[strongSwan-dev] How to disable Extended sequence number support from SS5 code

Martin Willi martin at strongswan.org
Fri Aug 24 08:52:59 CEST 2012

Hi Jordan,

> 00[KNL] XFRM_PPLICY_OUT sol = 0, ipsec_policy = 17, policy.sel.dport 0
> 00[NET] installing IKE bypass policy failed
> Ok, so you're doing  a setsockopt SO_PEERCRED call.

No. This setsockopt() works on the SOL_IP level, where 17 stands for

The call installs a bypass IPsec policy for the IKE socket, forcing all
IKE communication to stay outside of any established IPsec tunnel.

> Do you have any other hints for me what this could be happening?

As already said, most likely is that your kernel (configuration) misses
support for XFRM. If that doesn't help, you might have to dig into the
kernel source and find out where and why Linux returns "not supported"
for this setsockopt operation.


More information about the Dev mailing list