On Mon, 27 May 2019, Computerisms Corporation wrote:

_stackmanager[523]: FAILURE in loading XFRM IPsec stack

I traced it down in the code to a file called _stackmanager.in, and it appears the error is generated because of a missing file:

/proc/net/xfrm_stat

Here is where I have been spinning my wheels for a bit too long, I am not sure if that is supposed to be created as a result of iproute2 or some other package, or maybe it's a kernel module (I did install and then remove dkms trying to get xtables-addons working) issue and I need to modprobe something, or if Libreswan was supposed to create it and didn't.

It is part of the kernel, and is created by enabling CONFIG_XFRM_STATISTICS.

We used to check XFRM using /proc/net/pf_key but that was really the
PFKEYv2 API, not the netlink/xfrm API, and work is happening in the
kernel to completely disable the PFKEYv2 API. So we needed another test.

We thought most distributions had CONFIG_XFRM_STATISTICS enabled, so it
was the easiest for us to detect XFRM support in the kernel. But some
people don't seem to have this enabled.

Does your system have /proc/sys/net/core/xfrm_acq_expires ?  Maybe we
need to switch to that to test whether XFRM support is available.

So, did I find a real problem, or am I just in need of someone to point out a glaringly obvious error on my part?

It's not you, it's us :)

Although, /proc/net/xfrm_stat is your _only_ way of getting any
debugging of the kernel level IPsec related events, so you really
do want it enabled in your custom kernels too :)

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
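
The checks discussed in the message above, as an added shell example that is not part of the original post and is not Libreswan's _stackmanager code: it classifies a host by which of the three proc files exist and lists any non-zero counters from /proc/net/xfrm_stat. The function names and the optional ROOT prefix are assumptions of this example; treating /proc/sys/net/core/xfrm_acq_expires as the fallback test follows the suggestion in the message, not a confirmed Libreswan change.

```shell
#!/bin/sh
# Added example: classify kernel XFRM support from the proc files named in the thread.
# ROOT is a hypothetical prefix (default empty) so the checks can run against a test tree.

# xfrm_support [ROOT] -> prints xfrm-with-stats | xfrm-no-stats | pfkey-only | none
xfrm_support() {
    root="${1:-}"
    if [ -e "$root/proc/net/xfrm_stat" ]; then
        echo "xfrm-with-stats"   # kernel built with CONFIG_XFRM_STATISTICS
    elif [ -e "$root/proc/sys/net/core/xfrm_acq_expires" ]; then
        echo "xfrm-no-stats"     # XFRM sysctl present, statistics file missing
    elif [ -e "$root/proc/net/pf_key" ]; then
        echo "pfkey-only"        # only the legacy PFKEYv2 file is visible
    else
        echo "none"
    fi
}

# xfrm_nonzero_counters [ROOT] -> prints "Name value" for each counter above zero
xfrm_nonzero_counters() {
    root="${1:-}"
    f="$root/proc/net/xfrm_stat"
    [ -r "$f" ] || return 0      # nothing to report when the file is absent
    awk '$2 ~ /^[0-9]+$/ && $2 > 0 { print $1, $2 }' "$f"
}

# Report for the running system.
state=$(xfrm_support)
echo "XFRM detection: $state"
case "$state" in
    xfrm-with-stats)
        xfrm_nonzero_counters ;;
    xfrm-no-stats)
        echo "enable CONFIG_XFRM_STATISTICS to get /proc/net/xfrm_stat" ;;
esac
```
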