<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>More info from kern.log:<br><br>Nov  7 13:21:52 nas kernel: [ 2246.765665] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)<br>Nov  7 13:21:52 nas kernel: [ 2246.773932] 00000000: e3 53 77 9c 10 79 ae b8 27 08 94 2d be 77 18 1a<br>Nov  7 13:21:52 nas kernel: [ 2246.780926] 00000010: f2 7e 6a 69 ca 81 66 aa f3 9e 19 41 ab 87 1d 8e<br>Nov  7 13:21:52 nas kernel: [ 2246.787777] 00000020: f6 6e 29 44<br>Nov  7 13:21:52 nas kernel: [ 2246.803949] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)<br>Nov  7 13:21:52 nas kernel: [ 2246.812641] 00000000: e3 53 77 9c 10 79 ae b8 27 08 94 2d be 77 18 1a<br>Nov  7 13:21:52 nas kernel: [ 2246.819462] 00000010: 13 4b bd 7c c2 97 9b b6 ae 08 6a 6c 46 f0 6e fd<br>Nov  7 13:21:52 nas kernel: [ 2246.826278] 00000020: 93 02 25 a3<br><br><br><div><hr id="stopSpelling">From: gawd0wns@hotmail.com<br>To: users@lists.strongswan.org<br>Subject: Netlink and SAD entry error<br>Date: Thu, 7 Nov 2013 15:04:32 -0300<br><br>

<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}

.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}

--></style>
<div dir="ltr">My strongswan server is failing following a kernel upgrade.  What is the issue?  <br><br><br>My config in ipsec.conf:<br><br>config setup<br>        strictcrlpolicy=no<br>        uniqueids=yes<br>        charondebug="cfg 4"<br><br>conn %default<br>        ikelifetime=60m<br>        keylife=20m<br>        rekeymargin=3m<br>        keyingtries=1<br>        keyexchange=ikev2<br>        leftfirewall=yes<br>        dpddelay=30<br>        dpdtimeout=120<br>        dpdaction=clear<br><br>conn bb10<br>        mobike=yes<br>        ike=aes256-sha1-sha1-modp1024!<br>        esp=aes256-modp1024-sha1!<br>        left=%defaultroute<br>        leftid="C=CA, O=none, CN=192.168.1.100"<br>        leftcert=serverCert.pem<br>        right=%any<br>        rightsourceip=10.11.12.1<br>        rightid="C=CA, O=none, CN=bb10"<br>        rightauth=pubkey<br>        leftauth=pubkey<br>        auto=add<br><br><br>Errors logged in daemon.log:<br><br>Nov  7 13:21:52 nas charon: 09[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ<br>Nov  7 13:21:52 nas charon: 09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ<br>Nov  7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for us:<br>Nov  7 13:21:52 nas charon: 09[CFG]  config: 192.168.1.100/32, received: 0.0.0.0/0 => match: 192.168.1.100/32<br>Nov  7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for other:<br>Nov  7 13:21:52 nas charon: 09[CFG]  config: 10.11.12.1/32, received: 0.0.0.0/0 => match: 10.11.12.1/32<br>Nov  7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)<br>Nov  7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI ca55d1a0<br>Nov  7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)<br>Nov  7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI aaeff1d8<br>Nov  7 13:21:52 nas charon: 09[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel<br>Nov  7 13:21:52 nas charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA<br>Nov  7 13:21:52 nas charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]<br>Nov  7 13:21:52 nas charon: 09[NET] sending packet: from 192.168.1.100[4500] to 24.114.73.80[45231] (1276 bytes)<br>Nov  7 13:22:02 nas charon: 10[NET] received packet: from 24.114.73.80[45231] to 192.168.1.100[4500] (1436 bytes)<br><br><br>I thought the new kernel was a missing module, though check.sh