio_net             28672  0
virtio_balloon         16384  0
virtio_scsi            20480  3
crct10dif_pclmul       16384  0
crc32_pclmul           16384  0
crc32c_intel           24576  1
serio_raw              16384  0
atkbd                  24576  0
libps2                 16384  2 atkbd,psmouse
aesni_intel           167936  5
aes_x86_64             20480  1 aesni_intel
lrw                    16384  1 aesni_intel
gf128mul               16384  1 lrw
glue_helper            16384  1 aesni_intel
ablk_helper            16384  1 aesni_intel
uhci_hcd               40960  0
cryptd                 20480  4 aesni_intel,ablk_helper
ehci_pci               16384  0
virtio_pci             24576  0
virtio_ring            20480  4 virtio_net,virtio_pci,virtio_balloon,virtio_scsi
virtio                 16384  4 virtio_net,virtio_pci,virtio_balloon,virtio_scsi
ehci_hcd               73728  1 ehci_pci
ata_piix               36864  0
usbcore               196608  4 uhci_hcd,ehci_hcd,ehci_pci,usbhid
libata                196608  3 pata_acpi,ata_generic,ata_piix
usb_common             16384  1 usbcore
scsi_mod              151552  4 libata,sd_mod,sr_mod,virtio_scsi
floppy                 65536  0
i8042                  28672  0
serio                  20480  6 serio_raw,atkbd,i8042,psmouse

#4 Updated by Thomas S about 6 years ago

IPv6 in IPv6 results in the same "Invalid Argument" error from netlink. IPv4 in IPv4 can't be tested in this case because the machines have just IPv6 WAN connections (hence the wish for an IPv4 tunnel through IPv6).

#5 Updated by Thomas S about 6 years ago

Recompiled with --enable-kernel-libipsec and the routes are added without problems.

What could be the problem when using strongSwan without the kernel-libipsec plugin?

#6 Updated by Tobias Brunner about 6 years ago

Category changed from kernel-interface to kernel
Status changed from New to Feedback

What could be the problem when using strongSwan without the kernel-libipsec plugin?

Missing modules (could also be crypto modules). Did you compare your output of lsmod with that of Noel?

#7 Updated by Thomas S about 6 years ago

Yes, compared and modprobe'd the missing modules (except for things like cdrom). Still the same error.

Is there any way to get more details out of what is happening there? There must be a way to get a more detailed reason as for why the error Invalid Argument (22) is returned.

#8 Updated by Tobias Brunner about 6 years ago

Is there any way to get more details out of what is happening there?

No.

There must be a way to get a more detailed reason as for why the error Invalid Argument (22) is returned.

Unless you are willing to modify the kernel sources and recompile it there isn't.

Can you establish the IPv6-only host-to-host connection? Since the installation of the SAs is exactly the same in both cases, and the negotiated algorithms are probably the same, that should fail too (that IPv4 is tunneled and not IPv6 only comes into play when installing the policies).

#9 Updated by Thomas S about 6 years ago

The IPv6 connections cannot be established, either. Does that mean that there are probably crypto modules missing from the kernel?

Here is cat /proc/crypto | grep aes:

name         : rfc3686(ctr(aes))
driver       : rfc3686(ctr(aes-generic))
name         : ctr(aes)
driver       : ctr(aes-generic)
name         : ctr(aes)
driver       : ctr(aes-generic)
name         : cbc(aes)
driver       : cbc(aes-generic)
name         : aes
driver       : aes-generic

And this is cat /proc/crypto | grep sha256:

driver       : drbg_nopr_hmac_sha256
driver       : drbg_pr_hmac_sha256
name         : hmac(sha256)
driver       : hmac(sha256-generic)
module       : sha256_generic
name         : sha256
driver       : sha256-generic
module       : sha256_generic

From what I have gathered everything looks fine ...

#10 Updated by Tobias Brunner about 6 years ago

And this is cat /proc/crypto | grep sha256:

Actually, you need to look for sha1 as that's what the daemon tries to install, according to the log you posted. Otherwise, change your config so that the proposal string in ike/esp end with ! (see ConnSection).

#11 Updated by Thomas S about 6 years ago

That looks okay, too.

Running cat /proc/crypto | grep sha1 yields:

driver       : drbg_nopr_hmac_sha1
driver       : drbg_pr_hmac_sha1
name         : hmac(sha1)
driver       : hmac(sha1-neon)
name         : sha1
driver       : sha1-generic
module       : sha1_generic
name         : sha1
driver       : sha1-neon
module       : sha1_arm_neon
name         : sha1
driver       : sha1-asm
module       : sha1_arm

#12 Updated by Tobias Brunner about 6 years ago

Is the config you posted complete or are there settings in conn %default? What kernel version do you use? What strongSwan version? Is there an IPv6 NAT between the hosts or does the peer perhaps force UDP encapsulation (more of the log might help)?

#13 Updated by Thomas S about 6 years ago

There is no default section, uname -r produces 4.4.38-v7+ and yes, UDP encapsulation is forced by the responder.

#14 Updated by Thomas S about 6 years ago

The information above are based on a Raspberry Pi 3 running Raspbian, but I can reproduce these issues on a Ubiquity EdgeMax router as well.

#15 Updated by Tobias Brunner about 6 years ago

and yes, UDP encapsulation is forced by the responder.

Then this won't work. The Linux kernel currently doesn't support UDP encapsulation for IPv6.

#16 Updated by Tobias Brunner about 6 years ago

Related to Issue #939: UDP Encapsulation for IPv6 Traffic on Linux added

#17 Updated by Thomas S about 6 years ago

Ahhhh, okay. Thanks for the answer.

#18 Updated by Noel Kuntze almost 6 years ago

Status changed from Feedback to Closed
Resolution set to No change required

Also available in: Atom PDF

Project

General

Profile

strongSwan

Issues