[strongSwan-dev] How to disable Extended sequence number support from SS5 code

yordanos beyene yordanosb at gmail.com
Thu Aug 23 07:59:29 CEST 2012

Hi Martin,

Thanks for your reply.
I've enabled all the kernel options set as described here:


Despite this the setsockopt doesn't work.
I added some more debugging output at the setsockopt function and this is
what i get:

00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported
00[KNL] file
function bypass_socket
00[KNL] XFRM_PPLICY_OUT sol = 0, ipsec_policy = 17, policy.sel.dport = 0
00[NET] installing IKE bypass policy failed

Ok, so you're doing  a setsockopt SO_PEERCRED call.
Do you have any other hints for me what this could be happening?
I am running linux 2.6.34 kernel for x86_64.


On Mon, Aug 20, 2012 at 11:03 PM, Martin Willi <martin at strongswan.org>wrote:

> Hi Jordan,
> > 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported.
> This error is triggered at [1] while installing IPsec bypass policy for
> the IKE socket. I don't think it is related to ESN, but something else
> is missing in your kernel configuration. Please check that you have all
> options included as seen in [2].
> > I prefer to disable ESN instead of patching my kernel to limited other
> > side effects to other code
> ESN is used only if you include it in your "esp" proposal in ipsec.conf,
> otherwise ESN is disabled.
> Regards
> Martin
> [1]
> http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;h=73d29005#l2583
> [2]http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/dev/attachments/20120822/c3b0d1c0/attachment.html>

More information about the Dev mailing list