<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>More info from kern.log:<br><br>Nov 7 13:21:52 nas kernel: [ 2246.765665] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)<br>Nov 7 13:21:52 nas kernel: [ 2246.773932] 00000000: e3 53 77 9c 10 79 ae b8 27 08 94 2d be 77 18 1a<br>Nov 7 13:21:52 nas kernel: [ 2246.780926] 00000010: f2 7e 6a 69 ca 81 66 aa f3 9e 19 41 ab 87 1d 8e<br>Nov 7 13:21:52 nas kernel: [ 2246.787777] 00000020: f6 6e 29 44<br>Nov 7 13:21:52 nas kernel: [ 2246.803949] alg: aead: Test 1 failed on encryption for authenc(hmac(sha1-asm),mv-cbc-aes)<br>Nov 7 13:21:52 nas kernel: [ 2246.812641] 00000000: e3 53 77 9c 10 79 ae b8 27 08 94 2d be 77 18 1a<br>Nov 7 13:21:52 nas kernel: [ 2246.819462] 00000010: 13 4b bd 7c c2 97 9b b6 ae 08 6a 6c 46 f0 6e fd<br>Nov 7 13:21:52 nas kernel: [ 2246.826278] 00000020: 93 02 25 a3<br><br><br><div><hr id="stopSpelling">From: gawd0wns@hotmail.com<br>To: users@lists.strongswan.org<br>Subject: Netlink and SAD entry error<br>Date: Thu, 7 Nov 2013 15:04:32 -0300<br><br>
<div dir="ltr">My strongswan server is failing following a kernel upgrade. What is the issue? <br><br><br>My config in ipsec.conf:<br><br>config setup<br> strictcrlpolicy=no<br> uniqueids=yes<br> charondebug="cfg 4"<br><br>conn %default<br> ikelifetime=60m<br> keylife=20m<br> rekeymargin=3m<br> keyingtries=1<br> keyexchange=ikev2<br> leftfirewall=yes<br> dpddelay=30<br> dpdtimeout=120<br> dpdaction=clear<br><br>conn bb10<br> mobike=yes<br> ike=aes256-sha1-sha1-modp1024!<br> esp=aes256-modp1024-sha1!<br> left=%defaultroute<br> leftid="C=CA, O=none, CN=192.168.1.100"<br> leftcert=serverCert.pem<br> right=%any<br> rightsourceip=10.11.12.1<br> rightid="C=CA, O=none, CN=bb10"<br> rightauth=pubkey<br> leftauth=pubkey<br> auto=add<br><br><br>Errors logged in daemon.log:<br><br>Nov 7 13:21:52 nas charon: 09[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ<br>Nov 7 13:21:52 nas charon: 09[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ<br>Nov 7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for us:<br>Nov 7 13:21:52 nas charon: 09[CFG] config: 192.168.1.100/32, received: 0.0.0.0/0 => match: 192.168.1.100/32<br>Nov 7 13:21:52 nas charon: 09[CFG] selecting traffic selectors for other:<br>Nov 7 13:21:52 nas charon: 09[CFG] config: 10.11.12.1/32, received: 0.0.0.0/0 => match: 10.11.12.1/32<br>Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)<br>Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI ca55d1a0<br>Nov 7 13:21:52 nas charon: 09[KNL] received netlink error: No such file or directory (2)<br>Nov 7 13:21:52 nas charon: 09[KNL] unable to add SAD entry with SPI aaeff1d8<br>Nov 7 13:21:52 nas charon: 09[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel<br>Nov 7 13:21:52 nas charon: 09[IKE] failed to establish CHILD_SA, keeping IKE_SA<br>Nov 7 13:21:52 nas charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR) N(AUTH_LFT) 
