[strongSwan-dev] How to disable Extended sequence number support from SS5 code

yordanos beyene yordanosb at gmail.com
Thu Aug 23 07:59:29 CEST 2012


Hi Martin,

Thanks for your reply.
I've enabled all the kernel options set as described here:

http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

Despite this the setsockopt doesn't work.
I added some more debugging output at the setsockopt function and this is
what I get:

00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
00[KNL] file strongswan/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c, function bypass_socket
00[KNL] XFRM_PPLICY_OUT sol = 0, ipsec_policy = 17, policy.sel.dport = 0
00[NET] installing IKE bypass policy failed

Ok, so you're doing a setsockopt SO_PEERCRED call.
Do you have any other hints for me why this could be happening?
I am running linux 2.6.34 kernel for x86_64.
Thanks,

Jordan.



On Mon, Aug 20, 2012 at 11:03 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi Jordan,
>
> > 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported.
>
> This error is triggered at [1] while installing IPsec bypass policy for
> the IKE socket. I don't think it is related to ESN, but something else
> is missing in your kernel configuration. Please check that you have all
> options included as seen in [2].
>
> > I prefer to disable ESN instead of patching my kernel to limit other
> > side effects to other code
>
> ESN is used only if you include it in your "esp" proposal in ipsec.conf,
> otherwise ESN is disabled.
>
> Regards
> Martin
>
> [1]
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=73d29005#l2583
> [2] http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
>
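
A stand-alone check for the failing call discussed in this thread, added here as an example (it is not strongSwan's code and not from either poster): it repeats the per-socket XFRM bypass-policy setsockopt() on a fresh UDP socket and returns the kernel's errno, so the result can be compared with the "Operation not supported" log line outside the daemon. The function names policy_sockopt and try_bypass are hypothetical; it assumes Linux with the kernel's linux/xfrm.h header installed, and setting this option requires CAP_NET_ADMIN (run as root).

```c
/* Added diagnostic, not strongSwan code: try the per-socket XFRM policy
 * setsockopt() outside the IKE daemon and report the kernel's errno. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/xfrm.h>

/* Map an address family to its (level, option) pair; -1 if unsupported.
 * IPPROTO_IP is 0 and IP_XFRM_POLICY is 17, the values seen in the log. */
int policy_sockopt(int family, int *sol, int *opt)
{
    switch (family) {
    case AF_INET:  *sol = IPPROTO_IP;   *opt = IP_XFRM_POLICY;   return 0;
    case AF_INET6: *sol = IPPROTO_IPV6; *opt = IPV6_XFRM_POLICY; return 0;
    default:       return -1;
    }
}

/* Attach an "allow" policy for one direction to a fresh UDP socket.
 * Returns 0 on success, otherwise the errno of the failing call. */
int try_bypass(int family, int dir)
{
    struct xfrm_userpolicy_info policy;
    int sol, opt, fd, err = 0;
    if (policy_sockopt(family, &sol, &opt) < 0)
        return EAFNOSUPPORT;
    fd = socket(family, SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0)
        return errno;
    memset(&policy, 0, sizeof(policy));
    policy.action = XFRM_POLICY_ALLOW;
    policy.sel.family = family;
    policy.dir = dir;
    if (setsockopt(fd, sol, opt, &policy, sizeof(policy)) < 0)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    int fams[] = { AF_INET, AF_INET6 };
    int dirs[] = { XFRM_POLICY_IN, XFRM_POLICY_OUT };
    for (int f = 0; f < 2; f++)
        for (int d = 0; d < 2; d++) {
            int e = try_bypass(fams[f], dirs[d]);
            printf("%s dir=%d: %s\n", f ? "AF_INET6" : "AF_INET",
                   dirs[d], e ? strerror(e) : "ok");
        }
    return 0;
}
```
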