[strongSwan-dev] Unable to setup child SA with ESN on kernel 3.0.101-0.15-xen

Sriram Yagnaraman sriram.yagnaraman at ericsson.com
Mon Dec 28 14:36:53 CET 2015


Hi,

I am trying to set up an IPsec tunnel on a Linux machine with kernel (3.0.101-0.15) with extended sequence numbers, but it seems Linux rejects the XFRM_MSG_UPDSA because ESN is on.
It works fine with ESN off. Has anyone seen this problem?

Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> received proposals: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ/NO_EXT_SEQ
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> getting SPI for reqid {2}
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> got SPI c489df14 for reqid {2}
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selecting traffic selectors for us:
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2>  config: 10.91.154.0/28, received: 0.0.0.0/0 => match: 10.91.154.0/28
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selecting traffic selectors for other:
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2>  config: 10.91.54.66/32, received: 10.91.54.66/32 => match: 10.91.54.66/32
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   using AES_CBC for encryption
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   using HMAC_MD5_96 for integrity
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding inbound ESP SA
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   SPI 0xc489df14, src 10.91.54.82 dst 10.91.54.85
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI c489df14 and reqid {2}  (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI c489df14
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding outbound ESP SA
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   SPI 0x393bf12c, src 10.91.54.85 dst 10.91.54.82
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI 393bf12c and reqid {2}  (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI 393bf12c
Dec 27 17:43:43 14[IKE] <dut-STP_H54|2> unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type NOTIFY to message
Dec 27 17:43:43 14[IKE] <dut-STP_H54|2> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleting SAD entry with SPI c489df14  (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleted SAD entry with SPI c489df14 (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleting SAD entry with SPI 393bf12c  (mark 0/0x00000000)
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type ID_RESPONDER to message
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type AUTHENTICATION to message
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type NOTIFY to message
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]

Contents of ipsec.conf
==================
rth15:/boot # cat /usr/local/etc/ipsec.conf
conn %default
                ikelifetime=1440m
                lifetime=1440m
                margintime=4320s
                reauth=no
                rekey=yes
                rekeyfuzz=0%

conn dut-STP_H54
                ike=aes128-aesxcbc-aesxcbc-modp1024
                esp=aes128-md5-esn-noesn
                authby=secret
                left=10.91.54.85
                leftsubnet=10.91.154.0/28
                leftfirewall=yes
                right=10.91.54.82
                rightsubnet=10.91.54.66/32
                dpdaction=clear
                dpddelay=0s
                auto=add

rth15:/usr/local/etc # uname -a
Linux rth15 3.0.101-0.15-xen #1 SMP Wed Jan 22 15:49:03 UTC 2014 (5c01f4e) i686 i686 i386 GNU/Linux

BR,
/Sriram
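As an added example (not part of Sriram's mail or of strongSwan itself), a small Python checker that groups strongSwan's [KNL] log lines into one record per SAD install attempt and flags the attempts that requested ESN and then received a netlink error, so an operator can separate an ESN-capability rejection from other SA install failures. The sample log is the failing inbound SA from the post plus a constructed non-ESN install (with a made-up SPI) that must not be flagged.

```python
import re

# Constructed sample: the failing inbound SA from the post, followed by a
# constructed non-ESN install with no error lines (SPI 0a1b2c3d is made up).
SAMPLE_LOG = """\
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI c489df14 and reqid {2}  (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI c489df14
Dec 27 17:50:01 09[KNL] <dut-STP_H54|3> adding SAD entry with SPI 0a1b2c3d and reqid {2}  (mark 0/0x00000000)
Dec 27 17:50:01 09[KNL] <dut-STP_H54|3>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:50:01 09[KNL] <dut-STP_H54|3>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:50:01 09[KNL] <dut-STP_H54|3>   using replay window of 32 packets
"""

# "Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> message": thread id, log group, IKE_SA context, text
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \d+\[(?P<grp>\w+)\] <(?P<ctx>[^>]+)> (?P<msg>.*)$")
SA_RE = re.compile(r"adding SAD entry with SPI (?P<spi>[0-9a-f]+)")
ERR_RE = re.compile(r"received netlink error: (?P<text>.+) \((?P<errno>\d+)\)")


def parse_sa_installs(log):
    """Return one record per 'adding SAD entry' attempt, with the flags
    strongSwan logged for it and the errno of any netlink error that followed."""
    records, current = [], None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("grp") != "KNL":
            continue  # only the kernel-interface log group matters here
        msg = m.group("msg").strip()
        sa = SA_RE.search(msg)
        if sa:  # a new install attempt starts; later lines describe it
            current = {"ctx": m.group("ctx"), "spi": sa.group("spi"),
                       "esn": False, "replay_window": None, "errno": None}
            records.append(current)
        elif current is None:
            continue
        elif msg.startswith("using replay window of"):
            current["replay_window"] = int(msg.split()[4])
        elif msg.startswith("using extended sequence numbers"):
            current["esn"] = True
        elif (err := ERR_RE.search(msg)):
            current["errno"] = int(err.group("errno"))
    return records


def esn_rejections(records):
    """Install attempts the kernel refused while ESN had been requested."""
    return [r for r in records if r["esn"] and r["errno"] is not None]
```

Running `esn_rejections(parse_sa_installs(SAMPLE_LOG))` reports only SPI c489df14 with errno 2; the non-ESN attempt is left alone.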