Solve OpenSwan(Ipsec) L2tp netlink XFRM_MSG_DELPOLICY error

Jan 24, 2013

#Setup VPN Recently I bought a vps to setup VPN. The OS is Debian 6. Well I’m using OpenSwan(IPsec) + L2tp and follow the instructions from this website:How To Set Up A L2TP/IPSec VPN In A VPS.

Everthing works fine.

ipsec verify

Prints shows that everything works good.

But I often get this error in /var/log/auth.log and I can’t connect to VPN server:

ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory	

I do search on google and openswan forum. But there isn’t any clear/direct answer to this quesiton.

#XFRM_MSG_DELPOLICY? WTF!!! Until I saw the this post on OpenSwan forum : What’s xl2tpd’s ‘ERROR: netlink XFRM_MSG_DELPOLICY …’ about?

The answer is really brief.

> 2) I have all along been experiencing the behavior in OpenSwan that I think is a documented bug:  When I disconnect my iPhone from the VPN, I need to restart it with /etc/init.d/ipsec restart before I'm able to reconnect.  Is there a known fix to this?  I actually have an idea on how I can set up a password-protected URL to remotely restart it, so in a pinch, I can get that working, but obviously a proper fix would be ideal.
That's a known apple bug, and should be resolved if you use openswan 2.6.33 and xl2tpd 1.2.8

Here is solution: make sure you have correct version of OpenSwan and Xl2tpd.

sudo ipsec --version	

Then you get following info:

Linux Openswan U2.6.34/K3.0.0-12-generic (netkey)
See `ipsec --copyright' for copyright information.

Check Xl2tpd version by running:

sudo xl2tpd --version

Then you get:

xl2tpd version:  xl2tpd-1.2.8

So make sure you get OpenSwan 2.6.33 installed.

cd /usr/src
tar zxvf openswan-2.6.33.tar.gz
cd openswan-2.6.33
make programs install

But failed. Because that version is not compatible with current kernel version.

Then I try version 2.6.34 and it got isntalled.

Then you config the /etc/ipsec.conf and ipsec.secrets.

Do remember to reboot to make ipsec work.

After reboot, try /etc/init.d/ipsec restart and ipsec verify and it should work.