[strongSwan-dev] How to disable Extended sequence number support from SS5 code

Martin Willi martin at strongswan.org
Fri Aug 24 08:52:59 CEST 2012


Hi Jordan,

> 00[KNL] XFRM_PPLICY_OUT sol = 0, ipsec_policy = 17, policy.sel.dport 0
> 00[NET] installing IKE bypass policy failed
> 
> Ok, so you're doing a setsockopt SO_PEERCRED call.

No. This setsockopt() works on the SOL_IP level, where 17 stands for
IP_XFRM_POLICY. 

The call installs a bypass IPsec policy for the IKE socket, forcing all
IKE communication to stay outside of any established IPsec tunnel.

> Do you have any other hints for me why this could be happening?

As already said, most likely your kernel (configuration) lacks
support for XFRM. If that doesn't help, you might have to dig into the
kernel source and find out where and why Linux returns "not supported"
for this setsockopt operation.

Regards
Martin
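
Added example (not part of the message above and not strongSwan's own code): a small stand-alone diagnostic that attempts the same SOL_IP / IP_XFRM_POLICY bypass on a throwaway UDP socket and reports the kernel's error, so the failure can be reproduced outside the daemon. The function names are hypothetical, and the hint about CONFIG_XFRM / CONFIG_XFRM_USER is an assumption about where to look first, not something the post states.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/xfrm.h>

#ifndef SOL_IP
#define SOL_IP IPPROTO_IP      /* 0, the "sol = 0" in the log line */
#endif
#ifndef IP_XFRM_POLICY
#define IP_XFRM_POLICY 17      /* the "ipsec_policy = 17" in the log line */
#endif

/* An ALLOW policy with no transform templates: socket traffic skips IPsec. */
struct xfrm_userpolicy_info make_bypass(int family, int dir)
{
    struct xfrm_userpolicy_info p;
    memset(&p, 0, sizeof(p));
    p.action = XFRM_POLICY_ALLOW;
    p.sel.family = family;
    p.dir = dir;
    return p;
}

/* Returns 0 on success, otherwise the errno set by setsockopt(). */
int try_bypass(int fd, int dir)
{
    struct xfrm_userpolicy_info p = make_bypass(AF_INET, dir);
    if (setsockopt(fd, SOL_IP, IP_XFRM_POLICY, &p, sizeof(p)) < 0)
        return errno;
    return 0;
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int dirs[] = { XFRM_POLICY_OUT, XFRM_POLICY_IN };
    for (int i = 0; i < 2; i++) {
        int err = try_bypass(fd, dirs[i]);
        printf("dir=%d: %s\n", dirs[i], err ? strerror(err) : "ok");
        if (err == EPERM) puts("  needs CAP_NET_ADMIN (run as root)");
        else if (err) puts("  check CONFIG_XFRM / CONFIG_XFRM_USER (assumed)");
    }
    close(fd);
    return 0;
}
```

Run it as root on the affected system: an error other than a permission failure points at the kernel rather than at the strongSwan configuration.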
