<div dir="ltr">Hi all,<br><br><p>I am trying to set up an IPsec tunnel to a Juniper security gateway
using a strongSwan client on a Linux machine and preshared keys.</p>
<p>This is what I get when trying to bring the connection up:</p><pre><code>root@localhost:/etc# ipsec up home
initiating IKE_SA home[32] to 192.168.226.1
generating IKE_SA_INIT request 0 [ SA KE No N(HASH_ALG) ]
sending packet: from 192.168.226.132[500] to 192.168.226.1[500] (1092 bytes)
received packet: from 192.168.226.1[500] to 192.168.226.132[500] (408 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
authentication of '192.168.226.132' (myself) with pre-shared key
establishing CHILD_SA home
WARNING: No stream registered yet
unable to allocate SPIs from kernel
establishing connection 'home' failed</code></pre><p>I'm guessing it fails because of the "<em>unable to allocate SPIs from kernel</em>" error.</p>
<p>My <code>ipsec.conf</code> file looks like this:</p><pre><code>root@localhost:/etc# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    #plutostart=yes
    charondebug="chd 2, knl 3, ike 2, cfg 2, enc 2, esp 2, net 2"
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
conn home
    left=192.168.226.132
    leftsourceip=10.67.238.132
    leftfirewall=yes
    right=192.168.226.1
    auto=add</code></pre><p>The status:</p><pre><code>root@localhost:/# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.1, Linux 3.10.55-xxxx, xxxx):
uptime: 16 minutes, since Feb 23 14:26:15 2016
malloc: sbrk 2699264, mmap 6164480, used 233640, free 2465624
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl xcbc cmac hmac attr ike-kernel-ipsec kernel-netlink resolve socket-default stroke ike_config
Listening IP addresses:
169.254.2.2
10.67.225.132
192.168.226.132
Connections:
home: 192.168.226.132...192.168.226.1 IKEv2
home: local: [192.168.226.132] uses pre-shared key authentication
home: remote: [192.168.226.1] uses pre-shared key authentication
home: child: dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
none</code></pre><p>I understand there could be a number of reasons why the SA could not be established from the kernel point of view, but any help on how to actually troubleshoot these kinds of errors would be greatly appreciated.</p><p>Thanks in advance.</p><p>Regards,<br>Marko</p></div>