[strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"
Lupe Christoph
lupe at lupe-christoph.de
Sun Nov 20 13:55:48 CET 2011
On Monday, 2011-11-14 at 14:39:39 +0100, Tobias Brunner wrote:
> > strongswan4-mod-kernel-klips - 4.5.2-1
> Please try to remove this module from your build. The kernel-klips
> plugin was done for a very specific (and rather old) KLIPS release. And
> depending on whether your kernel actually includes the KLIPS patch or
> not might never work. So, do you actually use KLIPS? If so, you might
> have to go back to a 2.x strongSwan release that supported KLIPS. If
> not, then just use the kernel-netlink plugin.
This works:
110 "openswan-server" #2: STATE_QUICK_I1: initiate
002 "openswan-server" #2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
004 "openswan-server" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
But, alas, there is no ipsec0 interface generated. I require an
interface for my firewall rules. Marking packets is just to error-prone
for my taste.
This dismerits of the interfaceless implementation have been discussed
to death on many mailing lists, and there is no solution. I left FreeBSD
because of the lack of an interface to tack firewall rules to, and it
seems StrongSwan is just to weak for me, too.
So unless you have a way to make StrongSwan support an interface for
tunnelled traffic, I will have to concentrate on getting Openswan going
on OpenWRT 10.03.1.
Thanks for your effort,
Luep Christoph
--
| It is a well-known fact in any organisation that, if you want a job |
| done, you should give it to someone who is already very busy. |
| Terry Pratchett, "Unseen Academicals" |
More information about the Users
mailing list