[strongSwan-dev] How to disable Extended sequence number support from SS5 code

yordanos beyene yordanosb at gmail.com
Tue Sep 4 03:21:22 CEST 2012


Martin,

Thank you for the tips. It helped me focus on the key issue - XFRM - and
resolved it.

Thanks!
Jordan.

On Thu, Aug 23, 2012 at 11:52 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi Jordan,
>
> > 00[KNL] XFRM_PPLICY_OUT sol = 0, ipsec_policy = 17, policy.sel.dport 0
> > 00[NET] installing IKE bypass policy failed
> >
> > Ok, so you're doing a setsockopt SO_PEERCRED call.
>
> No. This setsockopt() works on the SOL_IP level, where 17 stands for
> IP_XFRM_POLICY.
>
> The call installs a bypass IPsec policy for the IKE socket, forcing all
> IKE communication to stay outside of any established IPsec tunnel.
>
> > Do you have any other hints for me what this could be happening?
>
> As already said, most likely is that your kernel (configuration) misses
> support for XFRM. If that doesn't help, you might have to dig into the
> kernel source and find out where and why Linux returns "not supported"
> for this setsockopt operation.
>
> Regards
> Martin
>
>
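
The call described in the quoted reply, as an added example (not strongSwan's code and not part of the thread): a stand-alone Linux probe that issues the same SOL_IP / IP_XFRM_POLICY setsockopt() on a UDP socket and interprets the error. The function names and the errno-to-cause mapping are assumptions of this example, the mapping being based on mainline Linux behaviour.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/xfrm.h>
#ifndef SOL_IP
#define SOL_IP 0              /* the "sol = 0" in the log line */
#endif
#ifndef IP_XFRM_POLICY
#define IP_XFRM_POLICY 17     /* the "ipsec_policy = 17" in the log line */
#endif

/* Zeroed selector (any address, any port, hence dport 0) with action ALLOW. */
void make_bypass_policy(struct xfrm_userpolicy_info *p, int family, int dir) {
    memset(p, 0, sizeof(*p));
    p->action = XFRM_POLICY_ALLOW;
    p->sel.family = family;
    p->dir = dir;
}

/* Install the policy for one direction; returns 0 or the errno value. */
int try_bypass(int fd, int dir) {
    struct xfrm_userpolicy_info p;
    make_bypass_policy(&p, AF_INET, dir);
    return setsockopt(fd, SOL_IP, IP_XFRM_POLICY, &p, sizeof(p)) < 0 ? errno : 0;
}

/* Likely cause per errno. Assumption: mapping follows mainline Linux. */
const char *diagnose(int err) {
    switch (err) {
    case 0:           return "bypass policy installed";
    case EPERM:       return "CAP_NET_ADMIN missing, run as root";
    case ENOPROTOOPT: return "kernel built without CONFIG_XFRM";
    case EOPNOTSUPP:
    case EINVAL:      return "no XFRM key manager took it, check CONFIG_XFRM_USER";
    default:          return strerror(err);
    }
}

int main(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    int out = try_bypass(fd, XFRM_POLICY_OUT), in = try_bypass(fd, XFRM_POLICY_IN);
    printf("OUT: %s\nIN:  %s\n", diagnose(out), diagnose(in));
    close(fd);
    return out || in;
}
```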