Package: libreswan
Version: 4.10-2+deb12u1
Severity: normal
Dear Maintainer,
* What led up to the situation?
Trying to use TCP encapsulation (enable-tcp=yes) between two Debian 12 hosts, in order to work around the connection freezing after a while when using defaults.
On the client (initiator, roaming) we get:
ERROR setsockopt(SOL_TCP, TCP_ULP) failed (connect_to_tcp_endpoint() +546 /programs/pluto/iface_tcp.c): No such file or directory (errno 2)
On the server (responder, online server) we get:
IKETCP ACCEPTED: socket 14: accepted connection
IKETCP ACCEPTED: socket 14: closing socket; setsockopt(14, SOL_TCP, TCP_ULP, "espintcp") failed: No such file or directory (errno 2)
* What exactly did you do (or not do) that was effective (or ineffective)?
Issue raised to libreswan developers
https://github.com/libreswan/libreswan/issues/1681
who helped with the analysis.
* What was the outcome of this action?
It appears that the following config parameters are required when building the kernel:
CONFIG_XFRM_ESPINTCP=y
CONFIG_INET_ESPINTCP=y
But they are not available in the config file:
$ cat /boot/config-$(uname -r) | grep ESPINTCP
# CONFIG_INET_ESPINTCP is not set
# CONFIG_INET6_ESPINTCP is not set
$ cat /boot/config-$(uname -r) | grep CONFIG_XFRM_ESPINTCP
<empty>
Is it thinkable to ask for these kernel build config parameters to be enabled in Debian Stable at some point, or is it a no-go?
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-20-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages libreswan depends on:
ii bind9-host [host] 1:9.18.24-1
ii debconf [debconf-2.0] 1.5.82
ii dns-root-data 2023010101
ii iproute2 6.1.0-3
ii iptables 1.8.9-2
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u4
ii libcap-ng0 0.8.3-1+b3
ii libcrypt1 1:4.4.33-2
ii libcurl3-nss 7.88.1-10+deb12u5
ii libevent-core-2.1-7 2.1.12-stable-8
ii libevent-pthreads-2.1-7 2.1.12-stable-8
ii libldap-2.5-0 2.5.13+dfsg-5
ii libldns3 1.8.3-1+b1
ii libnspr4 2:4.35-1
ii libnss3 2:3.87.1-1
ii libnss3-tools 2:3.87.1-1
ii libpam0g 1.5.2-6+deb12u1
ii libselinux1 3.4-1+b6
ii libsystemd0 252.22-1~deb12u1
ii libunbound8 1.17.1-2+deb12u2
Versions of packages libreswan recommends:
ii python3 3.11.2-1+b1
libreswan suggests no packages.
-- Configuration Files:
/etc/ipsec.conf changed [not included]
-- no debconf information
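
The check described in the report, written out as a script. This is an added example, not part of the original bug report or of libreswan. The function names are hypothetical, the sample config is constructed to mirror the grep output above, and /proc/sys/net/ipv4/tcp_available_ulp is the kernel's list of registered TCP ULPs, which is what setsockopt(TCP_ULP, "espintcp") depends on.

```shell
#!/bin/sh
# Added example: classify the ESP-in-TCP kernel options named in the report.

# Print the state of SYMBOL ($2) in kernel config FILE ($1):
# y, m, not-set ("# X is not set") or absent (symbol never mentioned).
kconfig_state() {
    if grep -q "^$2=y\$" "$1"; then echo y
    elif grep -q "^$2=m\$" "$1"; then echo m
    elif grep -q "^# $2 is not set\$" "$1"; then echo not-set
    else echo absent
    fi
}

# Print one line per symbol; return 0 only if both options the report
# lists as required are built in (=y).
espintcp_config_ok() {
    ok=0
    for sym in CONFIG_XFRM_ESPINTCP CONFIG_INET_ESPINTCP CONFIG_INET6_ESPINTCP; do
        state=$(kconfig_state "$1" "$sym")
        printf '%-24s %s\n' "$sym" "$state"
        case "$sym:$state" in
            CONFIG_INET6_ESPINTCP:*) ;;   # IPv6 variant: reported, not required
            *:y) ;;
            *) ok=1 ;;
        esac
    done
    return "$ok"
}

# Return 0 if "espintcp" appears in a ULP list file
# (on a live host: /proc/sys/net/ipv4/tcp_available_ulp).
espintcp_ulp_registered() {
    tr ' ' '\n' < "$1" | grep -qx espintcp
}

# Constructed sample mirroring the grep output in the report.
sample=$(mktemp)
printf '%s\n' '# CONFIG_INET_ESPINTCP is not set' \
              '# CONFIG_INET6_ESPINTCP is not set' > "$sample"
espintcp_config_ok "$sample" || echo "sample: ESP-in-TCP options not enabled"
rm -f "$sample"

# On a real host, check the running kernel's config if it is readable.
cfg="/boot/config-$(uname -r)"
if [ -r "$cfg" ]; then
    espintcp_config_ok "$cfg" || echo "$cfg: ESP-in-TCP options not enabled"
fi
```

Run it on both the initiator and the responder, since each side logged the same TCP_ULP failure.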