[strongSwan] IPV6 'connection' bug? (in 4.3.3 with linux 2.6.21)
Yong Choo
yhc at alcatel-lucent.com
Wed Mar 24 16:35:40 CET 2010
Hi,
I'm getting the following errors on my Linux 2.6.21 based system using
strongSwan version 4.3.3:
Any help would be appreciated! (The host that I'm communicating with has
2.6.27 and it has no problem.)
I configured/checked all required IPv6 kernel protocols in Linux 2.6.21
as defined in the installation document URL also.
eCCM-root-/etc> ipsec up enb12v6
initiating IKE_SA enb12v6[1] to fd00::410:172:21:10:181
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'fd00::410:172:21:10:12' (myself) with pre-shared key
establishing CHILD_SA enb12v6
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) ]
sending packet: from fd00::410:172:21:10:12[500] to fd00::410:172:21:10:181[500]
received packet: from fd00::410:172:21:10:181[500] to fd00::410:172:21:10:12[500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
authentication of 'fd00::410:172:21:10:181' with pre-shared key successful
scheduling rekeying in 50s
maximum IKE_SA lifetime 370s
IKE_SA enb12v6[1] established between fd00::410:172:21:10:12[fd00::410:172:21:10:12]...fd00::410:172:21:10:181[fd00::410:172:21:10:181]
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c05a60aa
received netlink error: Protocol not supported (93)
unable to add SAD entry with SPI c48cd085
unable to install inbound and outbound IPsec SA (SAD) in kernel
The ipsec.conf has the following entries:
config setup
        plutostart=no

conn %default
        auth=esp
        dpdaction=restart
        dpddelay=50s
        esp=aes128-sha1-modp1024,3des-sha1-modp1024
        forceencaps=no
        ike=aes128-sha-modp1024,3des-sha-modp1024
        ikelifetime=500s
        installpolicy=yes
        keyexchange=ikev2
        keyingtries=%forever
        keylife=400s
        mobike=no
        pfs=yes
        reauth=no
        rekey=yes
        rekeymargin=320s
        type=tunnel
        leftauth=psk
        rightauth=psk

conn enb12v4
        left=135.112.41.22
        right=135.112.40.181
        auto=add

conn enb12v6
        left=fd00:0000:0000:410:172:21:10:12
        #leftsourceip=fd00:0000:0000:410:172:21:10:12
        leftsubnet=fd00::12/64
        right=fd00:0000:0000:410:172:21:10:181
        rightsubnet=fd00::181/64
        auto=add