[strongSwan] unable to allocate SPIs from kernel
Andreas Steffen
andreas.steffen at strongswan.org
Wed Jun 8 13:05:31 CEST 2011
Hi Hemant,
your are lacking the kernel_netlink plugin which is responsible for
the communication with the Linux kernel. If you have an explicit
plugin load list in strongswan.conf of the form
charon {
load = ..
}
then you must add kernel_netlink to this list.
Regards
Andreas
On 06/08/2011 12:10 PM, Agrawal Hemant-B10814 wrote:
> Hi Andreas,
>
> I am running linux 2.6.35 with strongswan 4.5.1
>
> The result of ipsec status all is
> ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.1):
> uptime: 3 hours, siince Aug o28 12:02:36 2009
> 135168, mmap 0, used 56928, free 78240
> worker threads: 11 idle of 16, job queue load: 0, scheduled events: 0
> ns: aes edes sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 revocation hmac stroke socket-raw updown
> Listening IP addressses:
> CIonnections:
> net-nent: 200.200.200.20...200.200.200.10
> net-ne.t: loc al: [200.200.200.20] uses pre-shared keey authenticationy
> remote: [200.2 00.200.1:0] uses 0any authentication
> net-net: child: 192.:168.2.0/24 === 192.168.12.0/24
> Security Associations:
> None
>
> Regards,
> Hemant
>
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Wednesday, June 08, 2011 3:26 PM
> To: Agrawal Hemant-B10814
> Cc: Users at lists.strongswan.org
> Subject: Re: [strongSwan] unable to allocate SPIs from kernel
>
> Hello Hemant,
>
> execute "ipsec statusall" and post the list of loaded strongSwan plugins.
>
> Which Linux kernel and which strongSwan version are you using?
>
> Regards
>
> Andreas
>
> On 08.06.2011 09:14, Agrawal Hemant-B10814 wrote:
>> Hi,
>>
>> While trying to use strongswan for net-net scenario, I
>> am facing following error:
>>
>> [root at P1024RDB /root]# ipsec up net-net
>>
>> initiating IKE_SA net-net[2] to 200.200.200.20
>>
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> ]
>>
>> sending packet: from 200.200.200.10[500] to 200.200.200.20[500]
>>
>> received packet: from 200.200.200.20[500] to 200.200.200.10[500]
>>
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
>> CERTREQ N(MULT_AUTH) ]
>>
>> received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>>
>> sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>>
>> authentication of '200.200.200.10' (myself) with pre-shared key
>>
>> establishing CHILD_SA net-net
>>
>> *unable to allocate SPIs from kernel*
>>
>> * *
>>
>> I have compiled all the modules, which was suggested in
>>
>> /http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules/
>>
>> / /
>>
>> I am still facing the problem.
>>
>> My ipsec.conf is as follows:
>>
>> / /
>>
>> /# /etc/ipsec.conf - strongSwan IPsec configuration file/
>>
>> / /
>>
>> /config setup/
>>
>> / charondebug="chd 4, knl 4"/
>>
>> / crlcheckinterval=180/
>>
>> / strictcrlpolicy=no/
>>
>> / plutostart=no/
>>
>> / /
>>
>> /conn %default/
>>
>> / pfs=no/
>>
>> / ikelifetime=60m/
>>
>> / keylife=20m/
>>
>> / rekeymargin=3m/
>>
>> / keyingtries=1/
>>
>> / keyexchange=ikev2/
>>
>> / type=tunnel/
>>
>> / auth=esp/
>>
>> / compress=no/
>>
>> / mobike=no/
>>
>> / ike=3des-sha1-md5-modp1024!/
>>
>> / esp=aes128-3des-sha1-md5!/
>>
>> /conn net-net/
>>
>> / authby=secret/
>>
>> / left=200.200.200.10/
>>
>> / leftsubnet=192.168.1.0/24/
>>
>> / leftfirewall=yes/
>>
>> / right=200.200.200.20/
>>
>> / rightsubnet=192.168.2.0/24/
>>
>> / auto=add/
>>
>> Please help
>>
>> Regards,
>>
>> Hemant
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===========================================================[ITA-HSR]==
>
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
More information about the Users
mailing list