Thanks for your reply, Aaron. Since I log into these hosts from VNC, when I copied the screen out of VNC, some strings got messed up (I have manually edited them, but it seems I didn't correct them all), but I'm sure that is not an error. The plugins are loaded successfully according to the log, and the CHILD_SA is set up successfully; the data transmitted between these 2 peers is also wrapped in the ESP protocol, so it seems IPsec works well, but I'm not sure whether this "netlink error" is absolutely harmless.
I checked the kernel module dependency info at http://wiki.strongswan.org/wiki/1/KernelModules and found that my hosts' kernel isn't built with CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES; I wonder whether this is the reason. I found some information on the Internet saying that CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES are for "Tunnel" mode, but if I don't need to support "Tunnel" mode and only wish to support "Transport" mode, do I still need to build the kernel with CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES? Is the "netlink error" caused by missing these modules?

2010/4/1 Aaron Zhang <[email protected]>

> strongswan.conf:
> charon {
>
>   # number of worker threads in charon
>   threads = 16
>
>   # plugins to load in charon
>   load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kk
> ernel-netlink updown
> }
>
> kk
> ernel-netlink may be kernel-netlink not kkernel-netlink
>
> *From:* [email protected] [mailto:users-bounces+bzhang=sonicwall.com@lists.strongswan.org] *On Behalf Of *MingM Xia
> *Sent:* 1 April 2010 14:43
> *To:* [email protected]
> *Subject:* [strongSwan] On PPC: netlink error, unable to create IPv4 routing table rule
>
> Hi,
>
> I'm running strongSwan 4.3.6rc2 on 2 PPC hosts to accomplish IKEv2 using charon (transport mode).
>
> # uname -a
> Linux hapWibbSc2 2.6.27.39 #5 SMP PREEMPT Fri Feb 26 18:33:03 CST 2010 ppc ppc ppc GNU/Linux
>
> I met 2 issues:
>
> 1. There is some "netlink error" info:
>
> Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
> Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv4 routing table rule
> Feb 19 15:37:00 localhost charon: 00[KNL] received netlink error: Operation not supported (95)
> Feb 19 15:37:00 localhost charon: 00[KNL] unable to create IPv6 routing table rule
> Feb 19 15:37:00 localhost charon: 00[LIB] plugin 'kernel-netlink': loaded successfully
>
> 2.
> root# ipsec up host-host
> initiating IKE_SA host-host[2] to 10.19.156.194
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.19.156.242[500] to 10.19.156.194[500]
> received packet: from 10.19.156.194[500] to 10.19.156.242[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> authentication of '10.19.156.242' (myself) with pre-shared key
> establishing CHILD_SA host-host
> generating IKE_AUTH request 1 [ IDi IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 1 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 2 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 3 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 4 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> retransmit 5 of request with message ID 1
> sending packet: from 10.19.156.242[4500] to 10.19.156.194[4500]
> giving up after 5 retransmits
> peer not responding, trying again (2/3)
> root# netstat -nlp | grep 4500
> udp 0 0 0.0.0.0:4500 0.0.0.0:* 7698/charon
> root# netstat -nlp | grep 500
> udp 0 0 0.0.0.0:4500 0.0.0.0:* 7698/charon
> udp 0 0 0.0.0.0:500 0.0.0.0:* 7698/charon
>
> I find it has something to do with my firewall: when I disable the firewall on both hosts, the Child SA is created successfully, even though it's still with the "netlink error" mentioned above.
>
> I'm kind of confused about the "leftfirewall=yes" configuration and "charon.routing_table".
>
> About "left|rightfirewall=yes": I used to think that, with this configuration, strongSwan would insert the rule into IPTABLES for the connection at the very beginning; obviously I'm wrong. From the log of the successful case, I find the firewall script "_updown" is for the CHILD SA; it is run after the CHILD SA is set up, not at the very beginning. So we still need to make sure the ports used by IKE are not blocked on both peers; for IKEv2, by default, those are UDP port 500 and 4500, so we need to make sure our firewall opens UDP port 500 and UDP port 4500. Am I right?
>
> About "charon.routing_table": is this enabled by default for IKEv2? I checked the code of "kernel_netlink_net_create"; the print of "netlink error" tells me "this->routing_table" is true, but actually I didn't configure it in strongswan.conf. I'm not so clear about the purpose of this "routing table"; can anybody give some explanation of the purpose of this "routing table"? And does anybody have some idea about this "unable to create IPv4 routing table rule" on my PPC hosts?
>
> It seems like even with this "unable to create IPv4 routing table rule", IPsec (transport mode) works well on my 2 PPC hosts; is there any potential failure I haven't realized with the "netlink error"?
>
> ipsec.conf:
> config setup
>   # plutodebug=all
>   # crlcheckinterval=600
>   # strictcrlpolicy=yes
>   # cachecrls=yes
>   # nat_traversal=yes
>   # charonstart=no
>   # plutostart=no
>   plutostart=no
>   plutodebug=all
>   charonstart=yes
>   charondebug="dmn 3,mgr 3,ike 3,chd 3,job 3,cfg 3,knl 3,net 3,enc 1,lib 3"
>
> conn host-host-bcu3
>   authby=psk
>   left=10.19.156.194
>   leftfirewall=yes
>   right=10.19.156.242
>   type=transport
>   ike=aes128-sha256-modp2048!
>   keyexchange=ikev2
>   esp=aes128-sha256-modp2048!
>   auto=add
>
> strongswan.conf:
> charon {
>
>   # number of worker threads in charon
>   threads = 16
>
>   # plugins to load in charon
>   load =curl aes des sha1 md5 sha2 pem pkcs1 gmp random x509 hmac stroke kk
> ernel-netlink updown
> }
>
> Best regards,
>
> Mac
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
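Two checks a practitioner would want to run before chasing the thread's questions further, as an added example that is not part of this mailing-list exchange or of strongSwan itself: (1) whether the running kernel's config has the two options the wiki page above lists for charon's routing-table rule (the kernel options themselves come from the thread; the sample config text below is constructed to mirror the poster's report that they are absent), and (2) the firewall INPUT rules the poster's reasoning calls for on each peer, UDP 500 and 4500 for IKEv2 plus ESP for the protected traffic, generated for the peer address from the thread. The script is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread): a kernel-config check for the options
# strongSwan's routing-table rule needs, and a generator for the firewall rules
# an IKEv2 transport-mode peer must accept.

# Constructed sample kernel config (assumption: stands in for
# /boot/config-$(uname -r) on a host where, as the poster reports,
# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES are not set).
SAMPLE_CONFIG='CONFIG_INET=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
CONFIG_INET_ESP=y
# CONFIG_IP_ADVANCED_ROUTER is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y'

# config_has OPTION: read a kernel config on stdin; succeed if OPTION is
# built in (=y) or modular (=m). Lines like "# OPTION is not set" do not match.
config_has() {
    grep -q "^$1=[ym]$"
}

# policy_routing_status: read a kernel config on stdin and print "ok" when
# both options are present, otherwise "missing:" followed by the absent ones.
policy_routing_status() {
    cfg=$(cat)
    missing=""
    for opt in CONFIG_IP_ADVANCED_ROUTER CONFIG_IP_MULTIPLE_TABLES; do
        printf '%s\n' "$cfg" | config_has "$opt" || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo ok
    else
        echo "missing:$missing"
    fi
}

# ike_firewall_rules PEER: print the iptables INPUT rules that let IKEv2
# (UDP 500, UDP 4500 for NAT-T) and ESP from PEER through. Printing rather
# than applying keeps the script safe to run anywhere; pipe to sh to apply.
ike_firewall_rules() {
    peer=$1
    printf 'iptables -A INPUT -s %s -p udp --dport 500 -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -s %s -p udp --dport 4500 -j ACCEPT\n' "$peer"
    printf 'iptables -A INPUT -s %s -p esp -j ACCEPT\n' "$peer"
}

# Stand-alone run: the constructed config, then the live kernel if its
# config file is readable, then the rules for the thread's peer address.
echo "sample config: $(printf '%s\n' "$SAMPLE_CONFIG" | policy_routing_status)"
if [ -r "/boot/config-$(uname -r)" ]; then
    echo "live kernel:   $(policy_routing_status < "/boot/config-$(uname -r)")"
fi
ike_firewall_rules 10.19.156.194
```

On the constructed config the status line reports both options missing, which is the situation the poster describes; a kernel with both options present reports `ok`. The rule generator only prints, so the same script can be reviewed before anything touches the firewall.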