doesn't report any errors and lsmod seems to have everything that I need already loaded:<br><br>lsmod output:<br><br>Module                  Size  Used by<br>authenc                 5858  0<br>xfrm6_mode_tunnel       1552  0<br>xfrm4_mode_tunnel       2184  0<br>xfrm_user              20613  2<br>xfrm4_tunnel            1478  0<br>tunnel4                 2047  1 xfrm4_tunnel<br>ipcomp                  1665  0<br>xfrm_ipcomp             3257  1 ipcomp<br>esp4                    5593  0<br>ah4                     4797  0<br>ctr                     3433  0<br>twofish_generic         7239  0<br>twofish_common         12858  1 twofish_generic<br>camellia_generic       19582  0<br>serpent_generic        19827  0<br>blowfish_generic        3625  0<br>blowfish_common         6513  1 blowfish_generic<br>cast5_generic          11096  0<br>cast_common             4605  1 cast5_generic<br>des_generic            16820  0<br>cbc                     2267  0<br>cmac                    2492  0<br>xcbc                    2202  0<br>rmd160                  7244  0<br>sha512_generic          7457  0<br>sha256_generic          8589  0<br>crypto_null             2089  0<br>af_key                 32934  0<br>xfrm_algo               4401  5 ah4,esp4,af_key,xfrm_user,xfrm_ipcomp<br>xt_tcpudp               1976  2<br>ipv6                  282327  28 xfrm6_mode_tunnel<br>iptable_filter          1143  1<br>ip_tables               9770  1 iptable_filter<br>x_tables               11279  3 ip_tables,xt_tcpudp,iptable_filter<br>orion_wdt               2869  0<br>hmac                    2433  0<br>sha1_generic            1752  0<br>sha1_arm                3389  0<br>mv_cesa                10557  0<br>ext2                   57351  2<br>mbcache                 5128  1 ext2<br>netconsole              6138  0<br>configfs               21555  2 netconsole<br>sg                     20167  0<br>sd_mod                 33934  5<br>crc_t10dif              1110  1 sd_mod<br>sata_mv                24313  1<br>usb_storage            36513  2<br>libata                143640  1 sata_mv<br>marvell                 7083  0<br>mvmdio                  3128  0<br>scsi_mod              150844  4 sg,usb_storage,libata,sd_mod<br>mv643xx_eth            22129  0<br>libphy                 16687  3 marvell,mvmdio,mv643xx_eth<br><br><br>Module check with check.sh:<br><br>CONFIG_XFRM_USER=m<br>CONFIG_NET_KEY=m<br>CONFIG_NET_KEY_MIGRATE=y<br>CONFIG_INET=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_TUNNEL=m<br>CONFIG_INET_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_INET_LRO=m<br>CONFIG_INET_DIAG=m<br>CONFIG_INET_TCP_DIAG=m<br>CONFIG_INET_UDP_DIAG=m<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_TUNNEL=m<br>CONFIG_INET6_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m<br>CONFIG_INET_DCCP_DIAG=m<br>CONFIG_IP_ADVANCED_ROUTER=y<br>CONFIG_IP_MULTIPLE_TABLES=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_IPV6=m<br>CONFIG_IPV6_PRIVACY=y<br>CONFIG_IPV6_ROUTER_PREF=y<br>CONFIG_IPV6_ROUTE_INFO=y<br>CONFIG_IPV6_OPTIMISTIC_DAD=y<br>CONFIG_IPV6_MIP6=m<br>CONFIG_IPV6_SIT=m<br>CONFIG_IPV6_SIT_6RD=y<br>CONFIG_IPV6_NDISC_NODETYPE=y<br>CONFIG_IPV6_TUNNEL=m<br># CONFIG_IPV6_GRE is not