FAQ: Difference between revisions

From Libreswan
mNo edit summary
Line 31: Line 31:
</pre>
</pre>


This happens when libreswan is stopped or restarted. Libreswan supports the alternative KLIPS IPsec stack. This can be configured using ''protostack=netkey'' or ''protostack=klips''. See ''man ipsec.conf'' for details
This has been fixed in libreswan-3.9. Please upgrade
 
The error happens when sockets in the kernel are still holding deleted IPsec SA's. There is no way to "force delete" these. Processes might be holding open sockets that have pinned down those deleted SA's. Although our IKE daemon (pluto) process has ended, these might still be lingering on the system.
 
The kernel people's answer is ''don't delete the modules'', which is not an option for us because we want to support switching IPsec stacks. An alternative is to use '''rmmod -w''' which will cause us to wait, but we have no idea how long that might be.
 
Regardless, the deleted IPsec SA's are not interfering with the operation of the the XFRM/NETKEY and this error can be ignored as long as you are not switching stacks.
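
Review bot: the replacement text "This has been fixed in libreswan-3.9. Please upgrade" drops the one piece of operational guidance the removed paragraphs carried, namely that the error "can be ignored as long as you are not switching stacks". Readers who see "Module esp4 is in use" on a release older than 3.9 and cannot upgrade right away no longer learn whether the leftover IPsec SAs affect XFRM/NETKEY operation. Suggest keeping that one sentence after the upgrade notice, scoped to versions before 3.9, and ending "Please upgrade" with a period.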

Revision as of 01:31, 29 March 2014

FAQ

(We will sort these into categories once we have more.)

Which IKE Exchange modes does libreswan support?

The IANA Registry lists all official Exchange Modes. There are a few IKEv1 Modes that are very common despite never having gotten past the draft stage.

Supported:

Not supported

Module unloading error on shutdown or restart: Module esp4 is in use

A common error to see is:

ERROR: Module xfrm4_mode_tunnel is in use
ERROR: Module esp4 is in use
FAILURE to unload NETKEY esp4/esp6 module

This has been fixed in libreswan-3.9. Please upgrade.