From: Charles L. <lib...@gm...> - 2008-04-29 07:29:50
Hi,

When I update and add pfkey, it prompt this:

Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey UPDATE message
Apr 29 15:12:53 Azi racoon: DEBUG2: 02025d03 02000000 c6b05e61 de6e0000
Apr 29 15:12:53 Azi racoon: ERROR: pfkey UPDATE failed: Protocol not supported
Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey ADD message
Apr 29 15:12:53 Azi racoon: DEBUG2: 02035d03 02000000 c6b05e61 de6e0000
Apr 29 15:12:53 Azi racoon: ERROR: pfkey ADD failed: Protocol not supported

Long time later, it print "pfkey_open: Operation not permitted".

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 07:38:23
Charles Li wrote:
> When I update and add pfkey, it prompt this:
>
> Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey UPDATE message
> Apr 29 15:12:53 Azi racoon: DEBUG2: 02025d03 02000000 c6b05e61 de6e0000
> Apr 29 15:12:53 Azi racoon: ERROR: pfkey UPDATE failed: Protocol not supported
> Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey ADD message
> Apr 29 15:12:53 Azi racoon: DEBUG2: 02035d03 02000000 c6b05e61 de6e0000
> Apr 29 15:12:53 Azi racoon: ERROR: pfkey ADD failed: Protocol not supported
>
> Long time later, it print "pfkey_open: Operation not permitted".

Is this on Linux or some BSD?

At least on Linux this could happen if esp4 kernel module is not loaded.

Cheers,
Timo
From: Charles L. <lib...@gm...> - 2008-04-29 08:00:30
Timo,
Thanks!

I use the openSUSE 11.0, and there are no esp4 module loaded, after I
modprobe esp4, it's still the same issue.

On Tue, Apr 29, 2008 at 3:38 PM, Timo Teräs <tim...@ik...> wrote:
>
> Charles Li wrote:
> > When I update and add pfkey, it prompt this:
> >
> > Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey UPDATE message
> > Apr 29 15:12:53 Azi racoon: DEBUG2: 02025d03 02000000 c6b05e61 de6e0000
> > Apr 29 15:12:53 Azi racoon: ERROR: pfkey UPDATE failed: Protocol not supported
> > Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey ADD message
> > Apr 29 15:12:53 Azi racoon: DEBUG2: 02035d03 02000000 c6b05e61 de6e0000
> > Apr 29 15:12:53 Azi racoon: ERROR: pfkey ADD failed: Protocol not supported
> >
> > Long time later, it print "pfkey_open: Operation not permitted".
>
> Is this on Linux or some BSD?
>
> At least on Linux this could happen if esp4 kernel module is not loaded.
>
> Cheers,
> Timo
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 08:04:01
Charles Li wrote:
> Timo,
> Thanks!
>
> I use the openSUSE 11.0, and there are no esp4 module loaded, after I
> modprobe esp4, it's still the same issue.

What kind of SPDs you are using? That is what is the contents of
ipsec.conf with the spdadd rules. Or alternatively the output of
'ip xfrm policy'.

Also list of loaded modules is helpful.

Cheers,
Timo
From: Charles L. <lib...@gm...> - 2008-04-29 08:12:27
On Tue, Apr 29, 2008 at 4:04 PM, Timo Teräs <tim...@ik...> wrote:
> Charles Li wrote:
> > Timo,
> > Thanks!
> >
> > I use the openSUSE 11.0, and there are no esp4 module loaded, after I
> > modprobe esp4, it's still the same issue.
>
> What kind of SPDs you are using? That is what is the contents of
> ipsec.conf with the spdadd rules. Or alternatively the output of
> 'ip xfrm policy'.

src 127.0.0.0/8 dst 127.0.0.0/8
        dir in priority 2147483648
src 0.0.0.0/0 dst 147.2.207.221/32
        dir in priority 2147483648
        tmpl src 61.14.130.209 dst 147.2.207.94
                proto esp reqid 0 mode tunnel
src 127.0.0.0/8 dst 127.0.0.0/8
        dir out priority 2147483648
src 147.2.207.221/32 dst 0.0.0.0/0
        dir out priority 2147483648
        tmpl src 147.2.207.94 dst 61.14.130.209
                proto esp reqid 0 mode tunnel

61.14.130.209 is my vpn server.
147.2.207.94 is my laptop's ip.

> Also list of loaded modules is helpful.

Module Size Used by
xfrm_user 42624 0
aead 24960 0
xfrm4_mode_tunnel 19200 14
deflate 20224 0
zlib_deflate 34920 1 deflate
ctr 21760 0
twofish_i586 22016 0
twofish_common 29568 1 twofish_i586
camellia 34944 0
serpent 35712 0
blowfish 24832 0
des_generic 33280 0
cbc 20736 0
aes_i586 24704 0
aes_generic 44072 1 aes_i586
xcbc 22024 0
sha256_generic 28800 0
sha1_generic 18944 0
md5 20480 0
crypto_null 19840 0
af_key 54932 2
vboxdrv 79488 0
nls_utf8 18432 0
nfs 278868 0
xt_tcpudp 19584 23
xt_pkttype 18304 3
xt_physdev 18960 1
ipt_LOG 22788 19
xt_limit 19076 19
snd_pcm_oss 64256 0
snd_mixer_oss 33408 1 snd_pcm_oss
nfsd 237980 19
lockd 84472 3 nfs,nfsd
snd_seq 73664 0
nfs_acl 19968 2 nfs,nfsd
auth_rpcgss 59528 1 nfsd
snd_seq_device 25100 1 snd_seq
sunrpc 209660 23 nfs,nfsd,lockd,nfs_acl,auth_rpcgss
exportfs 21376 1 nfsd
binfmt_misc 28040 1
i915 46464 2
drm 98200 3 i915
af_packet 38656 18
bridge 71576 1
bnep 32000 2
ipt_REJECT 20352 3
xt_state 18944 13
iptable_mangle 19712 0
iptable_nat 23688 0
nf_nat 35736 1 iptable_nat
cpufreq_conservative 24456 0
iptable_filter 19840 1
cpufreq_userspace 22660 0
cpufreq_powersave 18176 0
acpi_cpufreq 26380 1
nf_conntrack_netbios_ns 19200 0
speedstep_lib 21508 0
nf_conntrack_ipv4 27652 16 iptable_nat,nf_nat
nf_conntrack 79188 5 xt_state,iptable_nat,nf_nat,nf_conntrack_netbios_ns,nf_conntrack_ipv4
ip_tables 30224 3 iptable_mangle,iptable_nat,iptable_filter
ip6_tables 31376 0
x_tables 33668 10 xt_tcpudp,xt_pkttype,xt_physdev,ipt_LOG,xt_limit,ipt_REJECT,xt_state,iptable_nat,ip_tables,ip6_tables
microcode 30608 0
fuse 66204 3
loop 35332 0
dm_mod 78676 0
pcmcia 55924 0
rfcomm 57488 2
l2cap 41344 12 bnep,rfcomm
arc4 18432 2
ecb 20096 2
snd_hda_intel 368412 2
crypto_blkcipher 36228 4 ctr,cbc,crypto_null,ecb
yenta_socket 43020 1
snd_pcm 100100 2 snd_pcm_oss,snd_hda_intel
iTCO_wdt 28580 0
iwl3945 106332 0
firmware_class 25984 3 microcode,pcmcia,iwl3945
snd_timer 40712 2 snd_seq,snd_pcm
rsrc_nonstatic 29696 1 yenta_socket
video 39312 0
snd_page_alloc 27400 2 snd_hda_intel,snd_pcm
hci_usb 31900 2
iTCO_vendor_support 20228 1 iTCO_wdt
mac80211 190356 1 iwl3945
pcmcia_core 55188 3 pcmcia,yenta_socket,rsrc_nonstatic
usbhid 60260 0
i2c_i801 26128 0
rtc_cmos 27168 0
output 20224 1 video
snd_hwdep 26372 1 snd_hda_intel
bay 22912 0
sr_mod 33320 0
rtc_core 37148 1 rtc_cmos
bluetooth 74212 8 bnep,rfcomm,l2cap,hci_usb
snd 76856 12 snd_pcm_oss,snd_mixer_oss,snd_seq,snd_seq_device,snd_hda_intel,snd_pcm,snd_timer,snd_hwdep
wmi 24488 0
cfg80211 35720 1 mac80211
button 25360 0
battery 31108 0
ac 22916 0
tg3 127364 0
cdrom 50588 1 sr_mod
rtc_lib 19456 1 rtc_core
hid 53708 1 usbhid
dcdbas 25252 0
i2c_core 41108 1 i2c_i801
intel_agp 43460 1
soundcore 24264 1 snd
agpgart 50868 3 drm,intel_agp
joydev 28224 0
ff_memless 21896 1 usbhid
sg 52020 0
ehci_hcd 52492 0
sd_mod 45208 5
uhci_hcd 40848 0
usbcore 164556 5 hci_usb,usbhid,ehci_hcd,uhci_hcd
edd 26440 0
ext3 155656 3
mbcache 25348 1 ext3
jbd 73376 1 ext3
fan 22660 0
ata_piix 38148 4
libata 174812 1 ata_piix
scsi_mod 168308 4 sr_mod,sg,sd_mod,libata
dock 27536 2 bay,libata
thermal 39452 0
processor 68400 4 acpi_cpufreq,thermal

> Cheers,
> Timo
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: VANHULLEBUS Y. <va...@fr...> - 2008-04-29 08:06:22
On Tue, Apr 29, 2008 at 03:29:56PM +0800, Charles Li wrote:
> Hi,

Hi.

> When I update and add pfkey, it prompt this:
>
> Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey UPDATE message
> Apr 29 15:12:53 Azi racoon: DEBUG2: 02025d03 02000000 c6b05e61 de6e0000
> Apr 29 15:12:53 Azi racoon: ERROR: pfkey UPDATE failed: Protocol not supported
> Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey ADD message
> Apr 29 15:12:53 Azi racoon: DEBUG2: 02035d03 02000000 c6b05e61 de6e0000
> Apr 29 15:12:53 Azi racoon: ERROR: pfkey ADD failed: Protocol not supported
>
> Long time later, it print "pfkey_open: Operation not permitted".

This means "you're missing at least some parts of IPSec support in
your kernel".....

Yvan.
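
Added example, not part of any post in this thread and not racoon code: the DEBUG2 dumps in the first message are 16-byte PF_KEY v2 base headers (struct sadb_msg, RFC 2367), and decoding them shows which operation and SA type the kernel rejected and with which errno. The function names are hypothetical, the errno table holds Linux values, and little-endian byte order is assumed for the multi-byte fields.

```python
import re
import struct

# RFC 2367 (PF_KEY v2) message and SA types; errno names are Linux values.
SADB_TYPES = {1: "GETSPI", 2: "UPDATE", 3: "ADD", 4: "DELETE", 5: "GET",
              6: "ACQUIRE", 7: "REGISTER", 8: "EXPIRE", 9: "FLUSH", 10: "DUMP"}
SADB_SATYPES = {0: "UNSPEC", 2: "AH", 3: "ESP"}
LINUX_ERRNO = {0: "OK", 1: "EPERM", 3: "ESRCH", 17: "EEXIST", 22: "EINVAL",
               93: "EPROTONOSUPPORT", 95: "EOPNOTSUPP"}

# racoon prints the raw message as groups of four bytes in memory order.
DEBUG2_RE = re.compile(r"racoon: DEBUG2:\s+((?:[0-9a-f]{8}\s*)+)$")

# Log lines quoted from the first message of this thread.
SAMPLE_LOG = """\
Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey UPDATE message
Apr 29 15:12:53 Azi racoon: DEBUG2: 02025d03 02000000 c6b05e61 de6e0000
Apr 29 15:12:53 Azi racoon: ERROR: pfkey UPDATE failed: Protocol not supported
Apr 29 15:12:53 Azi racoon: DEBUG: get pfkey ADD message
Apr 29 15:12:53 Azi racoon: DEBUG2: 02035d03 02000000 c6b05e61 de6e0000
Apr 29 15:12:53 Azi racoon: ERROR: pfkey ADD failed: Protocol not supported
"""

def parse_sadb_msg(hexdump, byteorder="<"):
    """Decode the 16-byte struct sadb_msg base header from a hex dump."""
    raw = bytes.fromhex("".join(hexdump.split()))
    if len(raw) < 16:
        raise ValueError("need at least 16 bytes for struct sadb_msg")
    ver, mtype, err, satype, length, _rsvd, seq, pid = struct.unpack(
        byteorder + "BBBBHHII", raw[:16])
    if ver != 2:
        raise ValueError("not a PF_KEY v2 message (version %d)" % ver)
    return {
        "type": SADB_TYPES.get(mtype, "type %d" % mtype),
        "errno": LINUX_ERRNO.get(err, "errno %d" % err),
        "satype": SADB_SATYPES.get(satype, "satype %d" % satype),
        "length_bytes": length * 8,  # sadb_msg_len counts 64-bit words
        "header_only": length * 8 == 16 == len(raw),  # no extensions follow
        "seq": seq,
        "pid": pid,
    }

def decode_log(text):
    """Return one decoded header per DEBUG2 dump that parses as PF_KEY v2."""
    decoded = []
    for line in text.splitlines():
        match = DEBUG2_RE.search(line.strip())
        if not match:
            continue
        try:
            decoded.append(parse_sadb_msg(match.group(1)))
        except ValueError:
            continue  # DEBUG2 also dumps non-PF_KEY buffers; skip those
    return decoded
```

For the two dumps in this thread the result is an UPDATE and an ADD for SA type ESP, each a bare header carrying errno 93 (EPROTONOSUPPORT), which is the "Protocol not supported" text racoon logs.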
From: Charles L. <lib...@gm...> - 2008-04-29 08:15:40
On Tue, Apr 29, 2008 at 4:06 PM, VANHULLEBUS Yvan <va...@fr...> wrote:
>
> This means "you're missing at least some parts of IPSec support in
> your kernel".....

And my kernel's version:

Linux Azi 2.6.25-rc9-17-pae #1 SMP 2008-04-15 22:54:53 +0200 i686 i686
i386 GNU/Linux

from my lsmod, do you have any idea about it?

>
> Yvan.
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 08:27:55
Charles Li wrote:
> On Tue, Apr 29, 2008 at 4:06 PM, VANHULLEBUS Yvan <va...@fr...> wrote:
>> This means "you're missing at least some parts of IPSec support in
>> your kernel".....
> And my kernel's version:
>
> Linux Azi 2.6.25-rc9-17-pae #1 SMP 2008-04-15 22:54:53 +0200 i686 i686
> i386 GNU/Linux
>
> from my lsmod, do you have any idea about it?

Do you have CRYPTO_AUTHENC enabled? I think there was some breakage in
the build deps around 2.6.25-rc:s.

See:
http://marc.info/?l=linux-netdev&m=120463312216707&w=2

- Timo
From: Charles L. <lib...@gm...> - 2008-04-29 08:47:46
On Tue, Apr 29, 2008 at 4:27 PM, Timo Teräs <tim...@ik...> wrote:
> Charles Li wrote:
> > On Tue, Apr 29, 2008 at 4:06 PM, VANHULLEBUS Yvan <va...@fr...> wrote:
> >> This means "you're missing at least some parts of IPSec support in
> >> your kernel".....
> > And my kernel's version:
> >
> > Linux Azi 2.6.25-rc9-17-pae #1 SMP 2008-04-15 22:54:53 +0200 i686 i686
> > i386 GNU/Linux
> >
> > from my lsmod, do you have any idea about it?
>
> Do you have CRYPTO_AUTHENC enabled? I think there was some breakage in
> the build deps around 2.6.25-rc:s.
>
> See:
> http://marc.info/?l=linux-netdev&m=120463312216707&w=2

Thanks! I'll try it.

> - Timo
>
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Charles L. <lib...@gm...> - 2008-04-29 08:53:28
On Tue, Apr 29, 2008 at 4:27 PM, Timo Teräs <tim...@ik...> wrote:
> Charles Li wrote:
> > On Tue, Apr 29, 2008 at 4:06 PM, VANHULLEBUS Yvan <va...@fr...> wrote:
> >> This means "you're missing at least some parts of IPSec support in
> >> your kernel".....
> > And my kernel's version:
> >
> > Linux Azi 2.6.25-rc9-17-pae #1 SMP 2008-04-15 22:54:53 +0200 i686 i686
> > i386 GNU/Linux
> >
> > from my lsmod, do you have any idea about it?
>
> Do you have CRYPTO_AUTHENC enabled? I think there was some breakage in
> the build deps around 2.6.25-rc:s.
>
> See:
> http://marc.info/?l=linux-netdev&m=120463312216707&w=2

I viewed my kernel source, and found the net/ipv4/Kconfig

config INET_ESP
        tristate "IP: ESP transformation"
        select XFRM
        select CRYPTO
        select CRYPTO_AUTHENC
        select CRYPTO_HMAC
        select CRYPTO_MD5
        select CRYPTO_CBC

so it already have the CRYPTO_AUTHENC flags.

A weird problem, any other idea?

> - Timo
>
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 08:55:13
Charles Li wrote:
> I viewed my kernel source, and found the net/ipv4/Kconfig
> config INET_ESP
>         tristate "IP: ESP transformation"
>         select XFRM
>         select CRYPTO
>         select CRYPTO_AUTHENC
>         select CRYPTO_HMAC
>         select CRYPTO_MD5
>         select CRYPTO_CBC
>
> so it already have the CRYPTO_AUTHENC flags.

How about loading that module? I didn't see it on the lsmod list.

- Timo
From: Charles L. <lib...@gm...> - 2008-04-29 09:00:29
On Tue, Apr 29, 2008 at 4:55 PM, Timo Teräs <tim...@ik...> wrote:
> Charles Li wrote:
> > I viewed my kernel source, and found the net/ipv4/Kconfig
> > config INET_ESP
> >         tristate "IP: ESP transformation"
> >         select XFRM
> >         select CRYPTO
> >         select CRYPTO_AUTHENC
> >         select CRYPTO_HMAC
> >         select CRYPTO_MD5
> >         select CRYPTO_CBC
> >
> > so it already have the CRYPTO_AUTHENC flags.
>
> How about loading that module? I didn't see it on the lsmod list.

after I add esp4, it's still the same issue,

$ lsmod | grep esp
esp4 24576 0
aead 24960 1 esp4

and also I add ah4 for testing, it doesn't work.

> - Timo
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 09:36:53
Charles Li wrote:
> On Tue, Apr 29, 2008 at 4:55 PM, Timo Teräs <tim...@ik...> wrote:
>> Charles Li wrote:
>> > I viewed my kernel source, and found the net/ipv4/Kconfig
>> > config INET_ESP
>> >         tristate "IP: ESP transformation"
>> >         select XFRM
>> >         select CRYPTO
>> >         select CRYPTO_AUTHENC
>> >         select CRYPTO_HMAC
>> >         select CRYPTO_MD5
>> >         select CRYPTO_CBC
>> >
>> > so it already have the CRYPTO_AUTHENC flags.
>>
>> How about loading that module? I didn't see it on the lsmod list.
> after I add esp4, it's still the same issue,
> $ lsmod | grep esp
> esp4 24576 0
> aead 24960 1 esp4
>
> and also I add ah4 for testing, it doesn't work.

modprobe authenc

You did do "make oldconfig" if you used config from older kernel, right?
And do check that authenc.ko exists. Double check that CRYPTO_AUTHENC is
selected in kernel configuration.

- Timo
From: Charles L. <lib...@gm...> - 2008-04-29 10:09:29
On Tue, Apr 29, 2008 at 5:36 PM, Timo Teräs <tim...@ik...> wrote:
>
> Charles Li wrote:
> > On Tue, Apr 29, 2008 at 4:55 PM, Timo Teräs <tim...@ik...> wrote:
> >> Charles Li wrote:
> >> > I viewed my kernel source, and found the net/ipv4/Kconfig
> >> > config INET_ESP
> >> >         tristate "IP: ESP transformation"
> >> >         select XFRM
> >> >         select CRYPTO
> >> >         select CRYPTO_AUTHENC
> >> >         select CRYPTO_HMAC
> >> >         select CRYPTO_MD5
> >> >         select CRYPTO_CBC
> >> >
> >> > so it already have the CRYPTO_AUTHENC flags.
> >>
> >> How about loading that module? I didn't see it on the lsmod list.
> > after I add esp4, it's still the same issue,
> > $ lsmod | grep esp
> > esp4 24576 0
> > aead 24960 1 esp4
> >
> > and also I add ah4 for testing, it doesn't work.
>
> modprobe authenc
>
> You did do "make oldconfig" if you used config from older kernel, right?
> And do check that authenc.ko exists. Double check that CRYPTO_AUTHENC is
> selected in kernel configuration.

charles@Azi:/lib> find . -name authenc.ko
./modules/2.6.25-rc9-17-pae/kernel/crypto/authenc.ko
./modules/2.6.25-rc9-17-default/kernel/crypto/authenc.ko

it already have authenc.ko, so I modprobe this ko,

charles@Azi:~> lsmod | grep auth
authenc 11264 0
aead 12672 1 authenc
auth_rpcgss 47240 1 nfsd
sunrpc 197244 20 nfsd,lockd,nfs_acl,auth_rpcgss
crypto_blkcipher 23940 2 authenc,ecb

still the same problem.
and the same code works fine in openSUSE 10.3, it's kernel is

Linux Gooogle 2.6.22.5-31-default #1 SMP 2007/09/21 22:29:00 UTC i686
i686 i386 GNU/Linux

> - Timo
>
>
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 10:31:52
Charles Li wrote:
> it already have authenc.ko, so I modprobe this ko,
>
> charles@Azi:~> lsmod | grep auth
> authenc 11264 0
> aead 12672 1 authenc
> auth_rpcgss 47240 1 nfsd
> sunrpc 197244 20 nfsd,lockd,nfs_acl,auth_rpcgss
> crypto_blkcipher 23940 2 authenc,ecb
>
> still the same problem.
> and the same code works fine in openSUSE 10.3, it's kernel is
>
> Linux Gooogle 2.6.22.5-31-default #1 SMP 2007/09/21 22:29:00 UTC i686
> i686 i386 GNU/Linux

Which ciphers you are using? Check that the specified ciphers
are enabled in kernel configuration too.

- Timo
From: Charles L. <lib...@gm...> - 2008-04-29 10:38:47
On Tue, Apr 29, 2008 at 6:31 PM, Timo Teräs <tim...@ik...> wrote:
> Charles Li wrote:
> > it already have authenc.ko, so I modprobe this ko,
> >
> > charles@Azi:~> lsmod | grep auth
> > authenc 11264 0
> > aead 12672 1 authenc
> > auth_rpcgss 47240 1 nfsd
> > sunrpc 197244 20 nfsd,lockd,nfs_acl,auth_rpcgss
> > crypto_blkcipher 23940 2 authenc,ecb
> >
> > still the same problem.
> > and the same code works fine in openSUSE 10.3, it's kernel is
> >
> > Linux Gooogle 2.6.22.5-31-default #1 SMP 2007/09/21 22:29:00 UTC i686
> > i686 i386 GNU/Linux
>
> Which ciphers you are using? Check that the specified ciphers
> are enabled in kernel configuration too.

How to set it? :)

> - Timo
>
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Timo T. <tim...@ik...> - 2008-04-29 10:46:48
Charles Li wrote:
> On Tue, Apr 29, 2008 at 6:31 PM, Timo Teräs <tim...@ik...> wrote:
>> Charles Li wrote:
>> > it already have authenc.ko, so I modprobe this ko,
>> >
>> > charles@Azi:~> lsmod | grep auth
>> > authenc 11264 0
>> > aead 12672 1 authenc
>> > auth_rpcgss 47240 1 nfsd
>> > sunrpc 197244 20 nfsd,lockd,nfs_acl,auth_rpcgss
>> > crypto_blkcipher 23940 2 authenc,ecb
>> >
>> > still the same problem.
>> > and the same code works fine in openSUSE 10.3, it's kernel is
>> >
>> > Linux Gooogle 2.6.22.5-31-default #1 SMP 2007/09/21 22:29:00 UTC i686
>> > i686 i386 GNU/Linux
>>
>> Which ciphers you are using? Check that the specified ciphers
>> are enabled in kernel configuration too.
> How to set it? :)

racoon negotiates ciphers based on the configuration in racoon.conf.
There you specify the allowed protocols (in phase2 config sections).
You could also turn more debugging in racoon to see which cipher was
selected.

Make sure kernel has all the ciphers enabled that you enable in
racoon.conf.

- Timo
From: Charles L. <lib...@gm...> - 2008-04-29 11:09:35
On Tue, Apr 29, 2008 at 6:46 PM, Timo Teräs <tim...@ik...> wrote:
>
> racoon negotiates ciphers based on the configuration in racoon.conf.
> There you specify the allowed protocols (in phase2 config sections).
> You could also turn more debugging in racoon to see which cipher was
> selected.
>
> Make sure kernel has all the ciphers enabled that you enable in
> racoon.conf.

Ok, thanks, I'll debug the racoon, and reply you later

> - Timo
>
>

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org
From: Charles L. <lib...@gm...> - 2008-05-07 09:13:47
Hi,

When I enable the ipv6, it works fine. I don't know what's the reason.

And the mode that loaded:

authenc 23552 2
esp4 24704 2
aead 24960 2 authenc,esp4
xfrm6_mode_tunnel 19072 2
xfrm4_mode_tunnel 19840 4

Any one know about it?

Thanks!

--
Sincerely Yours,
Charles Li
http://cn.opensuse.org