+1 vote
729 views 2 comments
by anonymous

Hi,

Any IPSEC connection is not connecting on RUTX11 with up-to-date firmware. You can see the kernel errors here:

Tue Nov  5 22:31:01 2019 daemon.info ipsec: 06[CFG] received stroke: add connection 'peer-LTE01MGMT-tunnel-0'
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 06[CFG] added configuration 'peer-LTE01MGMT-tunnel-0'
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 07[CFG] received stroke: initiate 'peer-LTE01MGMT-tunnel-0'
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 07[IKE] initiating IKE_SA peer-LTE01MGMT-tunnel-0[1] to 1.2.3.4
Tue Nov  5 22:31:01 2019 authpriv.info ipsec: 07[IKE] initiating IKE_SA peer-LTE01MGMT-tunnel-0[1] to 1.2.3.4
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 07[NET] sending packet: from 2.3.4.5[500] to 1.2.3.4[500] (398 bytes)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[NET] received packet: from 1.2.3.4[500] to 2.3.4.5[500] (400 bytes)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[IKE] authentication of 'LTE01MGMT' (myself) with pre-shared key
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[IKE] establishing CHILD_SA peer-LTE01MGMT-tunnel-0{1}
Tue Nov  5 22:31:01 2019 authpriv.info ipsec: 08[IKE] establishing CHILD_SA peer-LTE01MGMT-tunnel-0{1}
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 08[NET] sending packet: from 2.3.4.5[4500] to 1.2.3.4[4500] (368 bytes)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[NET] received packet: from 1.2.3.4[4500] to 2.3.4.5[4500] (352 bytes)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[IKE] authentication of 'AR-DUS01-01' with pre-shared key successful
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[IKE] IKE_SA peer-LTE01MGMT-tunnel-0[1] established between 2.3.4.5[LTE01MGMT]...1.2.3.4[AR-DUS01-01]
Tue Nov  5 22:31:01 2019 authpriv.info ipsec: 11[IKE] IKE_SA peer-LTE01MGMT-tunnel-0[1] established between 2.3.4.5[LTE01MGMT]...1.2.3.4[AR-DUS01-01]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[KNL] received netlink error: Function not implemented (38)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[KNL] unable to add SAD entry with SPI cb8806fc (FAILED)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[KNL] received netlink error: Function not implemented (38)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[KNL] unable to add SAD entry with SPI c3db2ffb (FAILED)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[IKE] failed to establish CHILD_SA, keeping IKE_SA
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[IKE] peer supports MOBIKE
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[IKE] sending DELETE for ESP CHILD_SA with SPI cb8806fc
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[ENC] generating INFORMATIONAL request 2 [ D ]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 11[NET] sending packet: from 2.3.4.5[4500] to 1.2.3.4[4500] (96 bytes)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 09[NET] received packet: from 1.2.3.4[4500] to 2.3.4.5[4500] (96 bytes)
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 09[ENC] parsed INFORMATIONAL response 2 [ D ]
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 09[KNL] deleting policy 172.16.22.15/32 === 100.64.60.0/24 in failed, not found
Tue Nov  5 22:31:01 2019 daemon.info ipsec: 09[KNL] deleting policy 172.16.22.15/32 === 100.64.60.0/24 fwd failed, not found

xfrm and enc modules are correctly loaded:

xfrm_algo              16384  7 esp6,ah6,esp4,ah4,af_key,xfrm_user,xfrm_ipcomp
xfrm_ipcomp            16384  2 ipcomp6,ipcomp
xfrm_user              32768  2
xfrm4_mode_beet        16384  0
xfrm4_mode_transport   16384  0
xfrm4_mode_tunnel      16384  0
xfrm4_tunnel           16384  0
xfrm6_mode_beet        16384  0
xfrm6_mode_transport   16384  0
xfrm6_mode_tunnel      16384  0
xfrm6_tunnel           16384  1 ipcomp

...

authenc                16384  0

This is also strange, some packages are missing kernel modules:

root@lte01:~# opkg files kmod-crypto-rng
Package kmod-crypto-rng (4.14.131-1) is installed on root and has the following files:
/etc/modules.d/09-crypto-rng
root@lte01:~# opkg files kmod-crypto-iv
Package kmod-crypto-iv (4.14.131-1) is installed on root and has the following files:
/etc/modules.d/10-crypto-iv

Please let me know when this will be addressed, as IPSEC is unusable on RUTX11. I'm willing to test a beta firmware.

Thanks.

Cheers,

stardust

1 Answer

0 votes
by anonymous
Hello,

Looks like the kernel is missing the sha512 module. Try to install:

opkg install kmod-crypto-sha512 --force-depends

and let me know if it works.
Best answer
by anonymous

Hi,

thanks. Unfortunately it does not seem to work:

# opkg install kmod-crypto-sha512 --force-depends
Installing kmod-crypto-sha512 (4.14.131-1) to root...
Downloading http://downloads.openwrt.org/releases/18.06.4/targets/ipq40xx/generic/packages/kmod-crypto-sha512_4.14.131-1_arm_cortex-a7_neon-vfpv4.ipk
Configuring kmod-crypto-sha512.
Collected errors:
 * satisfy_dependencies_for: Cannot satisfy the following dependencies for kmod-crypto-sha512:
 *     kernel (= 4.14.131-1-010b32e6fa40a9fbb80e18acebab96c4)

by anonymous
Okay, now it's working. I did a fresh install, restored the backup, then opkg update, opkg install kmod-crypto-sha512 --force-depends and ipsec restart. Now it works.

I'll open a separate thread for RMS not connecting properly.
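
The diagnosis in the answer (an ESP proposal using HMAC_SHA2_512_256 followed by netlink error 38) can be checked mechanically by comparing the selected proposal against the algorithms registered in /proc/crypto. The script below is an added example, not part of the original thread or the vendor's tooling; the function names, the token-to-kernel-name mapping and the sample data are assumptions constructed for illustration, and it checks only the base cipher or hash name.

```shell
#!/bin/sh
# Added example: find which kernel crypto algorithm a failed CHILD_SA needed.
# Sample data below is constructed to mirror the log lines in the thread.

# Map a strongSwan proposal token to its base name in /proc/crypto (assumed mapping).
kernel_alg() {
    case "$1" in
        AES_CBC_*)       echo aes ;;
        HMAC_SHA1_*)     echo sha1 ;;
        HMAC_SHA2_256_*) echo sha256 ;;
        HMAC_SHA2_384_*) echo sha384 ;;
        HMAC_SHA2_512_*) echo sha512 ;;
    esac
}

# Print the ESP proposal selected just before the first netlink error 38 (ENOSYS).
failed_esp_proposal() {
    awk '/selected proposal: ESP:/ { sub(/.*ESP:/, ""); prop = $0 }
         /netlink error: Function not implemented \(38\)/ && prop != "" { print prop; exit }' "$1"
}

# Print the algorithms of that proposal that are not registered in the kernel.
missing_algs() {
    log=$1; proc=$2; missing=""
    old_ifs=$IFS; IFS=/
    set -- $(failed_esp_proposal "$log")   # split the proposal on "/"
    IFS=$old_ifs
    for tok in "$@"; do
        alg=$(kernel_alg "$tok")
        [ -n "$alg" ] || continue          # skip tokens such as NO_EXT_SEQ
        grep -Eq "^name[[:space:]]*:[[:space:]]*$alg\$" "$proc" || missing="$missing $alg"
    done
    echo "${missing# }"
}

SAMPLE_LOG=$(mktemp); SAMPLE_PROC=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
ipsec: 11[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_512_256/NO_EXT_SEQ
ipsec: 11[KNL] received netlink error: Function not implemented (38)
ipsec: 11[KNL] unable to add SAD entry with SPI cb8806fc (FAILED)
EOF
printf 'name         : %s\n' aes sha1 sha256 > "$SAMPLE_PROC"   # constructed: no sha512

echo "not registered in kernel: $(missing_algs "$SAMPLE_LOG" "$SAMPLE_PROC")"
# On the router: logread > /tmp/ipsec.log; missing_algs /tmp/ipsec.log /proc/crypto
```

An empty result means every mapped algorithm of the failed proposal is registered, so the cause of the error lies elsewhere.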