• Bug#1069155: libreswan: TCP encapsulation fails for lack of support in

    From Mathieu Baudier@21:1/5 to All on Wed Apr 17 10:10:01 2024
    Package: libreswan
    Version: 4.10-2+deb12u1
    Severity: normal

    Dear Maintainer,

    * What led up to the situation?

    Trying to use TCP encapsulation (enable-tcp=yes) between two Debian 12 hosts, in order to work around the connection freezing after a while when using defaults.

    On the client (initiator, roaming) we get:

    ERROR setsockopt(SOL_TCP, TCP_ULP) failed (connect_to_tcp_endpoint() +546 /programs/pluto/iface_tcp.c): No such file or directory (errno 2)

    On the server (responder, online server) we get:

    IKETCP ACCEPTED: socket 14: accepted connection
    IKETCP ACCEPTED: socket 14: closing socket; setsockopt(14, SOL_TCP, TCP_ULP, "espintcp") failed: No such file or directory (errno 2)

    * What exactly did you do (or not do) that was effective (or ineffective)?

    Issue raised to libreswan developers https://github.com/libreswan/libreswan/issues/1681 who helped with the analysis.

    * What was the outcome of this action?

    It appears that the following config parameters are required when building the kernel:

    CONFIG_XFRM_ESPINTCP=y
    CONFIG_INET_ESPINTCP=y

    But they are not available in the config file:

    $ cat /boot/config-$(uname -r) | grep ESPINTCP
    # CONFIG_INET_ESPINTCP is not set
    # CONFIG_INET6_ESPINTCP is not set

    $ cat /boot/config-$(uname -r) | grep CONFIG_XFRM_ESPINTCP
    <empty>

    Is it thinkable to ask for these kernel build config parameters to be enabled in Debian Stable at some point, or is it a no-go?


    -- System Information:
    Debian Release: 12.5
    APT prefers stable-updates
    APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)
    Foreign Architectures: i386

    Kernel: Linux 6.1.0-20-amd64 (SMP w/16 CPU threads; PREEMPT)
    Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
    Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages libreswan depends on:
    ii bind9-host [host] 1:9.18.24-1
    ii debconf [debconf-2.0] 1.5.82
    ii dns-root-data 2023010101
    ii iproute2 6.1.0-3
    ii iptables 1.8.9-2
    ii libaudit1 1:3.0.9-1
    ii libc6 2.36-9+deb12u4
    ii libcap-ng0 0.8.3-1+b3
    ii libcrypt1 1:4.4.33-2
    ii libcurl3-nss 7.88.1-10+deb12u5
    ii libevent-core-2.1-7 2.1.12-stable-8
    ii libevent-pthreads-2.1-7 2.1.12-stable-8
    ii libldap-2.5-0 2.5.13+dfsg-5
    ii libldns3 1.8.3-1+b1
    ii libnspr4 2:4.35-1
    ii libnss3 2:3.87.1-1
    ii libnss3-tools 2:3.87.1-1
    ii libpam0g 1.5.2-6+deb12u1
    ii libselinux1 3.4-1+b6
    ii libsystemd0 252.22-1~deb12u1
    ii libunbound8 1.17.1-2+deb12u2

    Versions of packages libreswan recommends:
    ii python3 3.11.2-1+b1

    libreswan suggests no packages.

    -- Configuration Files:
    /etc/ipsec.conf changed [not included]

    -- no debconf information

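
A preflight check for the kernel options named in this report, as an added example (not part of the original bug report, and not libreswan or Debian code). The function names and both sample config files are constructed for illustration; the first sample reproduces the `grep` output quoted in the report, where `CONFIG_XFRM_ESPINTCP` is missing entirely rather than marked "is not set".

```shell
#!/bin/sh
# Added example: classify the ESP-in-TCP kernel build options before
# setting enable-tcp=yes. Function names here are hypothetical.

# espintcp_state CONFIG_FILE OPTION
# Prints the option's value (y or m), "unset" for "# OPT is not set",
# or "absent" when the option does not appear in the file at all.
espintcp_state() {
    awk -v opt="$2" '
        $0 ~ ("^" opt "=")          { sub(/^[^=]*=/, ""); state = $0 }
        $0 == "# " opt " is not set" { state = "unset" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# espintcp_supported CONFIG_FILE
# Succeeds only when both options the report lists as required are =y.
espintcp_supported() {
    [ "$(espintcp_state "$1" CONFIG_XFRM_ESPINTCP)" = y ] &&
    [ "$(espintcp_state "$1" CONFIG_INET_ESPINTCP)" = y ]
}

# Constructed sample inputs so the example runs offline.
sample_dir=$(mktemp -d)
cat > "$sample_dir/config-reported" <<'EOF'
CONFIG_INET_ESP=m
# CONFIG_INET_ESPINTCP is not set
# CONFIG_INET6_ESPINTCP is not set
EOF
cat > "$sample_dir/config-enabled" <<'EOF'
CONFIG_XFRM_ESPINTCP=y
CONFIG_INET_ESPINTCP=y
CONFIG_INET6_ESPINTCP=y
EOF

for cfg in "$sample_dir/config-reported" "$sample_dir/config-enabled"; do
    echo "== $cfg"
    for opt in CONFIG_XFRM_ESPINTCP CONFIG_INET_ESPINTCP CONFIG_INET6_ESPINTCP; do
        printf '%s: %s\n' "$opt" "$(espintcp_state "$cfg" "$opt")"
    done
    if espintcp_supported "$cfg"; then
        echo "result: required ESPINTCP options are built in"
    else
        echo "result: required ESPINTCP options missing; expect the TCP_ULP errno 2 failure"
    fi
done
```

On a real host, pass `/boot/config-$(uname -r)` to `espintcp_supported` instead of the sample files.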