
Hi there, I have a problem with the Digi ccimx6ul (embedded Linux, Yocto Project) when I start IPsec using strongSwan. I get the following error:

P/S: I have run IPsec successfully like this on Ubuntu 18.04, but on the Digi ccimx6ul with Linux 4.14 it errors. Please help me... thank you.

Starting strongSwan 5.7.1 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 4.14.141-dey+g0f5a740ab5b8, armv7l)
00[KNL] unable to create netlink socket: Protocol not supported (93)
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not supported (95)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not supported (95)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for vpn
00[LIB] failed to load 1 critical plugin feature
00[DMN] initialization failed - aborting charon
00[KNL] received netlink error: Operation not supported (95)
00[KNL] received netlink error: Operation not supported (95)
charon has quit: initialization failed
charon refused to be started
ipsec starter stopped

file ipsec.conf

config setup

conn ikev2-rw
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    right=192.168.234.146
    # This should match the `leftid` value on your server's configuration
    rightid=192.168.234.146
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpn
    leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start

file ipsec.secrets

vpn : EAP "vpn"

Listing of /etc/strongswan.d/charon (ls):

root@ccimx6ulstarter:/etc/strongswan.d/charon# ls
aes.conf              md5.conf              revocation.conf
attr.conf             nonce.conf            sha1.conf
cmac.conf             openssl.conf          sha2.conf
constraints.conf      pem.conf              socket-default.conf
curl.conf             pgp.conf              sqlite.conf
curve25519.conf       pkcs1.conf            sshkey.conf
des.conf              pkcs12.conf           stroke.conf
dnskey.conf           pkcs7.conf            updown.conf
gmp.conf              pkcs8.conf            vici.conf
hmac.conf             pubkey.conf           x509.conf
random.conf           xauth-generic.conf    resolve.conf
kernel-netlink.conf   rc2.conf              xcbc.conf     

strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}


  • file strongswan.bb https://git.congatec.com/yocto/meta-openembedded/blob/1dbb1ff9b15e42ace9ac12c8e0630b9e520e17cd/meta-networking/recipes-support/strongswan/strongswan_5.3.2.bb – Quang Anh Trần Đỗ Jan 07 '20 at 04:24

1 Answer

Your problem is at a kernel level:

00[KNL] unable to create netlink socket: Protocol not supported (93)
00[KNL] received netlink error: Operation not supported (95)

Probably you are missing the xfrm_* kernel modules. You can try, e.g.:

modprobe xfrm_user

but it will probably fail.

You need to recompile the kernel with the list of required kernel modules from StrongSwan's wiki.

Piotr P. Karwasz
  • Hi Piotr, where is xfrm_* and how do I try with "modprobe xfrm_user"? Also, I think I have configured the complete set of modules from strongSwan's; can you tell me clearly? Thanks – Quang Anh Trần Đỗ Dec 31 '19 at 05:01
  • By `xfrm_*` I mean all kernel modules whose name starts with `xfrm`, as in the [link I provided](https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules). Normally they are loaded automatically, but you can try `modprobe` in a console. Most probably you need to recompile the kernel with those modules: to save space they were not compiled into the kernel. – Piotr P. Karwasz Dec 31 '19 at 05:34
  • Thanks for the support, I have had some success but I have a problem: server requested EAP_IDENTITY (id 0x00), sending 'vpn' EAP_IDENTITY not supported, sending EAP_NAK. I know the kernel is missing a plugin. Do you have any idea? – Quang Anh Trần Đỗ Jan 02 '20 at 03:41
  • That is not a kernel error, but strongswan's. You are missing some [strongswan plugin](https://wiki.strongswan.org/projects/strongswan/wiki/PluginList), depending on your configuration. On embedded distributions like **OpenWRT** each plugin is in a separate package to save space on the device. – Piotr P. Karwasz Jan 02 '20 at 05:37
  • I know, and I tried to find a recipe on Yocto but none exists; how do I install plugin-eap-mschapv2 (libcharon-extra-plugins) on Yocto? I have posted the file strongswan.bb below – Quang Anh Trần Đỗ Jan 06 '20 at 04:29
  • file strongswan.bb : https://github.com/openembedded/meta-openembedded/blob/master/meta-networking/recipes-support/strongswan/strongswan_5.8.2.bb – Quang Anh Trần Đỗ Jan 07 '20 at 09:24
  • Any ideas to help me, please – Quang Anh Trần Đỗ Jan 10 '20 at 08:54
  • I have no experience with Yocto. – Piotr P. Karwasz Jan 10 '20 at 10:24
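A check for the kernel side of this failure, added here as an example and not part of the answer or of strongSwan: it reads a kernel `.config` (or `/proc/config.gz`) and reports which of the XFRM-related options from strongSwan's KernelModules wiki are absent, so the netlink errors in the log can be confirmed before rebuilding the Yocto kernel. The sample config and the `count_missing` helper are constructed for the example.

```shell
# Added example (not from the answer): check a kernel .config or /proc/config.gz for
# the XFRM/netlink options charon needs. The list is the subset of strongSwan's
# KernelModules wiki that this log exercises: CONFIG_XFRM_USER is the NETLINK_XFRM
# socket ("Protocol not supported (93)"), CONFIG_IP(V6)_MULTIPLE_TABLES the routing
# table rules, CONFIG_NET_KEY the PF_KEY socket the starter probes, CONFIG_INET_ESP/
# AH/IPCOMP and INET_XFRM_MODE_TUNNEL the transforms, XT_MATCH_POLICY the _updown rule.
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_IP_MULTIPLE_TABLES
CONFIG_IPV6_MULTIPLE_TABLES CONFIG_INET_ESP CONFIG_INET_AH CONFIG_INET_IPCOMP
CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_NETFILTER_XT_MATCH_POLICY"

# Emit a kernel config on stdout, whether gzipped (/proc/config.gz) or plain.
read_kconfig() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print every required option that is neither built in (=y) nor a module (=m).
# Exit status: 0 all present, 1 something missing, 2 config unreadable.
check_xfrm_config() {
    cfg="${1:-/proc/config.gz}"
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg: enable CONFIG_IKCONFIG_PROC or pass the build's .config" >&2
        return 2
    fi
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! read_kconfig "$cfg" | grep -Eq "^${opt}=[ym]$"; then
            echo "missing: $opt"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Number of missing options, handy as a build-time sanity check in a Yocto task.
count_missing() { check_xfrm_config "$1" | grep -c '^missing:'; }
# Constructed sample: a size-trimmed embedded config with XFRM userspace, the IPv6
# policy-routing table and IPCOMP left out, as the answer suspects. Expect 3 missing.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_INET=y
CONFIG_NET_KEY=m
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_ESP=m
CONFIG_INET_AH=m
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_NETFILTER_XT_MATCH_POLICY=m
EOF
```

On the device, `check_xfrm_config` with no argument reads `/proc/config.gz`, which is only there when the kernel was built with CONFIG_IKCONFIG_PROC; otherwise pass the `.config` from the Yocto kernel build directory.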