[strongSwan] strongswan 4.5 on kernel 2.6.28(Ipsec SA error)

chenguang2js at sina.com chenguang2js at sina.com
Thu Dec 30 08:30:56 CET 2010


Hello,

I used strongSwan 4.5 on my Linux 2.6.28 device.
I get the following output:

root at picopc7802:~# ipsec start
Starting strongSwan 4.5.0 IPsec [starter]...
Initializing XFRM netlink socket
root at picopc7802:~# ipsec up panda
initiating IKE_SA panda[1] to 211.136.114.107
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.1.198[500] to 211.136.114.107[500]
received packet: from 211.136.114.107[500] to 192.168.1.198[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
local host is behind NAT, sending keep alives
establishing CHILD_SA panda
generating IKE_AUTH request 1 [ IDi IDr CP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N((40960)) ]
sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]
retransmit 1 of request with message ID 1
sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]
retransmit 2 of request with message ID 1
sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]
received packet: from 211.136.114.107[4500] to 192.168.1.198[4500]
parsed IKE_AUTH response 1 [ IDr EAP/REQ/AKA ]
server requested EAP_AKA authentication
allow mutual EAP-only authentication
generating IKE_AUTH request 2 [ EAP/RES/AKA ]
sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]
retransmit 1 of request with message ID 2
sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]
received packet: from 211.136.114.107[4500] to 192.168.1.198[4500]
parsed IKE_AUTH response 2 [ EAP/SUCC ]
EAP method EAP_AKA succeeded, MSK established
authentication of '460006000000219 at strongswan.org' (myself) with EAP
generating IKE_AUTH request 3 [ AUTH ]
sending packet: from 192.168.1.198[4500] to 211.136.114.107[4500]
received packet: from 211.136.114.107[4500] to 192.168.1.198[4500]
parsed IKE_AUTH response 3 [ AUTH CP(ADDR) SA TSi TSr ]
authentication of 'strongswan.org' with EAP successful
IKE_SA panda[1] established between 192.168.1.198[460006000000219 at strongswan.org]...211.136.114.107[strongswan.org]
scheduling reauthentication in 3323s
maximum IKE_SA lifetime 3503s
installing new virtual IP 172.16.64.58
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c7684d6b
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI 08003ed1
unable to install inbound and outbound IPsec SA (SAD) in kernel.
root at picopc7802:~# ipsec statusall
Status of IKEv2 charon daemon (strongSwan 4.5.0):
  uptime: 4 minutes, since Jan 01 00:01:08 1970
  malloc: sbrk 135168, mmap 0, used 69408, free 65760
  worker threads: 9 idle of 16, job queue load: 0, scheduled events: 3
  loaded plugins: aes des sha1 sha2 md5 random x509 revocation pubkey pkcs1 pgp pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-raw stroke updown eap-aka eap-aka-3gpp2 
Listening IP addresses:
  192.168.1.198
Connections:
       panda:  192.168.1.198...211.136.114.107
       panda:   local:  [460006000000219 at strongswan.org] uses EAP_AKA authentication with EAP identity '460006000000219'
       panda:   remote: [strongswan.org] uses any authentication
       panda:   child:  dynamic === 172.16.64.0/24 
Security Associations:
       panda[1]: ESTABLISHED 3 minutes ago, 192.168.1.198[460006000000219 at strongswan.org]...211.136.114.107[strongswan.org]
       panda[1]: IKE SPIs: 58a66da49298e7ac_i* d1000007165230c8_r, EAP reauthentication in 51 minutes
       panda[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

I have configured the kernel as described at:
http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

ipsec.conf is as follows:
config setup
        # plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        # nat_traversal=yes
        # charonstart=no
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2

conn panda
        keyexchange=ikev2
        left=%defaultroute
        leftsourceip=%config
        #leftcert=panda.pem
        #leftnexthop=%direct
        leftid=460006000000219 at strongswan.org
        #leftid=460006000000280
        eap_identity=460006000000219
        #eap_identity=460006000000280
        leftauth=eap-aka
        #leftfirewall=yes
        right=211.136.114.107
        rightid=strongswan.org
        #rightsubnet=172.16.64.0/24
        #rightauth=pubkey
        ike=3des-sha-modp1024
        esp=3des-sha1
        pfs=yes
        auto=add
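The failure in the post happens after the IKE_SA is fully established: charon tries to install the ESP SAs through the XFRM netlink socket and the kernel answers errno 93 (EPROTONOSUPPORT). In the XFRM code that errno is returned when no XFRM type is registered for the requested protocol, i.e. ESP support (CONFIG_INET_ESP, module esp4) is missing from the kernel, as opposed to a missing cipher or hash, which the kernel reports as ENOSYS. The script below is an added example, not code from the post or from the strongSwan project: it checks a kernel .config for the options this setup needs and translates the netlink errno. The option list is my assumption of the essentials for an ESP tunnel with the 3des-sha1 proposal shown above (the complete list is on the KernelModules wiki page the post links to), and the sample config is constructed to reproduce the post's symptom.

```shell
#!/bin/sh
# Added example (not from the mailing-list post or strongSwan): check a kernel
# .config for the IPsec options the kernel-netlink backend needs, and explain the
# errno charon prints in "received netlink error: ... (N)".

# Essentials for ESP in tunnel mode with a 3des-sha1 proposal. This list is my
# assumption; the authoritative list is the strongSwan KernelModules wiki page.
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_ESP \
CONFIG_INET_XFRM_MODE_TUNNEL CONFIG_INET_XFRM_MODE_TRANSPORT \
CONFIG_CRYPTO_DES CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_HMAC"

# Print each required option that is neither built in (=y) nor a module (=m).
# Returns 0 when everything is present, 1 if anything is missing.
check_kernel_ipsec_config() {
    cfg="$1"
    missing=0
    for opt in $REQUIRED_OPTS; do
        if ! grep -q "^${opt}=[ym]$" "$cfg"; then
            echo "MISSING: $opt"
            missing=1
        fi
    done
    return $missing
}

# Map the errno from "received netlink error" to what XFRM means by it.
explain_netlink_errno() {
    case "$1" in
        93) echo "EPROTONOSUPPORT: no XFRM type registered for the protocol (CONFIG_INET_ESP/esp4 or AH missing)" ;;
        38) echo "ENOSYS: the kernel has no crypto algorithm with the requested name" ;;
        *)  echo "errno $1: not a known XFRM case; check <asm-generic/errno.h>"; return 1 ;;
    esac
}

# Write a constructed sample .config to a temp file and print its path.
# "ok" includes ESP; anything else leaves it out, like the poster's kernel.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
CONFIG_INET_AH=m
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_HMAC=y
EOF
    if [ "$1" = ok ]; then
        echo 'CONFIG_INET_ESP=m' >> "$f"
    else
        echo '# CONFIG_INET_ESP is not set' >> "$f"
    fi
    echo "$f"
}

# Demo on the constructed sample: reproduces the post's situation.
sample=$(make_sample_config broken)
echo "netlink error 93 -> $(explain_netlink_errno 93)"
if check_kernel_ipsec_config "$sample"; then
    echo "kernel config looks complete for this ipsec.conf"
else
    echo "enable the options above, rebuild or modprobe, then retry 'ipsec up'"
fi
rm -f "$sample"
```

On a running box with CONFIG_IKCONFIG_PROC, feed it the live config with `zcat /proc/config.gz > /tmp/kernel.config` and then `check_kernel_ipsec_config /tmp/kernel.config`; if the options are built as modules, `lsmod` should also list esp4 and xfrm_user once a connection is brought up.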