set<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>CONFIG_IPV6_SUBTREES=y<br>CONFIG_IPV6_MROUTE=y<br>CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y<br>CONFIG_IPV6_PIMSM_V2=y<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>CONFIG_NETFILTER=y<br>CONFIG_NETFILTER_DEBUG=y<br>CONFIG_NETFILTER_ADVANCED=y<br>CONFIG_NETFILTER_NETLINK=m<br>CONFIG_NETFILTER_NETLINK_ACCT=m<br>CONFIG_NETFILTER_NETLINK_QUEUE=m<br>CONFIG_NETFILTER_NETLINK_LOG=m<br>CONFIG_NETFILTER_NETLINK_QUEUE_CT=y<br>CONFIG_NETFILTER_TPROXY=m<br>CONFIG_NETFILTER_XTABLES=m<br>CONFIG_NETFILTER_XT_MARK=m<br>CONFIG_NETFILTER_XT_CONNMARK=m<br>CONFIG_NETFILTER_XT_SET=m<br>CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br>CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m<br>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m<br>CONFIG_NETFILTER_XT_TARGET_CONNMARK=m<br>CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m<br>CONFIG_NETFILTER_XT_TARGET_CT=m<br>CONFIG_NETFILTER_XT_TARGET_DSCP=m<br>CONFIG_NETFILTER_XT_TARGET_HL=m<br>CONFIG_NETFILTER_XT_TARGET_HMARK=m<br>CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m<br>CONFIG_NETFILTER_XT_TARGET_LED=m<br>CONFIG_NETFILTER_XT_TARGET_LOG=m<br>CONFIG_NETFILTER_XT_TARGET_MARK=m<br>CONFIG_NETFILTER_XT_TARGET_NETMAP=m<br>CONFIG_NETFILTER_XT_TARGET_NFLOG=m<br>CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m<br>CONFIG_NETFILTER_XT_TARGET_NOTRACK=m<br>CONFIG_NETFILTER_XT_TARGET_RATEEST=m<br>CONFIG_NETFILTER_XT_TARGET_REDIRECT=m<br>CONFIG_NETFILTER_XT_TARGET_TEE=m<br>CONFIG_NETFILTER_XT_TARGET_TPROXY=m<br>CONFIG_NETFILTER_XT_TARGET_TRACE=m<br>CONFIG_NETFILTER_XT_TARGET_SECMARK=m<br>CONFIG_NETFILTER_XT_TARGET_TCPMSS=m<br>CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m<br>CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m<br>CONFIG_NETFILTER_XT_MATCH_BPF=m<br>CONFIG_NETFILTER_XT_MATCH_CLUSTER=m<br>CONFIG_NETFILTER_XT_MATCH_COMMENT=m<br>CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m<br>CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m<br>CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_CONNMARK=m<br>CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m<br>CONFIG_NETFILTER_XT_MATCH_CPU=m<br>CONFIG_NETFILTER_XT_MATCH_DCCP=m<br>CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m<br>CONFIG_NETFILTER_XT_MATCH_DSCP=m<br>CONFIG_NETFILTER_XT_MATCH_ECN=m<br>CONFIG_NETFILTER_XT_MATCH_ESP=m<br>CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_HELPER=m<br>CONFIG_NETFILTER_XT_MATCH_HL=m<br>CONFIG_NETFILTER_XT_MATCH_IPRANGE=m<br>CONFIG_NETFILTER_XT_MATCH_IPVS=m<br>CONFIG_NETFILTER_XT_MATCH_LENGTH=m<br>CONFIG_NETFILTER_XT_MATCH_LIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_MAC=m<br>CONFIG_NETFILTER_XT_MATCH_MARK=m<br>CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m<br>CONFIG_NETFILTER_XT_MATCH_NFACCT=m<br>CONFIG_NETFILTER_XT_MATCH_OSF=m<br>CONFIG_NETFILTER_XT_MATCH_OWNER=m<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br>CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m<br>CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m<br>CONFIG_NETFILTER_XT_MATCH_QUOTA=m<br>CONFIG_NETFILTER_XT_MATCH_RATEEST=m<br>CONFIG_NETFILTER_XT_MATCH_REALM=m<br>CONFIG_NETFILTER_XT_MATCH_RECENT=m<br>CONFIG_NETFILTER_XT_MATCH_SCTP=m<br>CONFIG_NETFILTER_XT_MATCH_SOCKET=m<br>CONFIG_NETFILTER_XT_MATCH_STATE=m<br>CONFIG_NETFILTER_XT_MATCH_STATISTIC=m<br>CONFIG_NETFILTER_XT_MATCH_STRING=m<br>CONFIG_NETFILTER_XT_MATCH_TCPMSS=m<br>CONFIG_NETFILTER_XT_MATCH_TIME=m<br>CONFIG_NETFILTER_XT_MATCH_U32=m<br>CONFIG_NETFILTER_XTABLES=m<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br>root@nas:/home/nas#<br><br>                                     </div></div>                                        </div></body>
</html>