Strongswan IPsec failure / Kernel 4.x availability?

AndreasK · 29 December 2018 14:24

Hi,

when I try to start IPsec service on Vero 4K it tells me right before the service is failing:

ipsec start
Starting strongSwan 5.5.1 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

Same configuration on Raspi with OSMC installed works like a charm. Thus assuming this is likely related to the backported 3.x kernel. If yes, is there a workaround available or is this going to be fixed with the 4.x kernel?

Thx a lot!
Andreas

Tom_Doyle · 29 December 2018 15:22

Hi,

Possibly stupid question here, but from some googling; this error message is quite common and normally safe to ignore.

How else have you confirmed that the ipsec tunnel is not up?

if you issue:

curl ipinfo.io/ip

Are you getting the ip provided by your ISP or the VPN one?

Thanks Tom.

AndreasK · 29 December 2018 16:27

Unfortunately the problem seems to be more general. systemctl status strongswan tells me after a restart:

<...>
osmc ipsec[7408]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
osmc ipsec[7408]: 00[CFG]   loaded EAP secret for vero
osmc ipsec[7408]: 00[CFG] loaded 0 RADIUS server configurations
osmc ipsec[7408]: 00[CFG] HA config misses local/remote address
osmc ipsec[7408]: 00[LIB] failed to load 1 critical plugin feature
osmc ipsec[7408]: 00[DMN] initialization failed - aborting charon
osmc ipsec[7408]: 00[KNL] received netlink error: Address family not supported by protocol (97)
osmc ipsec[7408]: charon has quit: initialization failed
<...>

Accordingly ipsec statusall doesn’t produce any output at all. What surprises me is the Address family not supported by protocol (97). Not sure if this could be related to having added IPv6-support to the network interfaces.

Thx
Andreas

Tom_Doyle · 29 December 2018 18:14

Hi,

What happens if you try to start ipsec manually, rather than starting with the systemd service.

Thanks Tom.

sam_nazarko · 29 December 2018 23:11

If there some CONFIG_ options or modules that need adding; we can investigate.

Cheers
Sam

AndreasK · 30 December 2018 16:57

That is the output included in the initial posting.

AndreasK · 30 December 2018 16:58

Thanks for offering support. Even after disabling IPv6 the error occurs. I will further investigate this during next weekend and keep you updated.

sam_nazarko · 30 December 2018 20:27

See Required Kernel Modules :: strongSwan Documentation

If you can, try mod probe each module. We will likely find something is missing

Sam

AndreasK · 30 December 2018 22:19

Thanks for offering help. It doesn’t look good, since essentially none of the 12 listed modules can be loaded:

modprobe: FATAL: Module ah4 not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module ah6 not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module esp4 not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module esp6 not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module xfrm4_tunnel not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module xfrm6_tunnel not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module xfrm_user not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module tunnel not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module tunnel6 not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module xfrm4_mode_tunnel not found in directory /lib/modules/3.14.29-126-osmc
modprobe: FATAL: Module xfrm6_mode_tunnel not found in directory /lib/modules/3.14.29-126-osmc

Correspondingly the suggested script produces this:

# CONFIG_XFRM_USER is not set
# CONFIG_NET_KEY is not set
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
# CONFIG_INET_AH is not set
# CONFIG_INET_ESP is not set
# CONFIG_INET_IPCOMP is not set
# CONFIG_INET_XFRM_MODE_TRANSPORT is not set
# CONFIG_INET_XFRM_MODE_TUNNEL is not set
# CONFIG_INET_XFRM_MODE_BEET is not set
CONFIG_IPV6=y
# CONFIG_INET6_AH is not set
# CONFIG_INET6_ESP is not set
# CONFIG_INET6_IPCOMP is not set
# CONFIG_INET6_XFRM_MODE_TRANSPORT is not set
# CONFIG_INET6_XFRM_MODE_TUNNEL is not set
# CONFIG_INET6_XFRM_MODE_BEET is not set
# CONFIG_IPV6_MULTIPLE_TABLES is not set
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m

Any chance to have the missing modules included soon?

Thx again!
Andreas

sam_nazarko · 30 December 2018 23:50

Hi,

I think everything should be covered in:

To test this update:

Login via the command line
Edit the file /etc/apt/sources.list
Add the following line: deb http://apt.osmc.tv stretch-devel main
Run the following commands to update: sudo apt-get update && sudo apt-get dist-upgrade && reboot
Your system should have have received the update.

Please see if the issue is resolved.

I also recommend you edit /etc/apt/sources.list again and remove the line that you added after updating. This will return you to the normal update channel.

AndreasK · 31 December 2018 09:03

Hi Sam,

from a first glance it looks good, i.e. IPsec tunnel can be established manually.

Unfortunately auto start during boot still fails. Obviously (systemd) dependency to networking is still missing, as the initial DNS query for the VPN server fails.

Somewhat confusing is also still the output from modprobe and the config check:

modprobe: FATAL: Module tunnel not found <...>
CONFIG_NETFILTER_XT_MATCH_POLICY is not set

Anyhow thanks a lot for the very quick and competent support!

/Andreas

sam_nazarko · 3 January 2019 07:28

Hi,

Glad to hear this.
I got these changes in for the stable update released on 31/12.

I think you want to depend on connman-wait-for-network.

I’ve also set:

CONFIG_NETFILTER_XT_MATCH_POLICY=m for your in this commit and pushed a build to the staging repository.

Cheers

Sam

AndreasK · 3 January 2019 20:21

Hi Sam,

thanks for fixing the missing module. Most likely your are right that strongswan needs to depend on connman-wait-for-network.
Currently with strongswan enabled at boot time systemctl status strongswan tells me right after login

osmc charon[573]: 17[LIB] resolving '***.net' failed: Name or service not known
osmc charon[573]: 05[IKE] unable to resolve ***.net, initiate aborted

As expected following a systemctl restart strongswan everything works fine. Hence could you please also fix this dependency / let me know what needs to be done there?

Thx again & Happy new year!
Andreas

sam_nazarko · 3 January 2019 20:42

As we do not provide this package it wouldn’t make sense for us to fix the dependency

Instead you should use a systemd drop-in to override the systemd unit in a way that updates do not overwrite it

dillthedog · 3 January 2019 22:05

Shouldn’t it mirror mediacenter.service in this respect, which means it would include:

Wants = network-online.target
After = network-online.target

rather than depend on connman-wait-for-network?

sam_nazarko · 4 January 2019 09:22

That will work — you’ll need to then enable wait for network

AndreasK · 6 January 2019 12:17

OK. I see the point and will fix it myself accordingly.

Thx anyway
Andreas