[strongSwan] CHILD_SA can't setup with the configuration of MARK keywords

Yu Yin - Picochip yuy at picochip.com
Mon Jul 18 07:07:57 CEST 2011


Hi Andreas,

Thanks for your quick reply!
The Linux kernel is 2.6.38-8.
I checked the patch file "xfrm_mark.patch"; the problems in
"xfrm.h/xfrm_policy.c" have already been modified.

Thanks and regards,

Ethan

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Monday, July 18, 2011 11:58 AM
To: Yu Yin - Picochip
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] CHILD_SA can't setup with the configuration of MARK keywords

Hello Ethan,

which Linux kernel are you using? XFRM marks support was introduced with
Linux 2.6.34 but was badly broken. It was fixed either with 2.6.35 or
2.6.36.

Best regards

Andreas

On 07/18/2011 05:06 AM, Yu Yin - Picochip wrote:
> Hi guys,
> 
> I used to add a custom eap-aka plugin to
> the old strongswan version (4.3.4).
> 
> And now I want to use the xfrm MARK function in the 4.3.4 version.
> 
> So I merged the mark related code from 4.4.1 into the 4.3.4 version with
> the reference of revision ee26c537 and revision 26c4d010.
> 
> After that, I tried to set up a host-host tunnel with mark support,
> but strongSwan output this error:
> 
> received netlink error: Numerical result out of range (34)
> 
> The whole log and ipsec.conf are below.
> 
> ipsec.conf of host A:
> 
> config setup
>         strictcrlpolicy=no
>         plutostart=no
> 
> conn %default
>         ike=3des-sha1-modp1024,aes-sha1-modp1024,null-sha1-modp1024,3des-sha1-modp2048,aes-sha1-modp2048,null-sha1-modp2048!
>         esp=null-sha1,aes-sha1,3des-sha1!
>         ikelifetime=24h
>         keylife=12m
>         keyexchange=ikev2
>         dpdaction=clear
>         dpddelay=20m
> 
> conn host-host
>         left=172.19.2.101
>         leftid=www.hostA.org
>         leftcert=/etc/ipsec.d/certs/hostA.pem
>         leftfirewall=yes
>         mark=20
>         right=172.19.4.166
>         rightid=www.hostB.org
>         rightcert=/etc/ipsec.d/certs/ hostB.pem
>         rightsendcert=never
>         auto=start
> 
> ipsec.conf of host B:
> 
> config setup
>         strictcrlpolicy=no
>         plutostart=no
>         keep_alive=3m
> 
> conn %default
>         ike=aes-sha1-modp1024!
>         esp=aes-sha1!
>         ikelifetime=1440m
>         keylife=12m
>         rekeymargin=3m
>         keyingtries=1
>         reauth=no
>         keyexchange=ikev2
>         dpdaction=clear
>         dpddelay=10m
> 
> conn host-host
>         left=172.19.4.166
>         leftcert=/etc/ipsec.d/certs/hostB.pem
>         right=172.19.2.101
>         rightsubnet=0.0.0.0/0
>         mark=20
>         auto=add
>         leftid=www.hostB.org
>         rightid=www.hostA.org
> 
> The logs on host A and B are attached.
> 
> Thanks and regards,
> 
> Ethan


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
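As an added example (not code from this thread or from the strongSwan project), the following Python script parses ipsec.conf files of the shape quoted above, applies the conn %default inheritance strongSwan uses, lists which conns carry a mark, and compares a kernel release string against the kernel version Andreas points to. It assumes 2.6.36 (the later of the two candidates he names) as the safe minimum and uses a constructed, trimmed copy of host A's configuration as input.

```python
import re

SAMPLE_CONF = """\
config setup
        plutostart=no

conn %default
        ike=aes-sha1-modp1024!
        keyexchange=ikev2

conn host-host
        left=172.19.2.101
        mark=20
"""  # constructed: host A's ipsec.conf from the thread, trimmed, italic markers stripped

def parse_ipsec_conf(text):
    """Parse ipsec.conf into {"kind name": {key: value}}; headers sit in column 0, parameters are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # "config setup" / "conn NAME"
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    for name in list(sections):
        if name.startswith("conn ") and name != "conn %default":
            sections[name] = {**defaults, **sections[name]}   # conn-local keys win
    return sections

def marked_conns(sections):
    """Map conn name -> mark value for every conn that sets (or inherits) mark."""
    return {n[5:]: p["mark"] for n, p in sections.items()
            if n.startswith("conn ") and n != "conn %default" and "mark" in p}

def kernel_supports_xfrm_mark(release, minimum=(2, 6, 36)):
    """True if a release string such as '2.6.38-8' is at least `minimum` (assumed: 2.6.36)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return tuple(int(x or 0) for x in m.groups()) >= minimum
```

Run `kernel_supports_xfrm_mark(platform.release())` on the gateway to apply the same check to the live kernel.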
