Discussion:
[Ipsec-tools-devel] Phase 2 failure (pfkey) Protocol Not Supported
Ronan Mullally
2009-09-29 11:34:11 UTC
Hi,

I've tried this on the ipsec-tools-users list but got no response.

I'm trying to set up an IPSEC tunnel from an OpenWRT box (2.6.28.10) to a
cisco router. Phase 1 goes fine, Phase 2 dies with:

...
2009-09-24 18:54:02: DEBUG: KEYMAT computed.
2009-09-24 18:54:02: DEBUG: call pk_sendupdate
2009-09-24 18:54:02: DEBUG: encryption(des)
2009-09-24 18:54:02: DEBUG: hmac(md5)
2009-09-24 18:54:02: DEBUG: call pfkey_send_update2
2009-09-24 18:54:02: DEBUG: pfkey update sent.
2009-09-24 18:54:02: DEBUG: encryption(des)
2009-09-24 18:54:02: DEBUG: hmac(md5)
2009-09-24 18:54:02: DEBUG: call pfkey_send_add2 (NAT flavor)
2009-09-24 18:54:02: DEBUG: call pfkey_send_add2
2009-09-24 18:54:02: DEBUG: pfkey add sent.
2009-09-24 18:54:02: DEBUG: pk_recv: retry[0] recv()
2009-09-24 18:54:02: DEBUG: get pfkey UPDATE message
* 2009-09-24 18:54:02: ERROR: pfkey UPDATE failed: Protocol not supported
2009-09-24 18:54:02: DEBUG: pk_recv: retry[0] recv()
2009-09-24 18:54:02: DEBUG: get pfkey ADD message
* 2009-09-24 18:54:03: ERROR: pfkey ADD failed: Protocol not supported
2009-09-24 18:54:32: ERROR: 94.199.225.134 give up to get IPsec-SA due to time up to wait.
2009-09-24 18:54:32: DEBUG: IV freed
2009-09-24 18:54:32: DEBUG: pk_recv: retry[0] recv()
2009-09-24 18:54:32: DEBUG: get pfkey EXPIRE message
2009-09-24 18:54:32: INFO: IPsec-SA expired: ESP/Tunnel 1.2.3.4[0]->4.5.6.7[0] spi=69502535(0x4248647)
2009-09-24 18:54:32: DEBUG: no such a SA found: ESP/Tunnel 1.2.3.4[0]->4.5.6.7[0] spi=69502535(0x4248647)

I've tried this on an OpenWRT box running 2.6.28.10. I've tried it on a
Debian Lenny box running 2.6.26.2 to double check and had the same
problem. I've upgraded the OpenWRT box to 2.6.30.8 to no avail.
Everything works fine on a Ubuntu 9.04 server running 2.6.28-15-server, so
I know my racoon / setkey config works.

I've tried loading various modules (esp4 (obviously!),
xfrm4_mode_tunnel.ko, etc) on the OpenWRT box and get slightly different
failure modes depending on the modules loaded:

2009-09-25 18:18:39: DEBUG: get pfkey UPDATE message
* 2009-09-25 18:18:39: ERROR: pfkey UPDATE failed: No such file or directory
2009-09-25 18:18:39: DEBUG: pk_recv: retry[0] recv()
2009-09-25 18:18:39: DEBUG: get pfkey ADD message
* 2009-09-25 18:18:39: ERROR: pfkey ADD failed: No such file or directory

2009-09-25 19:15:01: DEBUG: hash validated.
2009-09-25 19:15:01: DEBUG: begin.
2009-09-25 19:15:01: DEBUG: seen nptype=8(hash)
2009-09-25 19:15:01: DEBUG: seen nptype=12(delete)
2009-09-25 19:15:01: DEBUG: succeed.
2009-09-25 19:15:01: DEBUG: delete payload for protocol ESP
2009-09-25 19:15:01: DEBUG: call pfkey_send_dump
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: discarding non-sadb dump msg 0x4a1338, our pid=4773
2009-09-25 19:15:01: DEBUG: type 1, pid 4773
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: purged SAs.
2009-09-25 19:15:01: DEBUG: pk_recv: retry[0] recv()
2009-09-25 19:15:01: DEBUG: pk_recv: retry[1] recv()
2009-09-25 19:15:01: DEBUG: pk_recv: retry[2] recv()
* 2009-09-25 19:15:01: ERROR: failed to recv from pfkey (Resource temporarily unavailable)

I've seen a thread on this list (or the devel one) saying that loading
ipv6 or esp4 solve the problem, but not for me. I've tried numerous
variations and had no luck. At this stage I think I'm nearly there, but
missing something (probably) obvious.

Can anybody shed any light on the problem? I've been trying to get to the
bottom of it for a couple of days but have run out of ideas.

Thanks in advance,


-Ronan
Timo Teräs
2009-10-01 05:49:19 UTC
Post by Ronan Mullally
I've tried this on an OpenWRT box running 2.6.28.10. I've tried it on a
Debian Lenny box running 2.6.26.2 to double check and had the same
problem. I've upgraded the OpenWRT box to 2.6.30.8 to no avail.
Everything works fine on a Ubuntu 9.04 server running 2.6.28-15-server, so
I know my racoon / setkey config works.
I've tried loading various modules (esp4 (obviously!),
xfrm4_mode_tunnel.ko, etc) on the OpenWRT box and get slightly different
Sounds definitely like you are missing modules. I guess your modprobe
configuration is not right. My guess is that you first need esp4 etc.
Then you need all the kernel mode encryption algorithms loaded. Make
sure lsmod lists all the algorithms you are using for your IPsec SA.

- Timo
Ronan Mullally
2009-10-01 17:53:06 UTC
Hi Timo,
Post by Timo Teräs
Sounds definitely like you are missing modules. I guess your modprobe
configuration is not right. My guess is that you first need esp4 etc.
Then you need all the kernel mode encryption algorithms loaded. Make
sure lsmod lists all the algorithms you are using for your IPsec SA.
Modprobe unfortunately isn't an option on the version of OpenWRT I'm
running. Modules are loaded individually.

Ignoring the various iptables / PPP / etc modules, I've got the following in
place:

ah4 3200 0
sha1_generic 1520 0
md5 4432 0
hmac 2752 0
des_generic 18688 0
arc4 816 0
aes_generic 28832 0
deflate 1376 0
ecb 1312 0
cbc 2000 0
esp4 4384 0
af_key 27280 2

The Racoon Phase 2 config is:

lifetime time 14400 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;

Having IPv6 loaded or unloaded makes no difference.

The only oddity I can see is the compression algorithm - the cisco end of
things isn't doing compression. That said, I'm running similar config on
a couple of other devices and it's not a problem.

The results of the above are consistently:

2009-10-01 16:58:29: ERROR: pfkey UPDATE failed: Protocol not supported
2009-10-01 16:58:29: ERROR: pfkey ADD failed: Protocol not supported

When I insmod xfrm4_mode_tunnel that changes to:

2009-10-01 17:13:10: ERROR: pfkey UPDATE failed: No such file or directory
2009-10-01 17:13:10: ERROR: pfkey ADD failed: No such file or directory

Are there any further modules I need?


-Ronan
Timo Teräs
2009-10-01 18:21:01 UTC
Post by Ronan Mullally
Post by Timo Teräs
Sounds definitely like you are missing modules. I guess your modprobe
configuration is not right. My guess is that you first need esp4 etc.
Then you need all the kernel mode encryption algorithms loaded. Make
sure lsmod lists all the algorithms you are using for your IPsec SA.
Modprobe unfortunately isn't an option on the version of OpenWRT I'm
running. Modules are loaded individually.
Well that's the problem then. Normally kernel calls modprobe to
autoload required modules. If modprobe is broken, you need special
care to ensure everything is in.
Post by Ronan Mullally
Ignoring the various iptables / PPP / etc modules, I've got the following in
ah4 3200 0
sha1_generic 1520 0
md5 4432 0
hmac 2752 0
des_generic 18688 0
arc4 816 0
aes_generic 28832 0
deflate 1376 0
ecb 1312 0
cbc 2000 0
esp4 4384 0
af_key 27280 2
lifetime time 14400 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
Having IPv6 loaded or unloaded makes no difference.
The only oddity I can see is the compression algorithm - the cisco end of
things isn't doing compression. That said, I'm running similar config on
a couple of other devices and it's not a problem.
Maybe it would be an idea to do 'lsmod' on the working system and check
what it uses.
Post by Ronan Mullally
2009-10-01 16:58:29: ERROR: pfkey UPDATE failed: Protocol not supported
2009-10-01 16:58:29: ERROR: pfkey ADD failed: Protocol not supported
2009-10-01 17:13:10: ERROR: pfkey UPDATE failed: No such file or directory
2009-10-01 17:13:10: ERROR: pfkey ADD failed: No such file or directory
Are there any further modules I need?
Try one or more of the following:
xfrm4_mode_transport
xfrm4_mode_tunnel
xcbc
authenc
deflate
zlib_deflate

- Timo
Ronan Mullally
2009-10-02 09:15:55 UTC
Hi Timo,
Post by Timo Teräs
Well that's the problem then. Normally kernel calls modprobe to
autoload required modules. If modprobe is broken, you need special
care to ensure everything is in.
Modprobe isn't broken, it's just not there. With 8MB of flash available
there's very limited space.

I'd been relying on the package manager to pull in the right dependencies,
but it's clear that's not the case.
Post by Timo Teräs
xfrm4_mode_transport
xfrm4_mode_tunnel
xcbc
authenc
deflate
zlib_deflate
Thanks for the pointers. After trial, error and much re-compiling it
turns out the missing modules I need are:

authenc
ah4
esp4 (already known)
xfrm4_mode_tunnel

These either aren't pulled in by the package manager, or aren't loaded by
the standard boot scripts.

Thanks again for your help.


-Ronan
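
Added example, not part of the thread and not code from ipsec-tools or OpenWRT: a POSIX shell script for a box like the one above (insmod only, no modprobe, so the kernel cannot autoload anything) that turns a racoon phase-2 proposal into the modules it needs, reports which are absent from /proc/modules and /proc/crypto (Timo's "make sure lsmod lists all the algorithms" check, done mechanically), insmods the rest in dependency order, and reproduces racoon's pfkey ADD with a throwaway manual SA through setkey so the errno shows up without running IKE. The errno reading it relies on: in the 2.6.2x xfrm code, EPROTONOSUPPORT ("Protocol not supported") is what xfrm_init_state returns when the xfrm type or mode is not registered (esp4, xfrm4_mode_tunnel), and ENOENT ("No such file or directory") is what the crypto API returns when it cannot resolve the instantiated name, here authenc(hmac(md5),cbc(des)), which is why authenc was the last missing piece in Ronan's list. Assumptions: the module names match what the thread's lsmod shows; the ipcomp entry for deflate is an assumption (IPComp is a separate SA type and is not negotiated in this thread); the addresses, SPI and keys in probe_sa are constructed placeholders; the script name ipsec-mods.sh is hypothetical.

```sh
#!/bin/sh
# Added example for this thread, not code from ipsec-tools or OpenWRT.
# Target: a 2.6.2x kernel with insmod but no modprobe, so modules have to be
# fed in by hand, in dependency order.

# racoon algorithm name -> primitive the kernel crypto API must resolve;
# registered primitives appear in /proc/crypto as "name : <primitive>".
crypto_for() {
    case "$1" in
        des)       echo des ;;
        aes)       echo aes ;;
        hmac_md5)  echo md5 ;;
        hmac_sha1) echo sha1 ;;
        deflate)   echo deflate ;;
        *) echo "unknown algorithm: $1" >&2; return 1 ;;
    esac
}

# racoon name, protocol or mode keyword -> modules to insmod, in order.
# Templates (cbc, hmac, authenc) are never listed in /proc/crypto on their
# own, only as instantiated names like authenc(hmac(md5),cbc(des)), so they
# are tracked by module name.  The ipcomp entry for deflate is an assumption.
modules_for() {
    case "$1" in
        des)       echo "des_generic cbc" ;;
        aes)       echo "aes_generic cbc" ;;
        hmac_md5)  echo "md5 hmac" ;;
        hmac_sha1) echo "sha1_generic hmac" ;;
        deflate)   echo "zlib_deflate deflate ipcomp" ;;
        esp)       echo "af_key esp4 authenc" ;;
        ah)        echo "af_key ah4" ;;
        tunnel)    echo "xfrm4_mode_tunnel" ;;
        transport) echo "xfrm4_mode_transport" ;;
        *) echo "unknown keyword: $1" >&2; return 1 ;;
    esac
}

# Ordered, de-duplicated module list for a proposal, e.g.
#   required_modules esp tunnel des hmac_md5
required_modules() {
    out=""
    for kw in "$@"; do
        mods=$(modules_for "$kw") || return 1
        for m in $mods; do
            case " $out " in *" $m "*) ;; *) out="$out $m" ;; esac
        done
    done
    echo "${out# }"
}

# stdin: /proc/modules.  Prints the modules from $1 that are not loaded.  A
# module built into the kernel never appears there, so verify rather than fail.
missing_modules() {
    loaded=$(awk '{ print $1 }')
    for m in $1; do
        printf '%s\n' "$loaded" | grep -qx "$m" || echo "$m"
    done
}

# stdin: /proc/crypto.  Prints the primitives from $1 the crypto API cannot
# resolve; an unresolvable name is what comes back as ENOENT on pfkey ADD.
missing_crypto() {
    names=$(awk '$1 == "name" { print $3 }')
    for p in $1; do
        printf '%s\n' "$names" | grep -qx "$p" || echo "$p"
    done
}

# insmod each missing module; insmod resolves no dependencies, which is why
# the order produced by modules_for matters.
load_missing() {
    rel=$(uname -r)
    for m in $(missing_modules "$1" < /proc/modules); do
        path=$(find "/lib/modules/$rel" -name "$m.ko" | head -n 1)
        [ -n "$path" ] || { echo "no $m.ko under /lib/modules/$rel" >&2; return 1; }
        insmod "$path"
    done
}

# Reproduce racoon's pfkey ADD for the thread's proposal (ESP, tunnel, des,
# hmac_md5) as a manual SA, then remove it.  Addresses, SPI and keys are
# constructed placeholders; the error string is the point.
probe_sa() {
    rc=0
    setkey -c <<'EOF' || rc=$?
add 10.0.0.1 10.0.0.2 esp 0x1000 -m tunnel -E des-cbc 0x0123456789abcdef
    -A hmac-md5 0x00112233445566778899aabbccddeeff;
EOF
    setkey -c 2>/dev/null <<'EOF' || true
delete 10.0.0.1 10.0.0.2 esp 0x1000;
EOF
    return "$rc"
}

# sh ipsec-mods.sh check esp tunnel des hmac_md5 | load esp tunnel des hmac_md5 | probe
case "${1-}" in
    check)
        shift; mods=$(required_modules "$@") || exit 1; prims=""
        for kw in "$@"; do p=$(crypto_for "$kw" 2>/dev/null) && prims="$prims $p"; done
        echo "modules needed:       $mods"
        echo "not in /proc/modules: $(missing_modules "$mods" < /proc/modules | tr '\n' ' ')"
        echo "not in /proc/crypto:  $(missing_crypto "$prims" < /proc/crypto | tr '\n' ' ')"
        ;;
    load)  shift; mods=$(required_modules "$@") || exit 1; load_missing "$mods" ;;
    probe) probe_sa ;;
esac
```

Run it as root on the box: `check` first, then `load`, then `probe`. Ronan's final list (authenc, ah4, esp4, xfrm4_mode_tunnel) is what `required_modules esp ah tunnel des hmac_md5` yields once the primitives his lsmod already showed (des_generic, md5, hmac, cbc, af_key) are subtracted. If `probe` succeeds, the kernel accepts an SA with exactly those algorithms and any remaining racoon failure lies elsewhere. Single DES and HMAC-MD5 appear here only because they are the proposal in the thread; the same check applies unchanged to the aes and hmac_sha1 mappings.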

Ronan Mullally
2009-10-01 15:21:42 UTC
Folks,

Has anybody got any pointers on this? I've run out of ideas and could
do with a few suggestions.


-Ronan