Issue #3303

5.8.2 regression: "netlink error: Invalid argument" on the peer (still running 5.8.1)

Added by Harald Dunkel 7 months ago. Updated 7 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Affected version: 5.8.2
Resolution: No change required

Description

After moving a road warrior (Sid, "cecil", kernel 5.4.6) from 5.8.1 to 5.8.2 it cannot establish a connection to the IPsec gateway (Buster, "hippogate") anymore. The local log file says NO_PROPOSAL_CHOSEN for the child SA. The log file on the gateway says:

Dec 30 20:37:03 18[CFG] <IPSec-IKEv2|5> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> received netlink error: Invalid argument (22)
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> unable to add SAD entry with SPI c02373bd (FAILED)
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> received netlink error: Invalid argument (22)
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> unable to add SAD entry with SPI 82e95ccf (FAILED)
Dec 30 20:37:03 18[IKE] <IPSec-IKEv2|5> unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 30 20:37:03 18[IKE] <IPSec-IKEv2|5> failed to establish CHILD_SA, keeping IKE_SA

Moving back to 5.8.1 makes the problem disappear.

I would be glad to help resolve this problem.

Attachments:
charon.cecil.log (10 KB): log file road warrior running 5.8.2 (Harald Dunkel, 30.12.2019 21:01)
charon.hippogate.log (8.75 KB): log file IPsec gateway running 5.8.1 (Harald Dunkel, 30.12.2019 21:01)
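
A small triage script for the gateway log excerpt above, added here as an example (it is not part of the original report or of strongSwan): it groups charon lines by IKE_SA and flags the case where an ESP proposal was selected but the kernel refused the SAD entries. The function names and the line regex are assumptions derived only from the seven log lines quoted in the description.

```python
import re
from collections import defaultdict

# The seven gateway log lines quoted in the issue description.
SAMPLE = """\
Dec 30 20:37:03 18[CFG] <IPSec-IKEv2|5> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> received netlink error: Invalid argument (22)
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> unable to add SAD entry with SPI c02373bd (FAILED)
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> received netlink error: Invalid argument (22)
Dec 30 20:37:03 18[KNL] <IPSec-IKEv2|5> unable to add SAD entry with SPI 82e95ccf (FAILED)
Dec 30 20:37:03 18[IKE] <IPSec-IKEv2|5> unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 30 20:37:03 18[IKE] <IPSec-IKEv2|5> failed to establish CHILD_SA, keeping IKE_SA
"""

# Assumed layout: "<syslog time> <thread>[<SUBSYS>] <<conn>|<id>> <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \d+\[(?P<sub>[A-Z]{3})\] "
                  r"<(?P<conn>[^|>]+)\|(?P<id>\d+)> (?P<msg>.*)$")
NETLINK = re.compile(r"received netlink error: (.+) \((\d+)\)")
SAD_FAIL = re.compile(r"unable to add SAD entry with SPI ([0-9a-f]+)")

def triage(log_text):
    """Group lines by IKE_SA (conn name, unique id) and collect failure details."""
    sas = defaultdict(lambda: {"proposal": None, "netlink_errors": [],
                               "failed_spis": [], "child_failed": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-SA charon line in the assumed layout
        sa, msg = sas[(m["conn"], int(m["id"]))], m["msg"]
        if m["sub"] == "CFG" and msg.startswith("selected proposal: ESP:"):
            sa["proposal"] = msg.split("ESP:", 1)[1]
        elif m["sub"] == "KNL":
            if (e := NETLINK.match(msg)):
                sa["netlink_errors"].append((e[1], int(e[2])))
            elif (s := SAD_FAIL.match(msg)):
                sa["failed_spis"].append(s[1])
        elif m["sub"] == "IKE" and "failed to establish CHILD_SA" in msg:
            sa["child_failed"] = True
    return dict(sas)

def kernel_rejected(sa):
    """True when a proposal was selected but installing the SA in the kernel failed."""
    return bool(sa["proposal"] and sa["failed_spis"] and sa["child_failed"])

if __name__ == "__main__":
    for key, sa in triage(SAMPLE).items():
        print(key, sa, "kernel_rejected =", kernel_rejected(sa))
```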

History

#1 Updated by Harald Dunkel 7 months ago

PS: The gateway is running 5.8.1 all the time. I hesitate to upgrade it due to the interoperability issue.

#2 Updated by Noel Kuntze 7 months ago

Make sure the configuration specifies the same algorithms. Different strongSwan versions build different default proposals (the code for building it changed).

#3 Updated by Harald Dunkel 7 months ago

Thanks for the hint.

Using the new official Debian package for 5.8.2 I cannot reproduce this problem anymore.

#4 Updated by Tobias Brunner 7 months ago

  • Tracker changed from Bug to Issue
  • Status changed from New to Closed
  • Assignee set to Noel Kuntze
  • Start date deleted (30.12.2019)
  • Resolution set to No change required
