Tuesday, February 22. 2011
Troubleshooting OpenSwan with NETKEY
While attempting to set up OpenSwan on OpenWRT, I encountered the following message in my system log (heavily redacted):
date machinename authpriv.warn pluto[pid]: "connname" #4: ERROR: netlink response for Add SA esp.uid@xxx.xxx.xxx.xxx included errno 2: No such file or directory
003 "connname" #2: ERROR: netlink response for Add SA esp.uid@xxx.xxx.xxx.xxx included errno 2: No such file or directory
After a lot of digging, I found that the in-kernel netlink code is returning -ENOENT in response to the ADD_SA request. This is being propagated from crypto_larval_wait at crypto/api.c:171 as a result of the following call chain (outermost caller first):
  xfrm_add_sa           (net/xfrm/xfrm_user.c)
  xfrm_state_construct  (net/xfrm/xfrm_user.c)
  xfrm_init_state       (net/xfrm/xfrm_state.c)
  esp_init_state        (net/ipv4/esp4.c)
  esp_init_authenc      (net/ipv4/esp4.c)
  crypto_alloc_aead     (crypto/aead.c)
  crypto_lookup_aead    (crypto/aead.c)
  crypto_alg_mod_lookup (crypto/api.c)
  crypto_larval_wait    (crypto/api.c)
This is due to the kernel failing to load a requested crypto module (obviously...). To figure out which modules are failing to load, do the following (taken from Documentation/debugging-modules.txt in the Linux kernel source tree):
echo '#! /bin/sh' > /tmp/modprobe
echo 'echo "$@" >> /tmp/modprobe.log' >> /tmp/modprobe
echo 'exec /sbin/modprobe "$@"' >> /tmp/modprobe
chmod a+x /tmp/modprobe
echo /tmp/modprobe > /proc/sys/kernel/modprobe
Then try the connection (or do whatever provokes the error message) and read /tmp/modprobe.log to determine which modules failed to load.
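The same wrapper technique, packaged as reusable shell functions, as an added example that is not part of the original post. It assumes a 2.6-era kernel invokes the module loader as "<path> -q -- <name>" (kernel/kmod.c), takes the wrapper directory as a parameter so the helpers can be exercised without root, and adds a summary step that lists the distinct modules the kernel asked for and reports which ones modprobe cannot resolve on this machine. The sample log lines are constructed and the module names in them are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post. Logs every kernel module
# request through a modprobe wrapper, then summarises what was requested.

# Write the logging wrapper into $1 (default /tmp) and print its path.
# Pointing /proc/sys/kernel/modprobe at it needs root and is a separate step.
install_modprobe_wrapper() {
    dir=${1:-/tmp}
    wrapper="$dir/modprobe"
    cat > "$wrapper" <<EOF
#! /bin/sh
echo "\$@" >> "$dir/modprobe.log"
exec /sbin/modprobe "\$@"
EOF
    chmod a+x "$wrapper"
    printf '%s\n' "$wrapper"
}

# Make the running kernel use the wrapper (root only); prints the previous
# loader path so it can be restored afterwards.
activate_modprobe_wrapper() {
    saved=$(cat /proc/sys/kernel/modprobe)
    echo "$1" > /proc/sys/kernel/modprobe
    printf '%s\n' "$saved"
}

# Put the original loader back. The kernel runs whatever this path names as
# root on every autoload, so a script under /tmp must not be left in place.
restore_modprobe() {
    echo "${1:-/sbin/modprobe}" > /proc/sys/kernel/modprobe
}

# Print the distinct module names found in the log, in first-seen order.
# Each line is the wrapper's "$@", i.e. "-q -- <name>"; the name is last.
requested_modules() {
    awk '{ name = $NF } !seen[name]++ { print name }' "$1"
}

# For every requested module, ask modprobe (dry run, quiet) whether it can be
# resolved here. MISSING entries are the candidates behind the Add SA errors.
check_requested_modules() {
    requested_modules "$1" | while read -r name; do
        if /sbin/modprobe -n -q -- "$name" 2>/dev/null; then
            printf 'ok      %s\n' "$name"
        else
            printf 'MISSING %s\n' "$name"
        fi
    done
}

# Constructed sample log: what the wrapper might append during one failing
# IPsec negotiation (assumed names, for demonstration only).
WORK=$(mktemp -d)
SAMPLE_LOG="$WORK/modprobe.log"
cat > "$SAMPLE_LOG" <<'EOF'
-q -- xfrm-type-2-50
-q -- cryptomgr
-q -- authenc(hmac(sha1),cbc(aes))
-q -- authenc(hmac(sha1),cbc(aes))
-q -- hmac(sha1)
-q -- cbc(aes)
EOF

# Stand-alone run: show the unique requests from the constructed log.
requested_modules "$SAMPLE_LOG"
```

On the affected box, as root, the sequence is: w=$(install_modprobe_wrapper); old=$(activate_modprobe_wrapper "$w"); bring the connection up; check_requested_modules /tmp/modprobe.log; restore_modprobe "$old". The restore step matters beyond tidiness: kernel.modprobe names a program the kernel executes as root whenever anything triggers a module autoload, so it should point at /sbin/modprobe again as soon as the log has been collected.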
I'm hoping to get a few patches into the OpenWRT source tree to allow selecting the necessary modules (hopefully with a meta-option for all typical IPSec modules). But until then, and on non-OpenWRT systems, the above process should work to figure out which modules are failing to load. Best of luck!
Update: This same problem can also manifest with the following message:
003 "connname" #2: ERROR: netlink response for Add SA esp.uid@xxx.xxx.xxx.xxx included errno 89: Function not implemented