Hello,
I have a problem that seems to me to be related to ipcomp.
When I enable compress=yes in the configuration of my VPNs under Openswan, they refuse to come up.
I end up with these errors:
ERROR: netlink response for Add SA comp.9005@XX.XX.XX.XX included errno 22: Invalid argument
add_sa ipcomp failed
Here are the configurations:
Configuration file of one VPN:
[code]conn vpn-name
    auth=esp
    ike=aes128-md5-modp1024
    authby=secret
    auto=route
    #compress=no
    pfs=no
    type=tunnel
    keylife=24h
    esp=null-md5
    left=public-ip-A
    leftid=public-ip-A
    leftsubnet=subnet-A
    right=public-ip-B
    rightid=public-ip-B
    rightsubnet=subnet-B[/code]
File /etc/ipsec.d/examples/no_oe.conf
[code]conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear-or-private
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore[/code]
File /etc/ipsec.conf
[code]# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
# This file: /usr/share/doc/openswan/ipsec.conf-sample
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
    forwardcontrol=yes
    nat_traversal=yes
    uniqueids=no
    nhelpers=0
# Add connections here
# sample VPN connections, see /etc/ipsec.d/examples/
#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf
include /etc/ipsec.d/sites/*.conf[/code]
File ipsec.secrets:
Output of lsmod:
Module Size Used by
xfrm_user 16134 2
ah6 3677 0
ah4 3011 0
esp6 3781 0
xfrm4_mode_beet 1519 0
xfrm4_tunnel 1201 0
xfrm4_mode_transport 982 0
xfrm6_mode_transport 1002 0
xfrm6_mode_ro 870 0
xfrm6_mode_beet 1358 0
ipcomp 1356 0
ipcomp6 1336 0
xfrm6_tunnel 4033 1 ipcomp6
af_key 23286 0
esp4 3985 3504
xfrm4_mode_tunnel 1264 7008
xfrm6_mode_tunnel 1196 3504
iptable_filter 1790 0
ip_tables 7706 1 iptable_filter
x_tables 8327 1 ip_tables
authenc 4746 3504
deflate 1315 0
zlib_deflate 15822 1 deflate
ctr 2703 0
camellia 16843 0
cast5 15593 0
rmd160 9448 0
sha1_generic 1395 0
hmac 2033 7008
crypto_null 1876 3504
tunnel4 1469 1 xfrm4_tunnel
xfrm_ipcomp 2855 2 ipcomp,ipcomp6
tunnel6 1364 1 xfrm6_tunnel
rng_core 2178 0
ccm 6017 0
serpent 16187 0
blowfish 7252 0
twofish 5665 0
twofish_common 12560 1 twofish
ecb 1405 0
xcbc 1925 0
cbc 2047 0
sha256_generic 10748 0
sha512_generic 8009 0
des_generic 15027 0
aes_i586 6816 0
aes_generic 25738 1 aes_i586
loop 9729 0
radeon 511356 0
ttm 33258 1 radeon
drm_kms_helper 18533 1 radeon
drm 111844 3 radeon,ttm,drm_kms_helper
i3200_edac 2311 0
i2c_i801 6462 0
container 1833 0
i2c_algo_bit 3497 1 radeon
i2c_core 12751 5 radeon,drm_kms_helper,drm,i2c_i801,i2c_algo_bit
edac_core 23121 2 i3200_edac
snd_pcm 47226 0
snd_timer 12258 1 snd_pcm
snd 34387 2 snd_pcm,snd_timer
soundcore 3450 1 snd
snd_page_alloc 4977 1 snd_pcm
pcspkr 1207 0
evdev 5609 2
parport_pc 15799 0
parport 22554 1 parport_pc
button 3598 0
shpchp 21220 0
pci_hotplug 18065 1 shpchp
video 14605 0
output 1204 1 video
psmouse 44777 0
serio_raw 2916 0
processor 26259 0
ext3 93944 6
jbd 31965 1 ext3
mbcache 3762 1 ext3
sd_mod 25937 8
crc_t10dif 1012 1 sd_mod
usbhid 27872 0
hid 50841 1 usbhid
uhci_hcd 15989 0
ata_generic 2247 0
ata_piix 17704 0
it8213 1996 0
floppy 40923 0
ide_core 59306 1 it8213
3w_xxxx 18465 7
libata 115617 2 ata_generic,ata_piix
thermal 9206 0
thermal_sys 9378 3 video,processor,thermal
scsi_mod 104593 3 sd_mod,3w_xxxx,libata
ehci_hcd 28453 0
e1000e 97529 0
usbcore 98613 4 usbhid,uhci_hcd,ehci_hcd
nls_base 4541 1 usbcore
If I uncomment compress=yes, when I bring up a VPN I get:
002 "vpn-name" #17749880: initiating Main Mode
104 "vpn-name" #17749880: STATE_MAIN_I1: initiate
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
003 "vpn-name" #17749880: received Vendor ID payload [XAUTH]
003 "vpn-name" #17749880: received Vendor ID payload [Dead Peer Detection]
002 "vpn-name" #17749880: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
002 "vpn-name" #17749880: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "vpn-name" #17749880: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn-name" #17749880: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
002 "vpn-name" #17749880: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "vpn-name" #17749880: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpn-name" #17749880: Main mode peer ID is ID_IPV4_ADDR: 'public-ip-B'
002 "vpn-name" #17749880: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpn-name" #17749880: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
002 "vpn-name" #17749883: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880 msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
117 "vpn-name" #17749883: STATE_QUICK_I1: initiate
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA comp.51750002@public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1
003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1
003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1
What I don't understand is that the ipcomp module is indeed loaded, yet everything behaves as if it were not loaded.
Silly question: is it necessary to reboot the machine once a module has been loaded?
Machine history:
It is a fresh reinstall on squeeze following a filesystem problem; the IPsec configuration files were recovered and completed, since some VPN configurations were missing. The recovered files were the files of the various VPNs, ipsec.secrets and ipsec.conf. The old machine was a Lenny.
That's the information. I have the impression the problem is related to ipcomp, or at least to the interaction between openswan and it.
Do you have any ideas?
Has anyone run into this problem before? And was a solution found?
Thanks a lot
Totorux
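Added example, not part of Totorux's post or of Openswan itself: a small Python script that parses pluto's numbered status lines of the kind quoted above, groups them by state (SA) number, records which negotiations reached "SA established" and pulls the protocol, SPI/CPI, peer and errno out of the netlink "Add SA" failure (errno 22 is EINVAL, which is what "Invalid argument" in the kernel's reply means). It also checks an lsmod listing for the ipcomp-related modules, since the post's point is that the modules are loaded yet the kernel still rejects the IPComp SA. SAMPLE_LOG and SAMPLE_LSMOD are constructed excerpts modelled on the output in the post; the function names are my own.

```python
"""Parse Openswan/pluto status lines and lsmod output to locate an IPComp SA failure."""
import errno
import re

# Constructed excerpt modelled on the pluto output quoted in the post (not a real capture).
SAMPLE_LOG = """\
002 "vpn-name" #17749880: initiating Main Mode
104 "vpn-name" #17749880: STATE_MAIN_I1: initiate
002 "vpn-name" #17749880: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
002 "vpn-name" #17749880: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
002 "vpn-name" #17749880: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpn-name" #17749880: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
002 "vpn-name" #17749883: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880 msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
117 "vpn-name" #17749883: STATE_QUICK_I1: initiate
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA comp.51750002@public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
"""

# Constructed lsmod excerpt in the same shape as the listing in the post.
SAMPLE_LSMOD = """\
Module                  Size  Used by
ipcomp                  1356  0
xfrm_ipcomp             2855  2 ipcomp,ipcomp6
deflate                 1315  0
zlib_deflate           15822  1 deflate
esp4                    3985  3504
"""

# One pluto line: 3-digit code, quoted conn name, "#<state number>:" and the message.
LINE_RE = re.compile(r'^(?P<code>\d{3}) "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
# "netlink response for <op> <proto>.<spi>@<peer> included errno <n>"
NETLINK_RE = re.compile(
    r'netlink response for (?P<op>[\w ]+?) (?P<proto>\w+)\.(?P<spi>[0-9a-fA-F]+)@(?P<peer>\S+)'
    r' included errno (?P<errno>\d+)'
)
STATE_RE = re.compile(r'transition from state (\S+) to state (\S+)')


def parse_line(line):
    """Split one pluto status line into its fields; return None for any other output."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sa"] = int(rec["sa"])
    return rec


def analyze(log_text):
    """Group status lines by state (SA) number and summarise how each negotiation ended."""
    sas = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        sa = sas.setdefault(
            rec["sa"],
            {"conn": rec["conn"], "states": [], "established": False, "warnings": [], "failures": []},
        )
        st = STATE_RE.search(rec["msg"])
        if st:
            sa["states"].append(st.group(2))
        if "SA established" in rec["msg"]:
            sa["established"] = True
        if rec["msg"].startswith("You should NOT use insecure"):
            sa["warnings"].append(rec["msg"])
        nl = NETLINK_RE.search(rec["msg"])
        if nl:
            num = int(nl.group("errno"))
            sa["failures"].append({
                "op": nl.group("op"),
                "proto": nl.group("proto"),
                "spi": nl.group("spi"),
                "peer": nl.group("peer"),
                "errno": num,
                # Map the number to its symbolic name (22 -> EINVAL) using the C library table.
                "symbol": errno.errorcode.get(num, "unknown"),
            })
    return sas


def missing_modules(lsmod_text, required=("ipcomp", "xfrm_ipcomp", "deflate")):
    """Return the modules from `required` that do not appear in the lsmod listing."""
    loaded = {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.strip()}
    return [m for m in required if m not in loaded]


def report(log_text, lsmod_text):
    """Human-readable summary: one line per SA, its kernel failures, and the module check."""
    lines = []
    for num, sa in sorted(analyze(log_text).items()):
        status = "established" if sa["established"] else "failed"
        path = " -> ".join(sa["states"]) or "-"
        lines.append(f'#{num} ({sa["conn"]}): {status}, states {path}')
        for f in sa["failures"]:
            lines.append(f'  kernel rejected "{f["op"]}" for {f["proto"]} SA '
                         f'{f["spi"]}@{f["peer"]}: errno {f["errno"]} ({f["symbol"]})')
    missing = missing_modules(lsmod_text)
    lines.append("missing modules: " + (", ".join(missing) if missing else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, SAMPLE_LSMOD))
```

Run it against a real capture by passing the text of `ipsec auto --up vpn-name` and of `lsmod` to `report()`; the output separates the ISAKMP SA (which completes) from the Quick Mode SA (which fails at the kernel's "Add SA" step), which is the distinction the log above shows.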