Opened 7 years ago

Closed 6 years ago

Last modified 3 years ago

#7164 closed defect (worksforme)

Opennhrp and/or ipsectools package does not seem to install required kernel modules

Reported by: thenighthawk@…
Owned by: developers
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: racoon ipsec-tools opennhrp af_key.ko
Cc: rth@…

Description

Installed Backfire 10.03
Installed opennhrp package
opennhrp installs ipsec-tools as dependency

running opennhrp, fails with message:
libipsec failed pfkey open (Address not supported by protocol)

Research suggests that af_key.ko, ah.ko and esp.ko modules should be present (http://www.linux-ipv6.org/ml/usagi-users/msg02406.html) with this error.

af_key, ah and esp modules not present in /lib/modules

Possibly didn't load with racoon? I see something about af_key in the control file, but not sure how to resolve

Change History (7)

comment:1 Changed 7 years ago by nico

  • Resolution set to fixed
  • Status changed from new to closed

Fixed in [20868], note that you will have to manually install kmod-ipsec4/kmod-ipsec6 to use IPsec over IPv4/IPv6.

comment:2 Changed 7 years ago by thenighthawk@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

Started testing by installing kmod-ipsec4 (only running with ipv4 anyway...)
Fails : setkey commands return

pfkey_open: Address family not supported by protocol

suggestions say "modprobe af_key" - modprobe not present.
/lib/modules/2.6.32.10/ak_key.ko present

Continued attempting to install:
kmod-ipsec and kmod-ipsec6 - no change

Added kmod-crypto-misc - no change

Presently installed:

kmod-crypto-aes
kmod-crypto-arc4
kmod-crypto-core
kmod-crypto-des
kmod-crypto-hmac
kmod-crypto-md5
kmod-crypto-misc
kmod-crypto-sha1
kmod-gre
kmod-ipsec
kmod-ipsec4
kmod-ipsec6

Removed kmod-ipsec, and it removed multiple entries; readded kmod-ipsec4

New entries:
kmod-crypto-aes
kmod-crypto-arc4
kmod-crypto-core
kmod-crypto-des
kmod-crypto-hmac
kmod-crypto-md5
kmod-crypto-sha1
kmod-gre
kmod-ipsec
kmod-ipsec4

Command to check:
setkey -D

pfkey_open: Address family not supported by protocol

comment:3 Changed 7 years ago by anonymous

Progress:

Running insmod af_key before launching setkey -D produces new results:

No SAD entries

I proceeded to insmod esp and ah.

racoon -f /etc/racoon.conf -Fd is now making further progress!

hmac(modp1024)
compression algorithm cannot be checked because sadb message doesn't support it.
getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0
getsainfo pass #2
bind(sockname:/var/racoon/racoon.sock): No such file or directory

Resolved this by creating /var/racoon
mkdir /var/racoon

upon reboot, insmod and mkdir /var/racoon needed to be executed again:

pfkey X_SPDDUMP failed:no such file or directory.

comment:4 Changed 7 years ago by anonymous

Prior to running the racoon, one must initialize the setkey environment:
setkey -f /etc/setkey.conf

my setkey.conf is very simple:

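#!/usr/sbin/setkey -f
# Flush the existing security policy database (SPD)
spdflush;
# Require ESP in transport mode for all GRE traffic, outbound and inbound
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 0.0.0.0/0 gre -P in ipsec esp/transport//require;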

On install, I did not see anything for this.
I have created the file /etc/setkey.conf for this purpose.

racoon -f /etc/racoon.conf -Fd seems to initialize now

however, opennhrp and its related call to racoonctl still seems to be failing:
racoonctl establish-sa -w isakmp inet 10.1.1.33 a.b.c.d (my public side ip)
send:Bad file descriptor
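
Added example (not part of the ticket, the commenters' text or the OpenWrt packages): a preflight check for the prerequisites that comments 3 and 4 found missing, namely the af_key/esp/ah modules, the /var/racoon directory and a loaded policy file. The function names, the default paths as arguments and the accepted module names esp4/ah4/esp6/ah6 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: preflight check for the prerequisites found in comments 3 and 4.
# Paths default to the live system; pass saved copies as arguments to test.

# has_module FILE ERE: succeed if FILE (format of /proc/modules, module name
# in the first field) lists a module whose whole name matches ERE.
has_module() {
    awk -v pat="^($2)\$" '$1 ~ pat { found = 1 } END { exit !found }' "$1" 2>/dev/null
}

# ipsec_preflight [MODULES_FILE] [RACOON_DIR] [SETKEY_CONF]
# Prints one line per missing prerequisite; returns 0 only when none is missing.
ipsec_preflight() {
    modules=${1:-/proc/modules}
    sockdir=${2:-/var/racoon}
    policy=${3:-/etc/setkey.conf}
    rc=0

    # Without af_key the PF_KEY socket cannot be opened (the pfkey_open error).
    has_module "$modules" 'af_key' ||
        { echo "MISSING module af_key"; rc=1; }
    # Assumption: the loaded modules are named esp4/ah4 (IPv4) or esp6/ah6
    # (IPv6); the bare names used in the ticket are accepted as well.
    has_module "$modules" 'esp|esp4|esp6' ||
        { echo "MISSING module esp"; rc=1; }
    has_module "$modules" 'ah|ah4|ah6' ||
        { echo "MISSING module ah"; rc=1; }

    # racoon binds its control socket in this directory (comment 3).
    [ -d "$sockdir" ] ||
        { echo "MISSING directory $sockdir"; rc=1; }

    # The policy file must exist and define at least one policy (comment 4).
    grep -q '^spdadd ' "$policy" 2>/dev/null ||
        { echo "MISSING spdadd policy in $policy"; rc=1; }

    return "$rc"
}
```

Call `ipsec_preflight` with no arguments before starting racoon. An empty SPD means the kernel applies no IPsec policy to the GRE traffic, so the last check matters even when racoon itself starts cleanly.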

comment:5 Changed 7 years ago by nico

Auto-loading of modules from kmod-ipsec, kmod-ipsec4 & kmod-ipsec6 has been fixed in [20893], thanks for spotting this!

comment:6 Changed 6 years ago by nico

  • Resolution set to worksforme
  • Status changed from reopened to closed

comment:7 Changed 3 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
