<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">NM, it seems to be a server issue. Other services are fine via IPSec.<div class=""><br class=""></div><div class="">Thanks for the help. :)</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jun 25, 2015, at 3:11 PM, Glen Huang <<a href="mailto:curvedmark@gmail.com" class="">curvedmark@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">I toke a closer look at the messages. It seems the aes module is missing. I installed it and finally no error messages.<div class=""><br class=""></div><div class="">But after the SA is up, I ping right, no response at all. While pinging, I can see a bunch of "UDP-encap: ESP" messages from left to right showing up every second from tcpdump, but no right to left, except for occasional "isakmp-nat-keep-alive" (only right to left) and "NONESP-encap: isakmp: phase 2/others ? inf[E]" (bidirectional) messages.<div class=""><div class=""><br class=""></div><div class="">What I might have done wrong?</div><div class=""><br class=""></div><div class=""><div class=""><blockquote type="cite" class=""><div class="">On Jun 25, 2015, at 11:20 AM, Glen Huang <<a href="mailto:curvedmark@gmail.com" class="">curvedmark@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Noel,<div class=""><br class=""></div><div class="">Thanks for the help. These are the log messages:</div><div class=""><a href="http://pastebin.com/QjsA0XW2" class="">http://pastebin.com/QjsA0XW2</a></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><div class=""><blockquote type="cite" class=""><div class="">On Jun 25, 2015, at 1:45 AM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de" class="">noel@familie-kuntze.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><br class="">-----BEGIN PGP SIGNED MESSAGE-----<br class="">Hash: SHA256<br class=""><br class="">Hello Glen,<br class=""><br class="">No, they are not. There are different key exchanges and algorithm negotiations for IKE and the subsequent SA pairs.<br class="">You need to configure a file logger[1] and look at the logs to figure out what algos are negotiated for the IPsec SAs.<br class=""><br class="">Use those options for the file logger:<br class="">                        default = 3<br class="">                        mgr = 1<br class="">                        ike = 1<br class="">                        net = 1<br class="">                        enc = 0<br class="">                        cfg = 2<br class="">                        asn = 1<br class="">                        job = 1                <br class="">                        knl = 1<br class=""><br class="">[1] <a href="https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration" class="">https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration</a><br class="">Mit freundlichen Grüßen/Kind Regards,<br class="">Noel Kuntze<br class=""><br class="">GPG Key ID: 0x63EC6658<br class="">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br class=""><br class="">Am 24.06.2015 um 19:42 schrieb Glen Huang:<br class=""><blockquote type="cite" class="">Thank you. How do i check what algorithms are negotiated? Are those the "IKE proposal" from ipsec statusall?<br class=""><br class="">If so, they are "3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536", which ones do you think are missing from the lsmod list?<br class=""><br class=""><blockquote type="cite" class="">On Jun 25, 2015, at 1:36 AM, Noel Kuntze <<a href="mailto:noel@familie-kuntze.de" class="">noel@familie-kuntze.de</a>> wrote:<br class=""><br class=""><br class=""></blockquote>Hello Glen,<br class=""><br class="">You obviously also need kernel support for the algorithms<br class="">that are negotiated for the IPsec SAs.<br class="">Check what algorithms are negotitated and then load the corresponding<br class="">kernel module.<br class=""><br class="">Mit freundlichen Grüßen/Kind Regards,<br class="">Noel Kuntze<br class=""><br class="">GPG Key ID: 0x63EC6658<br class="">Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br class=""><br class="">Am 24.06.2015 um 19:30 schrieb Glen Huang:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class="">Hi,<br class=""><br class="">I'm trying to establish a ikev1 transport SA, but it failed with error like "received netlink error: Function not implemented (89)", I guess it might be that some algo module or kernel module is missing?<br class=""><br class="">ipsec.conf<br class=""><a href="http://pastebin.com/WsBDWvCC" class="">http://pastebin.com/WsBDWvCC</a><br class=""><br class="">messages from ipsec up<br class=""><a href="http://pastebin.com/iDxisnVt" class="">http://pastebin.com/iDxisnVt</a><br class=""><br class="">ipsec statusall<br class=""><a href="http://pastebin.com/CH6bQGYL" class="">http://pastebin.com/CH6bQGYL</a><br class=""><br class="">output of lsmod<br class="">http://pastebin.com/7NJD0Mxa<br class=""><br class="">I have googled as hard as I can't, but didn't find any thing useful. I tried kernel-libipsec, but unfortunately it doesn't support transport mode. So I'm at my wits end. Could some one help me identify the missing part?<br class=""><br class="">Thanks in advance.<br class=""><br class=""><br class="">_______________________________________________<br class="">Users mailing list<br class="">Users@lists.strongswan.org<br class="">https://lists.strongswan.org/mailman/listinfo/users<br class=""></blockquote></blockquote></blockquote><br class=""><blockquote type="cite" class=""><br class="">_______________________________________________<br class="">Users mailing list<br class=""><a href="mailto:Users@lists.strongswan.org" class="">Users@lists.strongswan.org</a><br class=""><a href="https://lists.strongswan.org/mailman/listinfo/users" class="">https://lists.strongswan.org/mailman/listinfo/users</a><br class=""></blockquote><br class=""></blockquote><br class="">-----BEGIN PGP SIGNATURE-----<br class="">Version: GnuPG v2<br class=""><br class="">iQIcBAEBCAAGBQJViuzOAAoJEDg5KY9j7GZYpgcP/1DMKUt952SyFsSMOksR9CQJ<br class="">NUX0ieuBV/yVjW7N++28p7wlcCts1Mm143zAI3mjR2/YT2YujvjvItS1P1fHUyJ/<br class="">EtthBFqcqSvPAlGwJClCBqHvRfHP7k7NXi7GLF6pMTxtY3hPKBKQAn8m4wqaY+NU<br class="">G4OFoT0l/cCLbdQsrf87jJ01Xp74dkpncl3hexhTnyfFjJOysrvxC7BYYmYOYmu9<br class="">AiZW3YS9byXYDLTfwfo/H//m/GeCpQcQHp0uAXkGEVB77i9GIlFvAj0lGPb9/cuN<br class="">mcqHn9AFXiKr71jAVWOYX3eCN2WqbJOO1y9JJq9WD+syx3dGyKlVa/w6c+xE8tTm<br class="">w62fLUE0sXGdtRK4FOT+q4PtH2QuY5IP16l+Y93LQl9+f8nz6Pe3Rmn4X29h4maD<br class="">C9DIxc9Gecw/b9g/kxTyjCf41UxuLpRg0CZ1JYsVhaEEYgk7LcKlrAT9fc2QWhTK<br class="">Kp5tIOzeHkiQ9sWdyTIsLS8yJlHUXKmwXUQ3nfLRi1IJPkc+Sggs6nlebR+vW7zE<br class="">DrlUMMQnye69v+MAxMBHzHDDzH1PNGtbXbojwbtoPXDjnG2FGB7sPqJ2IY9qFf2J<br class="">fx2FRqocNPls20VQHWs9sQTOAweg9ptxKj1P7X5WZEYE7PC0FdKf3oZcqISfk5xw<br class="">o617eyUW0S3MVhW6I8TJ<br class="">=1Hvn<br class="">-----END PGP SIGNATURE-----<br class=""><br class=""></div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></div></div></div></blockquote></div><br class=""></div></body></html>