From: Ronan M. <ro...@io...> - 2009-09-25 20:13:00
I'm trying to set up an IPSEC tunnel from an OpenWRT box (2.6.28.10) to a Cisco router. Phase 1 goes fine, Phase 2 dies with:

...
2009-09-24 18:54:02: DEBUG: KEYMAT computed.
2009-09-24 18:54:02: DEBUG: call pk_sendupdate
2009-09-24 18:54:02: DEBUG: encryption(des)
2009-09-24 18:54:02: DEBUG: hmac(md5)
2009-09-24 18:54:02: DEBUG: call pfkey_send_update2
2009-09-24 18:54:02: DEBUG: pfkey update sent.
2009-09-24 18:54:02: DEBUG: encryption(des)
2009-09-24 18:54:02: DEBUG: hmac(md5)
2009-09-24 18:54:02: DEBUG: call pfkey_send_add2 (NAT flavor)
2009-09-24 18:54:02: DEBUG: call pfkey_send_add2
2009-09-24 18:54:02: DEBUG: pfkey add sent.
2009-09-24 18:54:02: DEBUG: pk_recv: retry[0] recv()
2009-09-24 18:54:02: DEBUG: get pfkey UPDATE message
* 2009-09-24 18:54:02: ERROR: pfkey UPDATE failed: Protocol not supported
2009-09-24 18:54:02: DEBUG: pk_recv: retry[0] recv()
2009-09-24 18:54:02: DEBUG: get pfkey ADD message
* 2009-09-24 18:54:03: ERROR: pfkey ADD failed: Protocol not supported
2009-09-24 18:54:32: ERROR: 94.199.225.134 give up to get IPsec-SA due to time up to wait.
2009-09-24 18:54:32: DEBUG: IV freed
2009-09-24 18:54:32: DEBUG: pk_recv: retry[0] recv()
2009-09-24 18:54:32: DEBUG: get pfkey EXPIRE message
2009-09-24 18:54:32: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.5.6.7[0] spi=69502535(0x4248647)
2009-09-24 18:54:32: DEBUG: no such a SA found: ESP/Tunnel 1.2.3.4[0]->4.5.6.7[0] spi=69502535(0x4248647)

I've tried this on an OpenWRT box running 2.6.28.10. I've tried it on a Debian Lenny box running 2.6.26.2 to double check and had the same problem. I've upgraded the OpenWRT box to 2.6.30.8 to no avail. Everything works fine on a Ubuntu 9.04 server running 2.6.28-15-server, so I know my racoon / setkey config works.

I've tried loading various modules (esp4 (obviously!), xfrm4_mode_tunnel.ko, etc.) on the OpenWRT box and get slightly different failure modes depending on the modules loaded:

2009-09-25 18:18:39: DEBUG: get pfkey UPDATE message
* 2009-09-25 18:18:39: ERROR: pfkey UPDATE failed: No such file or directory
2009-09-25 18:18:39: DEBUG: pk_recv: retry[0] recv()
2009-09-25 18:18:39: DEBUG: get pfkey ADD message
* 2009-09-25 18:18:39: ERROR: pfkey ADD failed: No such file or directory
2009-09-25 19:15:01: DEBUG: hash validated.
2009-09-25 19:15:01: DEBUG: begin.
2009-09-25 19:15:01: DEBUG: seen nptype=8(hash)
2009-09-25 19:15:01: DEBUG: seen nptype=12(delete)
2009-09-25 19:15:01: DEBUG: succeed.
2009-09-25 19:15:01: DEBUG: delete payload for protocol ESP
2009-09-25 19:15:01: DEBUG: call pfkey_send_dump
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: discarding non-sadb dump msg 0x4a1338, our pid=4773
2009-09-25 19:15:01: DEBUG: type 1, pid 4773
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: purged SAs.
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: pk_recv: retry[1] recv()
2009-09-25 19:15:01: DEBUG: pk_recv: retry[2] recv()
* 2009-09-25 19:15:01: ERROR: failed to recv from pfkey (Resource temporarily unavailable)

I've seen a thread on this list (or the devel one) saying that loading ipv6 or esp4 solves the problem, but not for me. I've tried numerous variations and had no luck.

At this stage I think I'm nearly there, but missing something (probably) obvious. Can anybody shed any light on the problem? I've been trying to get to the bottom of it for a couple of days but have run out of ideas.

Thanks in advance,
-Ronan