[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue
andreas.steffen at strongswan.org
Tue Apr 20 15:13:19 CEST 2010
On 20.04.2010 12:11, shyamsundar.purkayastha at wipro.com wrote:
> But I have a new error when I try to bring up my configuration
> [root at localhost ~]# ipsec up 211TO60Tunnel
> initiating IKE_SA 211TO60Tunnel to 10.201.114.178
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.201.114.211 to 10.201.114.178
> received packet: from 10.201.114.178 to 10.201.114.211
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(MULT_AUTH) ]
> received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
> sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
> authentication of 'C=CH, O=strongSwan, CN=211' (myself) with RSA
> signature successful
> sending end entity cert "C=CH, O=strongSwan, CN=211"
> establishing CHILD_SA 211TO60Tunnel
> unable to allocate SPIs from kernel
Some IPsec-relevant module (most probably xfrm_user) seems to be
missing in your Linux kernel. The following link shows which
kernel modules must be enabled:
> What could be the reason for this " unable to allocate SPIs from kernel"
> Also, Any idea why the openssl generated keys wouldn't work ? I used the
> latest openssl-1.0.0 version.
I cannot tell since I haven't used openssl-1.0.0 yet but I would be
very much surprised if anything would have changed in the output format.
I'm generating all my certificates with openssl-0.9.8.
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
More information about the Users