N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]<br>Nov 7 13:21:52 nas charon: 09[NET] sending packet: from 192.168.1.100[4500] to 24.114.73.80[45231] (1276 bytes)<br>Nov 7 13:22:02 nas charon: 10[NET] received packet: from 24.114.73.80[45231] to 192.168.1.100[4500] (1436 bytes)<br><br><br>I thought the new kernel was a missing module, though check.sh doesn't report any errors and lsmod seems to have everything that I need already loaded:<br><br>lsmod output:<br><br>Module Size Used by<br>authenc 5858 0<br>xfrm6_mode_tunnel 1552 0<br>xfrm4_mode_tunnel 2184 0<br>xfrm_user 20613 2<br>xfrm4_tunnel 1478 0<br>tunnel4 2047 1 xfrm4_tunnel<br>ipcomp 1665 0<br>xfrm_ipcomp 3257 1 ipcomp<br>esp4 5593 0<br>ah4 4797 0<br>ctr 3433 0<br>twofish_generic 7239 0<br>twofish_common 12858 1 twofish_generic<br>camellia_generic 19582 0<br>serpent_generic 19827 0<br>blowfish_generic 3625 0<br>blowfish_common 6513 1 blowfish_generic<br>cast5_generic 11096 0<br>cast_common 4605 1 cast5_generic<br>des_generic 16820 0<br>cbc 2267 0<br>cmac 2492 0<br>xcbc 2202 0<br>rmd160 7244 0<br>sha512_generic 7457 0<br>sha256_generic 8589 0<br>crypto_null 2089 0<br>af_key 32934 0<br>xfrm_algo 4401 5 ah4,esp4,af_key,xfrm_user,xfrm_ipcomp<br>xt_tcpudp 1976 2<br>ipv6 282327 28 xfrm6_mode_tunnel<br>iptable_filter 1143 1<br>ip_tables 9770 1 iptable_filter<br>x_tables 11279 3 ip_tables,xt_tcpudp,iptable_filter<br>orion_wdt 2869 0<br>hmac 2433 0<br>sha1_generic 1752 0<br>sha1_arm 3389 0<br>mv_cesa 10557 0<br>ext2 57351 2<br>mbcache 5128 1 ext2<br>netconsole 6138 0<br>configfs 21555 2 netconsole<br>sg 20167 0<br>sd_mod 33934 5<br>crc_t10dif 1110 1 sd_mod<br>sata_mv 24313 1<br>usb_storage 36513 2<br>libata 143640 1 sata_mv<br>marvell 7083 0<br>mvmdio 3128 0<br>scsi_mod 150844 4 sg,usb_storage,libata,sd_mod<br>mv643xx_eth 22129 0<br>libphy 16687 3 marvell,mvmdio,mv643xx_eth<br><br><br>Module check with 
check.sh:<br><br>CONFIG_XFRM_USER=m<br>CONFIG_NET_KEY=m<br>CONFIG_NET_KEY_MIGRATE=y<br>CONFIG_INET=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_TUNNEL=m<br>CONFIG_INET_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_INET_LRO=m<br>CONFIG_INET_DIAG=m<br>CONFIG_INET_TCP_DIAG=m<br>CONFIG_INET_UDP_DIAG=m<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_TUNNEL=m<br>CONFIG_INET6_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m<br>CONFIG_INET_DCCP_DIAG=m<br>CONFIG_IP_ADVANCED_ROUTER=y<br>CONFIG_IP_MULTIPLE_TABLES=y<br>CONFIG_INET_AH=m<br>CONFIG_INET_ESP=m<br>CONFIG_INET_IPCOMP=m<br>CONFIG_INET_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET_XFRM_MODE_TUNNEL=m<br>CONFIG_INET_XFRM_MODE_BEET=m<br>CONFIG_IPV6=m<br>CONFIG_IPV6_PRIVACY=y<br>CONFIG_IPV6_ROUTER_PREF=y<br>CONFIG_IPV6_ROUTE_INFO=y<br>CONFIG_IPV6_OPTIMISTIC_DAD=y<br>CONFIG_IPV6_MIP6=m<br>CONFIG_IPV6_SIT=m<br>CONFIG_IPV6_SIT_6RD=y<br>CONFIG_IPV6_NDISC_NODETYPE=y<br>CONFIG_IPV6_TUNNEL=m<br># CONFIG_IPV6_GRE is not 
set<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>CONFIG_IPV6_SUBTREES=y<br>CONFIG_IPV6_MROUTE=y<br>CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y<br>CONFIG_IPV6_PIMSM_V2=y<br>CONFIG_INET6_AH=m<br>CONFIG_INET6_ESP=m<br>CONFIG_INET6_IPCOMP=m<br>CONFIG_INET6_XFRM_MODE_TRANSPORT=m<br>CONFIG_INET6_XFRM_MODE_TUNNEL=m<br>CONFIG_INET6_XFRM_MODE_BEET=m<br>CONFIG_IPV6_MULTIPLE_TABLES=y<br>CONFIG_NETFILTER=y<br>CONFIG_NETFILTER_DEBUG=y<br>CONFIG_NETFILTER_ADVANCED=y<br>CONFIG_NETFILTER_NETLINK=m<br>CONFIG_NETFILTER_NETLINK_ACCT=m<br>CONFIG_NETFILTER_NETLINK_QUEUE=m<br