[strongSwan] unable to allocate SPIs from kernel

Agrawal Hemant-B10814 B10814 at freescale.com
Wed Jun 8 16:08:37 CEST 2011


Thanks! It worked.

-----Original Message-----
From: Andreas Steffen [mailto:andreas.steffen at strongswan.org] 
Sent: Wednesday, June 08, 2011 4:36 PM
To: Agrawal Hemant-B10814
Cc: Users at lists.strongswan.org
Subject: Re: [strongSwan] unable to allocate SPIs from kernel

Hi Hemant,

you are lacking the kernel_netlink plugin, which is responsible for the communication with the Linux kernel. If you have an explicit plugin load list in strongswan.conf of the form

charon {
    load = ..
}

then you must add kernel_netlink to this list.

Regards

Andreas

On 06/08/2011 12:10 PM, Agrawal Hemant-B10814 wrote:
> Hi Andreas,
> 
> I am running linux 2.6.35 with strongswan 4.5.1
> 
> The result of ipsec status all is
> ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.1):
>   uptime: 3 hours, siince Aug o28 12:02:36 2009  135168, mmap 0, used 
> 56928, free 78240
>   worker threads: 11 idle of 16, job queue load: 0, scheduled events: 
> 0
> ns: aes edes sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 revocation 
> hmac stroke socket-raw updown Listening IP addressses:
> CIonnections:
>      net-nent:  200.200.200.20...200.200.200.10
>      net-ne.t:   loc al:  [200.200.200.20] uses pre-shared keey authenticationy
>   remote: [200.2 00.200.1:0] uses 0any authentication
>      net-net:   child:  192.:168.2.0/24 === 192.168.12.0/24
> Security Associations:
>   None
> 
> Regards,
> Hemant
> 
> -----Original Message-----
> From: Andreas Steffen [mailto:andreas.steffen at strongswan.org]
> Sent: Wednesday, June 08, 2011 3:26 PM
> To: Agrawal Hemant-B10814
> Cc: Users at lists.strongswan.org
> Subject: Re: [strongSwan] unable to allocate SPIs from kernel
> 
> Hello Hemant,
> 
> execute "ipsec statusall" and post the list of loaded strongSwan plugins.
> 
> Which Linux kernel and which strongSwan version are you using?
> 
> Regards
> 
> Andreas
> 
> On 08.06.2011 09:14, Agrawal Hemant-B10814 wrote:
>> Hi,
>>
>> While trying to use strongswan for a net-net scenario, I am facing the
>> following error:
>>
>> [root at P1024RDB /root]# ipsec up net-net
>>
>> initiating IKE_SA net-net[2] to 200.200.200.20
>>
>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> ]
>>
>> sending packet: from 200.200.200.10[500] to 200.200.200.20[500]
>>
>> received packet: from 200.200.200.20[500] to 200.200.200.10[500]
>>
>> parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
>> CERTREQ N(MULT_AUTH) ]
>>
>> received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>>
>> sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
>>
>> authentication of '200.200.200.10' (myself) with pre-shared key
>>
>> establishing CHILD_SA net-net
>>
>> *unable to allocate SPIs from kernel*
>>
>> I have compiled all the modules which were suggested in
>>
>> http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>>
>> I am still facing the problem.
>>
>> My ipsec.conf is as follows:
>>
>> # /etc/ipsec.conf - strongSwan IPsec configuration file
>>
>> config setup
>>         charondebug="chd 4, knl 4"
>>         crlcheckinterval=180
>>         strictcrlpolicy=no
>>         plutostart=no
>>
>> conn %default
>>         pfs=no
>>         ikelifetime=60m
>>         keylife=20m
>>         rekeymargin=3m
>>         keyingtries=1
>>         keyexchange=ikev2
>>         type=tunnel
>>         auth=esp
>>         compress=no
>>         mobike=no
>>         ike=3des-sha1-md5-modp1024!
>>         esp=aes128-3des-sha1-md5!
>>
>> conn net-net
>>         authby=secret
>>         left=200.200.200.10
>>         leftsubnet=192.168.1.0/24
>>         leftfirewall=yes
>>         right=200.200.200.20
>>         rightsubnet=192.168.2.0/24
>>         auto=add
>>
>> Please help
>>
>> Regards,
>>
>> Hemant
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
> 


--
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
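
A check for the condition described in the reply above, as an added example that is not part of the original thread or of strongSwan's code: it reads the charon section of a strongswan.conf and reports whether an explicit load list omits the kernel_netlink plugin. The sample configuration is constructed, the parser assumes one statement per line as in the snippet in the reply, and accepting the hyphenated spelling kernel-netlink is an assumption of this example.

```python
import re

# Plugin named in the reply. Underscores are normalised to hyphens so that
# both "kernel_netlink" and "kernel-netlink" are accepted (assumption).
REQUIRED = "kernel-netlink"

def charon_load_list(conf_text):
    """Return the plugins in charon's explicit load list, or None if absent."""
    path = []  # names of the sections we are currently nested in
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        opened = re.match(r"^([\w.-]+)\s*\{$", line)
        if opened:
            path.append(opened.group(1))
        elif line == "}":
            if path:
                path.pop()
        elif path == ["charon"]:                   # ignore nested sections
            m = re.match(r"^load\s*=\s*(.*)$", line)
            if m:
                return [p.replace("_", "-") for p in m.group(1).split()]
    return None

def check(plugins):
    """Classify a load list: absent, complete, or missing the kernel plugin."""
    if plugins is None:
        return "no explicit load list"
    return "ok" if REQUIRED in plugins else "missing " + REQUIRED

# Constructed sample: an explicit list without the kernel interface plugin,
# plus a hypothetical nested section whose "load" key must not be picked up.
SAMPLE_BROKEN = """
charon {
    plugins {
        example {          # hypothetical nested section
            load = nested-value-not-a-plugin-list
        }
    }
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 hmac stroke socket-raw updown
}
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("updown", "updown kernel_netlink")

if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, "->", check(charon_load_list(text)))
```
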





