Package: libreswan
Version: 4.10-2+deb12u1
Severity: normal

Dear Maintainer,

   * What led up to the situation?

Trying to use TCP encapsulation (enable-tcp=yes) between two Debian 12 hosts,
in order to work around the connection freezing after a while when using
defaults.

On the client (initiator, roaming) we get:

ERROR setsockopt(SOL_TCP, TCP_ULP) failed (connect_to_tcp_endpoint() +546
/programs/pluto/iface_tcp.c): No such file or directory (errno 2)

On the server (responder, online server) we get:

IKETCP ACCEPTED: socket 14: accepted connection
IKETCP ACCEPTED: socket 14: closing socket; setsockopt(14, SOL_TCP, TCP_ULP,
"espintcp") failed: No such file or directory (errno 2)

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

Issue raised to libreswan developers
https://github.com/libreswan/libreswan/issues/1681

who helped with the analysis.

   * What was the outcome of this action?

It appears that the following config parameters are required when building the
kernel:

CONFIG_XFRM_ESPINTCP=y
CONFIG_INET_ESPINTCP=y

But they are not available in the config file:

$ cat /boot/config-$(uname -r) | grep ESPINTCP
# CONFIG_INET_ESPINTCP is not set
# CONFIG_INET6_ESPINTCP is not set

$ cat /boot/config-$(uname -r) | grep CONFIG_XFRM_ESPINTCP
<empty>

Is it thinkable to ask for these kernel build config parameters to be enabled
in Debian Stable at some point, or is it a no-go?


-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-20-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libreswan depends on:
ii  bind9-host [host]        1:9.18.24-1
ii  debconf [debconf-2.0]    1.5.82
ii  dns-root-data            2023010101
ii  iproute2                 6.1.0-3
ii  iptables                 1.8.9-2
ii  libaudit1                1:3.0.9-1
ii  libc6                    2.36-9+deb12u4
ii  libcap-ng0               0.8.3-1+b3
ii  libcrypt1                1:4.4.33-2
ii  libcurl3-nss             7.88.1-10+deb12u5
ii  libevent-core-2.1-7      2.1.12-stable-8
ii  libevent-pthreads-2.1-7  2.1.12-stable-8
ii  libldap-2.5-0            2.5.13+dfsg-5
ii  libldns3                 1.8.3-1+b1
ii  libnspr4                 2:4.35-1
ii  libnss3                  2:3.87.1-1
ii  libnss3-tools            2:3.87.1-1
ii  libpam0g                 1.5.2-6+deb12u1
ii  libselinux1              3.4-1+b6
ii  libsystemd0              252.22-1~deb12u1
ii  libunbound8              1.17.1-2+deb12u2

Versions of packages libreswan recommends:
ii  python3  3.11.2-1+b1

libreswan suggests no packages.

-- Configuration Files:
/etc/ipsec.conf changed [not included]

-- no debconf information
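
Added example (not part of the original report and not libreswan code): a shell check that reports, for the two options the report names as required, whether each is built in, explicitly "is not set", or absent from the kernel config file, which are the three cases behind the grep output above. The sample config is constructed to mirror that output; the function names and the CONFIG_INET_ESP=m line are assumptions.

```shell
#!/bin/sh
# Added example: classify the kernel build options the report lists as
# required for setsockopt(SOL_TCP, TCP_ULP, "espintcp") to succeed.

# kconfig_state FILE SYMBOL
# Prints the symbol's value (y, m, ...), "unset" for "# SYMBOL is not set",
# or "absent" when the symbol does not appear in FILE at all.
kconfig_state() {
    awk -v sym="$2" '
        index($0, sym "=") == 1          { state = substr($0, length(sym) + 2) }
        $0 == ("# " sym " is not set")   { state = "unset" }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# espintcp_missing FILE
# Prints one SYMBOL=state line for every required option that is not "y".
# Prints nothing when both options from the report are built in.
espintcp_missing() {
    for sym in CONFIG_XFRM_ESPINTCP CONFIG_INET_ESPINTCP; do
        state=$(kconfig_state "$1" "$sym")
        [ "$state" = "y" ] || printf '%s=%s\n' "$sym" "$state"
    done
}

# Constructed sample mirroring the grep output in the report
# (not a real /boot/config file; CONFIG_INET_ESP=m is an assumed extra line).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
CONFIG_INET_ESP=m
# CONFIG_INET_ESPINTCP is not set
# CONFIG_INET6_ESPINTCP is not set
EOF

missing=$(espintcp_missing "$sample")
if [ -n "$missing" ]; then
    echo "espintcp not available in this kernel build; TCP_ULP will fail (errno 2):"
    echo "$missing"
else
    echo "espintcp options are built in"
fi
```

On a live host, pass the running kernel's config instead of the sample: espintcp_missing "/boot/config-$(uname -r)".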
