Bug 388623

Summary: PF_KEY can't work without ipv6 enable
Product: [openSUSE] openSUSE 11.0
Reporter: Bin Li <bili>
Component: Kernel
Assignee: Karsten Keil <karsten.keil>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P3 - Medium    
Version: Beta 2   
Target Milestone: ---   
Hardware: Other   
OS: Other   

Description Bin Li 2008-05-09 09:41:10 UTC
I use novell-ipsec-tools to connect to the VPN server.

https://bugzilla.novell.com//show_bug.cgi?id=381769

It works fine in 10.3 without IPv6 enabled.

In 11.0 beta2, it doesn't work when IPv6 is disabled.
It calls the send API to send to a PF_KEY socket.

so = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);

    if ((len = send(so, (void *)msg, (socklen_t)len, 0)) < 0) {
        __ipsec_set_strerror(strerror(errno));
        return -1;
    }

send is OK, but it receives the message:

Apr 29 18:32:18 Azi racoon: DEBUG: pfkey.c:232:pfkey_handler(): get pfkey UPDATE message
Apr 29 18:32:18 Azi racoon: DEBUG2: plog.c:208:plogdump():  02025d03 02000000 f561330f a5170000
Apr 29 18:32:18 Azi racoon: ERROR: pfkey.c:247:pfkey_handler(): pfkey UPDATE failed: Protocol not supported
Apr 29 18:32:18 Azi racoon: DEBUG: pfkey.c:232:pfkey_handler(): get pfkey ADD message
Apr 29 18:32:18 Azi racoon: DEBUG2: plog.c:208:plogdump():  02035d03 02000000 f561330f a5170000
Apr 29 18:32:18 Azi racoon: ERROR: pfkey.c:247:pfkey_handler(): pfkey ADD failed: Protocol not supported

and pfkey_handler() calls recv:

 *lenp = recv(so, (caddr_t)&buf, sizeof(buf), MSG_PEEK);

The received message's structure, from /usr/include/linux/pfkeyv2.h:

struct sadb_msg {
    uint8_t     sadb_msg_version;
    uint8_t     sadb_msg_type;
    uint8_t     sadb_msg_errno;
    uint8_t     sadb_msg_satype;
    uint16_t    sadb_msg_len;
    uint16_t    sadb_msg_reserved;
    uint32_t    sadb_msg_seq;
    uint32_t    sadb_msg_pid;
} __attribute__((packed));

So from "02025d03 02000000 f561330f a5170000", the errno is 0x5d, which means EPROTONOSUPPORT.

It's related to esp4.ko: when I removed esp4.ko in 10.3, it prompted
the same message:
Protocol not support.

When I enable IPv6 in YaST it works fine, and I found the kernel loads esp4
and xfrm6_mode_tunnel. If IPv6 is disabled, the kernel can't load esp4; in my opinion it is caused by not loading xfrm6_mode_tunnel, so it received the error message.
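
The header decoding described in the report above, as an added example (not part of the original report or of ipsec-tools): it parses a plogdump-style hex line into the sadb_msg header fields. The names pfkey_hdr and pfkey_hdr_from_dump are hypothetical, and a little-endian host is assumed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base PF_KEY v2 header, same field order as struct sadb_msg. */
struct pfkey_hdr {
    uint8_t  version, type, err, satype;
    uint16_t len, reserved;            /* len counts 64-bit words */
    uint32_t seq, pid;
};

static int hexval(int c)
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a hex dump (whitespace ignored) into *h. Returns 0, or -1 on bad
 * hex or fewer than 16 bytes. Assumption: dump is from a little-endian host. */
int pfkey_hdr_from_dump(const char *dump, struct pfkey_hdr *h)
{
    uint8_t b[16];
    size_t n = 0;
    for (; *dump && n < sizeof(b); dump++) {
        if (isspace((unsigned char)*dump)) continue;
        int hi = hexval((unsigned char)dump[0]);
        int lo = dump[1] ? hexval((unsigned char)dump[1]) : -1;
        if (hi < 0 || lo < 0) return -1;
        b[n++] = (uint8_t)(hi << 4 | lo);
        dump++;                        /* consumed two hex digits */
    }
    if (n < sizeof(b)) return -1;
    h->version = b[0]; h->type = b[1]; h->err = b[2]; h->satype = b[3];
    h->len      = (uint16_t)(b[4] | b[5] << 8);
    h->reserved = (uint16_t)(b[6] | b[7] << 8);
    h->seq = b[8]  | b[9]  << 8 | (uint32_t)b[10] << 16 | (uint32_t)b[11] << 24;
    h->pid = b[12] | b[13] << 8 | (uint32_t)b[14] << 16 | (uint32_t)b[15] << 24;
    return 0;
}

int main(void)
{
    struct pfkey_hdr h;                /* input: first dump line in the log */
    if (pfkey_hdr_from_dump("02025d03 02000000 f561330f a5170000", &h)) return 1;
    printf("type=%d satype=%d errno=%d (%s) len=%d bytes pid=%u\n", h.type,
           h.satype, h.err, strerror(h.err), h.len * 8, (unsigned)h.pid);
    return 0;
}
```

Type 2 and type 3 in the two dumps are SADB_UPDATE and SADB_ADD from RFC 2367, matching the UPDATE and ADD messages in the racoon log, and satype 3 is SADB_SATYPE_ESP.
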
Comment 1 Karsten Keil 2008-05-09 11:47:18 UTC
Hmm, does it work if you load the esp4 module manually?
esp4.ko has no dependency on any IPv6 stuff; I can load it if IPv6 is disabled.
The question is still why it is not loaded automatically.
Comment 2 Bin Li 2008-05-12 02:54:49 UTC
It also didn't work when I loaded the esp4 module manually.

The question is still why it is not loaded automatically; I can't see any debug info in the log. Even if I remove esp4.ko, it doesn't prompt any error message in the log, but in 10.3 it prompts:

May 12 10:54:00 Gooogle modprobe: FATAL: Could not open '/lib/modules/2.6.22.5-31-default/kernel/net/ipv4/esp4.ko': No such file or directory
Comment 3 Bin Li 2008-05-27 03:17:17 UTC
*** Bug 394547 has been marked as a duplicate of this bug. ***
Comment 4 Karsten Keil 2008-10-24 15:04:00 UTC
Does it work on 11.1?
Comment 5 Bin Li 2008-10-24 16:13:50 UTC
My PC is still in the office, so I'll test it after the weekend.
Comment 6 Bin Li 2008-11-18 06:58:17 UTC
It works fine in 11.1 now.
Comment 7 Karsten Keil 2009-02-26 10:35:31 UTC
So it's fixed in the next version.