[strongSwan] Trying a basic peer to peer ipsec setup with strongswan and is failing due to some key related issue

shyamsundar.purkayastha at wipro.com shyamsundar.purkayastha at wipro.com
Tue Apr 20 15:16:18 CEST 2010


On 20.04.2010 12:11, shyamsundar.purkayastha at wipro.com wrote:
>> But I have a new error when I try to bring up my configuration
>>
>> [root at localhost ~]# ipsec up 211TO60Tunnel
>> initiating IKE_SA 211TO60Tunnel[3] to 10.201.114.178
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> sending packet: from 10.201.114.211[500] to 10.201.114.178[500]
>> received packet: from 10.201.114.178[500] to 10.201.114.211[500]
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(MULT_AUTH) ]
>> received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
>> sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
>> authentication of 'C=CH, O=strongSwan, CN=211' (myself) with RSA
>> signature successful
>> sending end entity cert "C=CH, O=strongSwan, CN=211"
>> establishing CHILD_SA 211TO60Tunnel
>> unable to allocate SPIs from kernel
>>
> Some IPsec-relevant module (most probably xfrm_user) seems to be
> missing in your Linux kernel. The following link shows which
> kernel modules must be enabled:

> http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

Thanks for the info. BTW, after commenting out the load statement in the
strongswan.conf file I was able to set up the connection and it worked.
So it seems the default load works for me.

Thanks for taking time to respond to my issues.  

Regards
Shyam

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Tuesday, April 20, 2010 6:43 PM
To: Shyamsundar Purkayastha (WT01 - Telecom Equipment)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Trying a basic peer to peer ipsec setup with
strongswan and is failing due to some key related issue

On 20.04.2010 12:11, shyamsundar.purkayastha at wipro.com wrote:
> But I have a new error when I try to bring up my configuration
>
> [root at localhost ~]# ipsec up 211TO60Tunnel
> initiating IKE_SA 211TO60Tunnel[3] to 10.201.114.178
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> sending packet: from 10.201.114.211[500] to 10.201.114.178[500]
> received packet: from 10.201.114.178[500] to 10.201.114.211[500]
> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
> CERTREQ N(MULT_AUTH) ]
> received cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
> sending cert request for "C=CH, O=strongSwan, CN=strongSwan CA"
> authentication of 'C=CH, O=strongSwan, CN=211' (myself) with RSA
> signature successful
> sending end entity cert "C=CH, O=strongSwan, CN=211"
> establishing CHILD_SA 211TO60Tunnel
> unable to allocate SPIs from kernel
>
Some IPsec-relevant module (most probably xfrm_user) seems to be
missing in your Linux kernel. The following link shows which
kernel modules must be enabled:

http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

> What could be the reason for this "unable to allocate SPIs from kernel"
> error.
>
> Also, any idea why the openssl generated keys wouldn't work? I used the
> latest openssl-1.0.0 version.
>
I cannot tell since I haven't used openssl-1.0.0 yet but I would be
very much surprised if anything would have changed in the output format.
I'm generating all my certificates with openssl-0.9.8.

> Regards
> Shyam
>

Regards

Andreas

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
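
A check for the two causes raised in this thread for "unable to allocate SPIs from kernel": a missing xfrm_user kernel module and an explicit load statement in strongswan.conf. This is an added example, not code from either poster or from the strongSwan project; the function names and the plugin names kernel-netlink, kernel-pfkey and kernel-klips are assumptions of the example, and the thread does not say what the poster's load line contained.

```shell
#!/bin/sh
# Added diagnostic example; not from the thread or the strongSwan project.

# Succeeds if xfrm_user is loaded ($1: /proc/modules style file) or built
# into the kernel ($2, optional: modules.builtin style file).
xfrm_user_present() {
    if grep -q '^xfrm_user ' "$1" 2>/dev/null; then
        return 0
    fi
    [ -n "${2:-}" ] && grep -q '/xfrm_user\.ko' "$2" 2>/dev/null
}

# Prints the first uncommented "load = ..." value in strongswan.conf ($1);
# prints nothing when the file relies on the default plugin list.
explicit_load_list() {
    sed -n 's/^[[:space:]]*load[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Succeeds when the default load is in effect or the explicit list names a
# kernel interface plugin. Plugin names are an assumption of this example.
load_has_kernel_plugin() {
    list=$(explicit_load_list "$1")
    [ -z "$list" ] && return 0
    for p in $list; do
        case "$p" in
            kernel-netlink|kernel-pfkey|kernel-klips) return 0 ;;
        esac
    done
    return 1
}

# Prints "plugin-list", "kernel-module" or "ok".
diagnose_spi_error() {
    if ! load_has_kernel_plugin "$1"; then
        echo "plugin-list"
    elif ! xfrm_user_present "$2" "${3:-}"; then
        echo "kernel-module"
    else
        echo "ok"
    fi
}

# Usage: sh check.sh STRONGSWAN_CONF MODULES_FILE [BUILTIN_FILE]
if [ "$#" -ge 2 ]; then
    diagnose_spi_error "$@"
fi
```

Pass the strongswan.conf in use, /proc/modules, and optionally the running kernel's modules.builtin file as the three arguments.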
