<P> Hello,<BR><BR>I used strongSwan 4.5 on my Linux 2.6.28 device.<BR>I get the following output:</P>
<P> </P>
<P><BR>root@picopc7802:~# ipsec start<BR>Starting strongSwan 4.5.0 IPsec [starter]...<BR>Initializing XFRM netlink socket</P>
<P> </P>
<P><BR>root@picopc7802:~# ipsec up panda<BR>initiating IKE_SA panda[1] to 211.136.114.107<BR>generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<BR>sending packet: from 192.168.1.198[500] to 211.136.114.107[500]<BR>received packet: from 211.136.114.107[500] to 192.168.1.198[500]<BR>parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]<BR>local host is behind NAT, sending keep alives<BR>establishing CHILD_SA panda<BR>generating IKE_AUTH request 1 [ IDi IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N((40960)) ]<BR>sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]<BR>retransmit 1 of request with message ID 1<BR>sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]<BR>retransmit 2 of request with message ID 1<BR>sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]<BR>received packet: from 211.136.114.107[4500] to 192.168.1.198[4500]<BR>parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ]<BR>server requested EAP_AKA authentication<BR>allow mutual EAP-only authentication<BR>generating IKE_AUTH request 2 [ EAP/RES/AKA ]<BR>sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]<BR>retransmit 1 of request with message ID 2<BR>sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]<BR>received packet: from 211.136.114.107[4500] to 192.168.1.198[4500]<BR>parsed IKE_AUTH response 2 [ EAP/SUCC ]<BR>EAP method EAP_AKA succeeded, MSK established<BR>authentication of '460006000000219@strongswan.org' (myself) with EAP<BR>generating IKE_AUTH request 3 [ AUTH ]<BR>sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]<BR>received packet: from 211.136.114.107[4500] to 192.168.1.198[4500]<BR>parsed IKE_AUTH response 3 [ AUTH CP(ADDR) SA TSi TSr ]<BR>authentication of 'strongswan.org' with EAP successful<BR>IKE_SA panda[1] established between 
192.168.1.198[460006000000219@strongswan.org]...211.136.114.107[strongswan.org]<BR>scheduling reauthentication in 3323s<BR>maximum IKE_SA lifetime 3503s<BR>installing new virtual IP 172.16.64.58<BR>received netlink error: Protocol not supported (93)<BR>unable to add SAD entry with SPI c7684d6b<BR>received netlink error: Protocol not supported (93)<BR>unable to add SAD entry with SPI 08003ed1<BR>unable to install inbound and outbound IPsec SA (SAD) in kernel.</P>
<P> </P>
<P>root@picopc7802:~# ipsec statusall<BR>Status of IKEv2 charon daemon (strongSwan 4.5.0):<BR> uptime: 4 minutes, since Jan 01 00:01:08 1970<BR> malloc: sbrk 135168, mmap 0, used 69408, free 65760<BR> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3<BR> loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-aka eap-aka-3gpp2 <BR>Listening IP addresses:<BR> 192.168.1.198<BR>Connections:<BR> panda: 192.168.1.198...211.136.114.107<BR> panda: local: [460006000000219@strongswan.org] uses EAP_AKA authentication with EAP identity '460006000000219'<BR> panda: remote: [strongswan.org] uses any authentication<BR> panda: child: dynamic === 172.16.64.0/24 <BR>Security Associations:<BR> panda[1]: ESTABLISHED 3 minutes ago, 192.168.1.198[460006000000219@strongswan.org]...211.136.114.107[strongswan.org]<BR> panda[1]: IKE SPIs: 58a66da49298e7ac_i* d1000007165230c8_r, EAP reauthentication in 51 minutes<BR> panda[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</P>
<P> </P>
<P>I have configured the kernel according to:</P>
<P><A href="http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules"><EM>http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules</EM></A></P>
<P> </P>
<P> Ipsec.config is as follows:<BR>config setup<BR> # plutodebug=all<BR> # crlcheckinterval=600<BR> # strictcrlpolicy=yes<BR> # cachecrls=yes<BR> # nat_traversal=yes<BR> # charonstart=no<BR> plutostart=no</P>
<P>conn %default<BR> ikelifetime=60m<BR> keylife=20m<BR> rekeymargin=3m<BR> keyingtries=1<BR> keyexchange=ikev2</P>
<P>conn panda<BR> keyexchange=ikev2<BR> left=%defaultroute<BR> leftsourceip=%config<BR> #leftcert=panda.pem<BR> #leftnexthop=%direct<BR> leftid=460006000000219@strongswan.org<BR> #leftid=460006000000280<BR> eap_identity=460006000000219<BR> #eap_identity=460006000000280<BR> leftauth=eap-aka<BR> #leftfirewall=yes<BR> right=211.136.114.107<BR> rightid=strongswan.org<BR> #rightsubnet=172.16.64.0/24<BR> #rightauth=pubkey<BR> ike=3des-sha-modp1024<BR> esp=3des-sha1<BR> pfs=yes<BR> auto=add</P>