  1. OpenVZ
  2. OVZ-6549

IPSec not working


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Fix Version/s: OpenVZ-legacy
    • Component/s: Containers::Kernel
    • Security Level: Public
    • Environment:
      RHEL6

      Description

      A user has reported that IPSec with strongSwan is not working. We've tried the 108.x and 111.12 kernels, without luck. All required modules are loaded, and the NET_ADMIN capability is allowed for the given CT.

      Oct 05 22:29:52 vps charon[13170]: 09[KNL] received netlink error: Protocol not supported (93)
      Oct 05 22:29:52 vps charon[13170]: 09[KNL] unable to add SAD entry with SPI cc798fc6
      Oct 05 22:29:52 vps charon[13170]: 09[KNL] received netlink error: Protocol not supported (93)
      Oct 05 22:29:52 vps charon[13170]: 09[KNL] unable to add SAD entry with SPI c34bd13c
      Oct 05 22:29:52 vps charon[13170]: 09[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
      Oct 05 22:29:52 vps charon[13170]: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA


      [root@node4.prg.vpsfree.cz]
        ~ # lsmod | grep xfrm
      xfrm6_mode_tunnel 1915 0
      xfrm4_mode_tunnel 2011 0
      ipv6 339829 5585 xfrm6_mode_tunnel,esp6,ip6table_mangle,ip6t_REJECT,vzrst,vzcpt,ip6_queue,nf_conntrack_ipv6,nf_defrag_ipv6,bonding
      [root@node4.prg.vpsfree.cz]
        ~ # lsmod | grep esp
      esp6 4987 0
      esp4 5398 0
      ipv6 339829 5619 xfrm6_mode_tunnel,esp6,ip6table_mangle,ip6t_REJECT,vzrst,vzcpt,ip6_queue,nf_conntrack_ipv6,nf_defrag_ipv6,bonding
      [root@node4.prg.vpsfree.cz]
        ~ # lsmod | grep af_key
      af_key 30067 0
      [root@node4.prg.vpsfree.cz]
        ~ # cat /etc/vz/conf/4387.conf | grep CAP
      CAPABILITY=" NET_ADMIN:on"
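
      For triaging charon logs like the one above, the following added example (not part of the original report and not OpenVZ or strongSwan code) pairs each netlink error with the SAD entry it blocked and names the errno. The function names are hypothetical, the errno table holds standard Linux values, and the sample is the log from this report, wrapped as it appears in mail-quoted form.

```python
import re

# Standard Linux errno values; charon prints the kernel's errno in parentheses.
LINUX_ERRNO = {1: "EPERM", 22: "EINVAL", 93: "EPROTONOSUPPORT",
               95: "EOPNOTSUPP", 97: "EAFNOSUPPORT"}
LINE = re.compile(r"^\w{3} \d{2} [\d:]{8} \S+ charon\[\d+\]: "
                  r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
NETLINK = re.compile(r"received netlink error: .*\((\d+)\)")
SAD = re.compile(r"unable to add SAD entry with SPI ([0-9a-f]+)")

# Log lines from the report, hard-wrapped mid-record.
SAMPLE = """\
Oct 05 22:29:52 vps charon[13170]: 09[KNL] received netlink error:
Protocol not supported (93)
Oct 05 22:29:52 vps charon[13170]: 09[KNL] unable to add SAD entry with
SPI cc798fc6
Oct 05 22:29:52 vps charon[13170]: 09[KNL] received netlink error:
Protocol not supported (93)
Oct 05 22:29:52 vps charon[13170]: 09[KNL] unable to add SAD entry with
SPI c34bd13c
"""

def unwrap(text):
    """Rejoin hard-wrapped continuation lines onto their log record."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if LINE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of a wrapped record
    return records

def failed_sas(text):
    """Return [(spi, errno, name)] for each SAD install the kernel rejected."""
    pending, out = {}, []  # pending: thread id -> last netlink errno seen
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m or m["sub"] != "KNL":
            continue
        err, sad = NETLINK.search(m["msg"]), SAD.search(m["msg"])
        if err:
            pending[m["thread"]] = int(err.group(1))
        elif sad and m["thread"] in pending:
            code = pending.pop(m["thread"])
            out.append((sad.group(1), code, LINUX_ERRNO.get(code, "UNKNOWN")))
    return out

if __name__ == "__main__":
    for spi, code, name in failed_sas(SAMPLE):
        print(f"SPI {spi}: kernel rejected SA install with {name} ({code})")
```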


            People

            Assignee:
            khorenko Konstantin Khorenko
            Reporter:
            snajpa Pavel Snajdr
