[strongSwan-dev] Unable to setup child SA with ESN on kernel 3.0.101-0.15-xen

John WW wrxzzj at gmail.com
Mon Dec 28 15:40:11 CET 2015


As far as I know, this error is always caused by the kernel: your VPN config wasn't
supported by your kernel.
On Dec 28, 2015 at 21:36, "Sriram Yagnaraman" <sriram.yagnaraman at ericsson.com> wrote:

> Hi,
>
> I am trying to set up an IPsec tunnel on a Linux machine with kernel
> (3.0.101-0.15) with extended sequence numbers, but it seems Linux rejects
> the XFRM_MSG_UPDSA because ESN is on.
>
> It works fine with ESN off. Has anyone seen this problem?
>
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> received proposals: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ/NO_EXT_SEQ
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> getting SPI for reqid {2}
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> got SPI c489df14 for reqid {2}
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selecting traffic selectors for us:
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2>  config: 10.91.154.0/28, received: 0.0.0.0/0 => match: 10.91.154.0/28
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selecting traffic selectors for other:
> Dec 27 17:43:43 14[CFG] <dut-STP_H54|2>  config: 10.91.54.66/32, received: 10.91.54.66/32 => match: 10.91.54.66/32
> Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   using AES_CBC for encryption
> Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   using HMAC_MD5_96 for integrity
> Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding inbound ESP SA
> Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   SPI 0xc489df14, src 10.91.54.82 dst 10.91.54.85
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI c489df14 and reqid {2}  (mark 0/0x00000000)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI c489df14
> Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding outbound ESP SA
> Dec 27 17:43:43 14[CHD] <dut-STP_H54|2>   SPI 0x393bf12c, src 10.91.54.85 dst 10.91.54.82
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI 393bf12c and reqid {2}  (mark 0/0x00000000)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI 393bf12c
> Dec 27 17:43:43 14[IKE] <dut-STP_H54|2> unable to install inbound and outbound IPsec SA (SAD) in kernel
> Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type NOTIFY to message
> Dec 27 17:43:43 14[IKE] <dut-STP_H54|2> failed to establish CHILD_SA, keeping IKE_SA
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleting SAD entry with SPI c489df14  (mark 0/0x00000000)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleted SAD entry with SPI c489df14 (mark 0/0x00000000)
> Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleting SAD entry with SPI 393bf12c  (mark 0/0x00000000)
> Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type ID_RESPONDER to message
> Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type AUTHENTICATION to message
> Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type NOTIFY to message
> Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
>
> Contents of ipsec.conf
> ==================
>
> rth15:/boot # cat /usr/local/etc/ipsec.conf
>
> conn %default
>                 ikelifetime=1440m
>                 lifetime=1440m
>                 margintime=4320s
>                 reauth=no
>                 rekey=yes
>                 rekeyfuzz=0%
>
> conn dut-STP_H54
>                 ike=aes128-aesxcbc-aesxcbc-modp1024
>                 esp=aes128-md5-esn-noesn
>                 authby=secret
>                 left=10.91.54.85
>                 leftsubnet=10.91.154.0/28
>                 leftfirewall=yes
>                 right=10.91.54.82
>                 rightsubnet=10.91.54.66/32
>                 dpdaction=clear
>                 dpddelay=0s
>                 auto=add
>
> rth15:/usr/local/etc # uname -a
> Linux rth15 3.0.101-0.15-xen #1 SMP Wed Jan 22 15:49:03 UTC 2014 (5c01f4e) i686 i686 i386 GNU/Linux
>
> BR,
>
> /Sriram
>
> _______________________________________________
> Dev mailing list
> Dev at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/dev
>
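The quoted log shows the pattern the reply points at: every "adding SAD entry" block that requests extended sequence numbers is followed by "received netlink error: No such file or directory (2)" from the kernel, so the CHILD_SA never comes up. The script below is an added example, not strongSwan code and not part of the thread: it parses the kernel-netlink (KNL) lines of a strongSwan log, groups them into per-SPI add attempts, records whether ESN and what replay window were requested and whether the kernel returned an errno, and then decides whether the failures are specific to ESN-enabled SAs. The sample log embeds the two real attempts from the quoted message plus a constructed, non-ESN attempt (SPIs cafe0001/cafe0002, thread 15, IKE_SA id 3 are invented) that the kernel accepts, so the contrast is visible.

```python
"""Correlate strongSwan KNL log lines with the SA options requested just
before a netlink error, to separate an ESN-specific rejection from other
SAD failures.  Added example; it does not reproduce strongSwan's own tooling."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample log.  The two ESN attempts are copied from the quoted message; the
# two trailing non-ESN attempts (SPI cafe0001/cafe0002) are constructed.
SAMPLE_LOG = """\
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI c489df14 and reqid {2}  (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI c489df14
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding outbound ESP SA
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI 393bf12c and reqid {2}  (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2>   using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI 393bf12c
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3> adding SAD entry with SPI cafe0001 and reqid {3}  (mark 0/0x00000000)
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3>   using replay window of 32 packets
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3> adding SAD entry with SPI cafe0002 and reqid {3}  (mark 0/0x00000000)
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3>   using encryption algorithm AES_CBC with key size 128
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3>   using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:50:00 15[KNL] <dut-STP_H54|3>   using replay window of 32 packets
"""

# "<Mon> <day> <time> <thread>[GROUP] <ike-sa name|id> message"
LINE_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \d+\[(?P<group>[A-Z]+)\] <[^>]+> (?P<msg>.*)$")
ADD_RE = re.compile(r"adding SAD entry with SPI ([0-9a-f]+)")
REPLAY_RE = re.compile(r"using replay window of (\d+) packets")
ERR_RE = re.compile(r"received netlink error: (?P<text>.+) \((?P<errno>\d+)\)")


@dataclass
class SadAttempt:
    spi: str
    esn: bool = False
    replay_window: int = 0
    errno: Optional[int] = None   # None: no netlink error was logged for this SA
    error_text: str = ""


def parse_sad_attempts(log: str) -> List[SadAttempt]:
    """Group KNL lines into one SadAttempt per 'adding SAD entry' block."""
    attempts: List[SadAttempt] = []
    current: Optional[SadAttempt] = None
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m or m.group("group") != "KNL":
            continue                      # only the kernel interface lines matter here
        msg = m.group("msg").strip()
        add = ADD_RE.search(msg)
        if add:
            current = SadAttempt(spi=add.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue
        if "extended sequence numbers" in msg:
            current.esn = True
        elif (replay := REPLAY_RE.search(msg)):
            current.replay_window = int(replay.group(1))
        elif (err := ERR_RE.search(msg)):
            current.errno = int(err.group("errno"))
            current.error_text = err.group("text")
    return attempts


def diagnose(attempts: List[SadAttempt]) -> str:
    """'esn-specific' when every failed SA asked for ESN and no accepted SA did."""
    failed = [a for a in attempts if a.errno is not None]
    accepted = [a for a in attempts if a.errno is None]
    if not failed:
        return "no-failures"
    if all(a.esn for a in failed) and not any(a.esn for a in accepted):
        return "esn-specific"
    return "not-esn-specific"


if __name__ == "__main__":
    found = parse_sad_attempts(SAMPLE_LOG)
    for a in found:
        status = "ok" if a.errno is None else f"errno {a.errno} ({a.error_text})"
        print(f"SPI {a.spi}: esn={a.esn} replay={a.replay_window} -> {status}")
    print("verdict:", diagnose(found))
```

Run it against a real `charon` log (debug level 1 for the KNL group is enough to get these lines) to confirm the kernel only refuses ESN-enabled SAs before changing the `esp=` proposal or the kernel; errno 2 is the ENOENT the quoted log shows, and a different errno on the non-ESN SAs would point elsewhere.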