[strongSwan] CHILD_SA can't setup with the configuration of MARK keywords

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 18 05:58:02 CEST 2011


Hello Ethan,

which Linux kernel are you using? XFRM marks support was introduced with
Linux 2.6.34 but was badly broken. It was fixed either with 2.6.35 or
2.6.36.

Best regards

Andreas

On 07/18/2011 05:06 AM, Yu Yin - Picochip wrote:
> Hi guys,
> 
>  
> 
> I used to add a custom eap-aka plugin at
> the old strongswan version (4.3.4).
> 
> And now I want to use the xfrm MARK function in the 4.3.4 version.
> 
> So I merged the mark related code from 4.4.1 to the 4.3.4 version with
> the reference of revision ee26c537 and revision 26c4d010.
> 
> After that, I have tried to setup a host-host tunnel with mark support,
> but the strongswan output some error:
> 
> received netlink error: Numerical result out of range (34)
> 
>  
> 
> the whole log and ipsec.conf is below.
> 
>  
> 
> ipsec.conf of host A:
> 
>  
> 
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>
> conn %default
>         ike=3des-sha1-modp1024,aes-sha1-modp1024,null-sha1-modp1024,3des-sha1-modp2048,aes-sha1-modp2048,null-sha1-modp2048!
>         esp=null-sha1,aes-sha1,3des-sha1!
>         ikelifetime=24h
>         keylife=12m
>         keyexchange=ikev2
>         dpdaction=clear
>         dpddelay=20m
>
> conn host-host
>         left=172.19.2.101
>         leftid=www.hostA.org
>         leftcert=/etc/ipsec.d/certs/hostA.pem
>         leftfirewall=yes
>         mark=20
>         right=172.19.4.166
>         rightid=www.hostB.org
>         rightcert=/etc/ipsec.d/certs/ hostB.pem
>         rightsendcert=never
>         auto=start
> 
> ipsec.conf of host B:
> 
>  
> 
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=3m
>
> conn %default
>         ike=aes-sha1-modp1024!
>         esp=aes-sha1!
>         ikelifetime=1440m
>         keylife=12m
>         rekeymargin=3m
>         keyingtries=1
>         reauth=no
>         keyexchange=ikev2
>         dpdaction=clear
>         dpddelay=10m
>
> conn host-host
>         left=172.19.4.166
>         leftcert=/etc/ipsec.d/certs/hostB.pem
>         right=172.19.2.101
>         rightsubnet=0.0.0.0/0
>         mark=20
>         auto=add
>         leftid=www.hostB.org
>         rightid=www.hostA.org
> 
> log on host A and B is attached.
> 
>  
> 
> Thanks and regards,
> 
> Ethan
> 


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
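
The kernel dependency named in the reply above, as an added example that is not part of the original message or of strongSwan: a POSIX shell function that classifies a kernel release string against the versions Andreas gives for XFRM mark support. The function name `xfrm_mark_status` and the verdict words are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a kernel release against the XFRM mark history
# stated in the reply (introduced in 2.6.34 but broken, fixed in 2.6.35
# or 2.6.36). Function name and verdict words are hypothetical.

xfrm_mark_status() {
    # Keep only the leading numeric part: "2.6.35-22-generic" -> "2.6.35"
    rel=${1%%[!0-9.]*}

    # Split on dots; a fourth field (stable release, e.g. 2.6.34.7) is ignored.
    old_ifs=$IFS
    IFS=.
    set -- $rel
    IFS=$old_ifs
    major=${1:-0}
    minor=${2:-0}
    patch=${3:-0}

    # Fold the three fields into one comparable integer.
    ver=$(( major * 1000000 + minor * 1000 + patch ))

    if [ "$ver" -lt 2006034 ]; then
        echo unsupported    # older than 2.6.34: no XFRM mark support
    elif [ "$ver" -eq 2006034 ]; then
        echo broken         # 2.6.34: support present but badly broken
    elif [ "$ver" -eq 2006035 ]; then
        echo uncertain      # 2.6.35: the reply does not say whether the fix landed here
    else
        echo ok             # 2.6.36 or later
    fi
}

# Report on the running kernel before configuring mark= in ipsec.conf.
echo "kernel $(uname -r): XFRM mark support $(xfrm_mark_status "$(uname -r)")"
```

A distribution kernel may carry backported fixes or regressions that the release number does not show, so treat the verdict as a first check only.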



