#4 pfkey UPDATE failed: No buffer space available

racoon
closed
5
2004-05-18
2004-05-17
Brian Raccuglia
No

I am attempting to configure a server to server IPSec
connection using racoon and pre-shared keys. I am
receiving the following failure during the phase 2
negotiation and I can't seem to find where the problem
is.

pkkey.c:210:pfkey_handler(): pfkey UPDATE failed: No
buffer space available

Can somebody please tell me what may be causing this
problem?

I am currently using ipsec-tools-0.2.4-1.

Thanks,
Brian
brian.raccuglia@tais.com

Discussion

  • Aidas Kasparas
    2004-05-18

    Logged In: YES
    user_id=39627

    Brian,

    What is your kernel version? From what distribution?

    From the message you're citing, I suspect that your kernel is
    old (recommended 2.6.6; the backport to 2.4.x still does not have
    the code which will give more descriptive error messages).

    If you cannot upgrade the kernel for some reason, please make
    sure that the ipsec modules for the protocols and algorithms you
    use are present in the kernel -- either compiled in or loaded as
    modules (esp4, ah4, ipcomp, sha512, sha256, aes, ...)

    You should upgrade ipsec-tools to 0.3.1 also (due to
    security fixes).

     
  • Logged In: YES
    user_id=1043971

    I have been using kernel version 2.6.3-2 build 229 from the
    Fedora Core 2 distribution. I believe I have all the kernel
    modules loaded that I need including af_key, des, md5,
    deflate, zlib_deflate. I will switch to the 0.3.1 version of
    the tools to see if anything changes. I will also be changing
    to the final Fedora Core 2 release as soon as I get it
    downloaded. Has anybody come across this error though?
    The errno that is being returned is ENOBUFS which looks like
    it is only returned from update_myaddrs() in grabmyaddr.c
    line 604.

    I am running the same kernel and tools using certificates and
    Windows clients and I have no problems. I thought the
    pre-shared key configuration would be easier to set up and get
    running. I turned on full debugging in the racoon daemon and
    it spits out more debug information. I will try to attach this
    file.

    Thanks,
    Brian

     
  • Debug capture from tunnel initiation sequence.

  • Aidas Kasparas
    2004-05-18

    Logged In: YES
    user_id=39627

    Do you have esp4 loaded/ compiled in?

     
  • Logged In: YES
    user_id=1043971

    I did not have esp4 loaded. After loading esp4 the errors
    went away. Thank you very much for your help.

    Brian

     
  • Aidas Kasparas
    2004-05-18

    • assigned_to: nobody --> monas
    • status: open --> closed
     
  • Mike Robinson
    2005-06-10

    Logged In: YES
    user_id=854356

    To clarify what to do here...

    If racoon says "network family not supported" or somesuch,
    it means that the "af_key" kernel module is not loaded.

    If racoon says "no buffer space available," it actually
    means that the esp4/ah4 kernel modules are not loaded.

    So what do you, like, DO about it? 8-)
    "modprobe af_key esp4 ah4"
    ... from the command line and the problem will go away.

    A kernel-module, in Linux, is an extension to the
    operating system kernel which can be loaded on-demand.
    But racoon doesn't automatically do it, nor does it give a
    decent error-message if the module isn't there.
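
The check this thread arrives at, as an added shell example (not from the ticket or from ipsec-tools): it lists which of the modules named above are neither loaded nor built in, so the gap is visible before racoon reports ENOBUFS. The function names and sample data are constructed; the `modules.builtin` lookup assumes a kernel that ships that file and is skipped when it is absent.

```shell
#!/bin/sh
# Added example: pre-flight check for the IPsec kernel modules named in this thread.
# Input paths are parameters so the check can be run against sample files.

# Print each required module that is neither loaded nor built in.
#   $1 = file in /proc/modules format
#   $2 = file in modules.builtin format (may be absent on older kernels)
#   remaining args = module names to require
missing_ipsec_modules() {
    loaded=$1
    builtin=$2
    shift 2
    for mod in "$@"; do
        # /proc/modules: the module name is the first field. Exact match,
        # so "esp4" is not satisfied by a longer name such as "esp4_offload".
        if [ -r "$loaded" ] &&
           awk -v m="$mod" '$1 == m { f = 1 } END { exit !f }' "$loaded"; then
            continue
        fi
        # modules.builtin: one path per line, e.g. kernel/net/ipv4/esp4.ko.
        # File names may use '-' where the module name uses '_'.
        if [ -r "$builtin" ] &&
           tr '-' '_' < "$builtin" | grep -q "/${mod}\.ko\$"; then
            continue
        fi
        echo "$mod"
    done
}

# Constructed sample data (not from the ticket): af_key is loaded,
# ah4 is built in, esp4 is missing, as in the reporter's setup.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        'af_key 40000 0 - Live 0x0000000000000000' \
        'des 12000 0 - Live 0x0000000000000000' > "$tmp/modules"
    printf '%s\n' 'kernel/net/ipv4/ah4.ko' > "$tmp/builtin"
    missing_ipsec_modules "$tmp/modules" "$tmp/builtin" af_key esp4 ah4
    rm -rf "$tmp"
}

demo
```

On a live host, call `missing_ipsec_modules /proc/modules "/lib/modules/$(uname -r)/modules.builtin" af_key esp4 ah4` and `modprobe` whatever it prints before starting racoon.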