[strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

Lupe Christoph lupe at lupe-christoph.de
Sun Nov 20 13:55:48 CET 2011

On Monday, 2011-11-14 at 14:39:39 +0100, Tobias Brunner wrote:

> > strongswan4-mod-kernel-klips - 4.5.2-1

> Please try to remove this module from your build.  The kernel-klips
> plugin was done for a very specific (and rather old) KLIPS release.  And
> depending on whether your kernel actually includes the KLIPS patch or
> not, it might never work.  So, do you actually use KLIPS?  If so, you might
> have to go back to a 2.x strongSwan release that supported KLIPS.  If
> not, then just use the kernel-netlink plugin.

This works:

110 "openswan-server" #2: STATE_QUICK_I1: initiate
002 "openswan-server" #2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
004 "openswan-server" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}

But, alas, there is no ipsec0 interface generated. I require an
interface for my firewall rules. Marking packets is just too error-prone
for my taste.

The demerits of the interfaceless implementation have been discussed
to death on many mailing lists, and there is no solution. I left FreeBSD
because of the lack of an interface to tack firewall rules to, and it
seems StrongSwan is just too weak for me, too.

So unless you have a way to make StrongSwan support an interface for
tunnelled traffic, I will have to concentrate on getting Openswan going
on OpenWRT 10.03.1.

Thanks for your effort,
Lupe Christoph
| It is a well-known fact in any organisation that, if you want a job    |
| done, you should give it to someone who is already very busy.          |
| Terry Pratchett, "Unseen Academicals"                                  |
