strongswan fails to start on embedded Linux


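Hello, when I start ipsec using strongswan, I run into some problems on a Digi ccimx6ul (embedded Linux - Yocto Project). I get the following error

P.S.: I have already run IPsec like this successfully on Ubuntu 18.04, but the Digi ccimx6ul with Linux 4.14 gives errors, please help me... Thank you.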

Starting strongSwan 5.7.1 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.7.1, Linux 4.14.141-dey+g0f5a740ab5b8, armv7l)
00[KNL] unable to create netlink socket: Protocol not supported (93)
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not supported (95)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not supported (95)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG]   loaded ca certificate "CN=VPN root CA" from '/etc/ipsec.d/cacerts/ca-cert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for vpn
00[LIB] failed to load 1 critical plugin feature
00[DMN] initialization failed - aborting charon
00[KNL] received netlink error: Operation not supported (95)
00[KNL] received netlink error: Operation not supported (95)
charon has quit: initialization failed
charon refused to be started
ipsec starter stopped

File ipsec.conf

config setup

conn ikev2-rw
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    right=192.168.234.146
    # This should match the `leftid` value on your server's configuration
    rightid=192.168.234.146
    rightsubnet=0.0.0.0/0
    rightauth=pubkey
    leftsourceip=%config
    leftid=vpn
    leftauth=eap-mschapv2
    eap_identity=%identity
    auto=start

File ipsec.secrets

vpn : EAP "vpn"

File /etc/strongswan.d/charon : ls

root@ccimx6ulstarter:/etc/strongswan.d/charon# ls
aes.conf              md5.conf              revocation.conf
attr.conf             nonce.conf            sha1.conf
cmac.conf             openssl.conf          sha2.conf
constraints.conf      pem.conf              socket-default.conf
curl.conf             pgp.conf              sqlite.conf
curve25519.conf       pkcs1.conf            sshkey.conf
des.conf              pkcs12.conf           stroke.conf
dnskey.conf           pkcs7.conf            updown.conf
gmp.conf              pkcs8.conf            vici.conf
hmac.conf             pubkey.conf           x509.conf
random.conf           xauth-generic.conf    resolve.conf
kernel-netlink.conf   rc2.conf              xcbc.conf     

strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}


Answer 1

Your problem is at the kernel level:

00[KNL] unable to create netlink socket: Protocol not supported (93)
00[KNL] received netlink error: Operation not supported (95)

You are probably missing the xfrm_* kernel modules. You can try, for example:

modprobe xfrm_user

But it will most likely fail.

You need to recompile the kernel with the required kernel modules; the list comes from StrongSwan's wiki.
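An added example, not part of the answer above: a POSIX shell check that reports which IPsec-related options are absent from a kernel .config before rebuilding the Yocto image. The option list is an assumed subset for a 4.x kernel (the wiki list the answer mentions is authoritative), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list IPsec-related kernel options missing from a .config.
# REQUIRED_OPTS is an assumed subset for a 4.x kernel, chosen to match the
# failures in the log (XFRM netlink socket, routing table rules) and the
# ESP tunnel with aes256-sha1 from the posted ipsec.conf.
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_IP_ADVANCED_ROUTER
CONFIG_IP_MULTIPLE_TABLES CONFIG_INET_ESP CONFIG_INET_XFRM_MODE_TUNNEL
CONFIG_CRYPTO_AES CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_HMAC CONFIG_CRYPTO_CBC"

# missing_ipsec_opts FILE
# Prints one option per line when it is neither built in (=y) nor a
# module (=m). Returns 0 when nothing is missing, 1 otherwise.
missing_ipsec_opts() {
    cfg=$1
    rc=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)\$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# check_running_kernel
# Same check against the running kernel. Needs /proc/config.gz
# (CONFIG_IKCONFIG_PROC); without it, pass the build's .config to
# missing_ipsec_opts instead. Returns 2 when no config is available.
check_running_kernel() {
    if [ ! -r /proc/config.gz ]; then
        echo "no /proc/config.gz; use: missing_ipsec_opts <.config>" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    gzip -dc /proc/config.gz > "$tmp"
    missing_ipsec_opts "$tmp"
    status=$?
    rm -f "$tmp"
    return $status
}

# When run as a script with a path argument, check that file.
if [ "$#" -gt 0 ]; then
    missing_ipsec_opts "$1"
fi
```

An option reported here has to be enabled in the kernel configuration and the image rebuilt; `modprobe` cannot load a module that was never built.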