>CONFIG_NETFILTER_NETLINK_LOG=m<br>CONFIG_NETFILTER_NETLINK_QUEUE_CT=y<br>CONFIG_NETFILTER_TPROXY=m<br>CONFIG_NETFILTER_XTABLES=m<br>CONFIG_NETFILTER_XT_MARK=m<br>CONFIG_NETFILTER_XT_CONNMARK=m<br>CONFIG_NETFILTER_XT_SET=m<br>CONFIG_NETFILTER_XT_TARGET_AUDIT=m<br>CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m<br>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m<br>CONFIG_NETFILTER_XT_TARGET_CONNMARK=m<br>CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m<br>CONFIG_NETFILTER_XT_TARGET_CT=m<br>CONFIG_NETFILTER_XT_TARGET_DSCP=m<br>CONFIG_NETFILTER_XT_TARGET_HL=m<br>CONFIG_NETFILTER_XT_TARGET_HMARK=m<br>CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m<br>CONFIG_NETFILTER_XT_TARGET_LED=m<br>CONFIG_NETFILTER_XT_TARGET_LOG=m<br>CONFIG_NETFILTER_XT_TARGET_MARK=m<br>CONFIG_NETFILTER_XT_TARGET_NETMAP=m<br>CONFIG_NETFILTER_XT_TARGET_NFLOG=m<br>CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m<br>CONFIG_NETFILTER_XT_TARGET_NOTRACK=m<br>CONFIG_NETFILTER_XT_TARGET_RATEEST=m<br>CONFIG_NETFILTER_XT_TARGET_REDIRECT=m<br>CONFIG_NETFILTER_XT_TARGET_TEE=m<br>CONFIG_NETFILTER_XT_TARGET_TPROXY=m<br>CONFIG_NETFILTER_XT_TARGET_TRACE=m<br>CONFIG_NETFILTER_XT_TARGET_SECMARK=m<br>CONFIG_NETFILTER_XT_TARGET_TCPMSS=m<br>CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m<br>CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m<br>CONFIG_NETFILTER_XT_MATCH_BPF=m<br>CONFIG_NETFILTER_XT_MATCH_CLUSTER=m<br>CONFIG_NETFILTER_XT_MATCH_COMMENT=m<br>CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m<br>CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m<br>
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_CONNMARK=m<br>CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m<br>CONFIG_NETFILTER_XT_MATCH_CPU=m<br>CONFIG_NETFILTER_XT_MATCH_DCCP=m<br>CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m<br>CONFIG_NETFILTER_XT_MATCH_DSCP=m<br>CONFIG_NETFILTER_XT_MATCH_ECN=m<br>CONFIG_NETFILTER_XT_MATCH_ESP=m<br>CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_HELPER=m<br>CONFIG_NETFILTER_XT_MATCH_HL=m<br>CONFIG_NETFILTER_XT_MATCH_IPRANGE=m<br>CONFIG_NETFILTER_XT_MATCH_IPVS=m<br>CONFIG_NETFILTER_XT_MATCH_LENGTH=m<br>CONFIG_NETFILTER_XT_MATCH_LIMIT=m<br>CONFIG_NETFILTER_XT_MATCH_MAC=m<br>CONFIG_NETFILTER_XT_MATCH_MARK=m<br>CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m<br>CONFIG_NETFILTER_XT_MATCH_NFACCT=m<br>CONFIG_NETFILTER_XT_MATCH_OSF=m<br>CONFIG_NETFILTER_XT_MATCH_OWNER=m<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br>CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m<br>CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m<br>CONFIG_NETFILTER_XT_MATCH_QUOTA=m<br>CONFIG_NETFILTER_XT_MATCH_RATEEST=m<br>CONFIG_NETFILTER_XT_MATCH_REALM=m<br>CONFIG_NETFILTER_XT_MATCH_RECENT=m<br>CONFIG_NETFILTER_XT_MATCH_SCTP=m<br>CONFIG_NETFILTER_XT_MATCH_SOCKET=m<br>CONFIG_NETFILTER_XT_MATCH_STATE=m<br>CONFIG_NETFILTER_XT_MATCH_STATISTIC=m<br>CONFIG_NETFILTER_XT_MATCH_STRING=m<br>CONFIG_NETFILTER_XT_MATCH_TCPMSS=m<br>CONFIG_NETFILTER_XT_MATCH_TIME=m<br>CONFIG_NETFILTER_XT_MATCH_U32=m<br>CONFIG_NETFILTER_XTABLES=m<br>CONFIG_NETFILTER_XT_MATCH_POLICY=m<br>root@nas:/home/nas#<br><br> </div></div> </div></body>
</html>