[strongSwan] "unable to add pseudo IPIP SA with SPI c1bb6ffe: Invalid argument"

Andreas Steffen andreas.steffen at strongswan.org
Sun Nov 20 15:41:57 CET 2011 

Hello Christoph,

it is up to you which IPsec package to use. In our opinion
the IPsec policy rules offered by Linux netfilter are powerful
enough to bind plaintext traffic coming out or going into
an IPsec tunnel to any specific firewall rules. Of course
a special interface would be nice but this is not how
the netfilter framework is set up.

Regards

Andreas

On 11/20/2011 01:55 PM, Lupe Christoph wrote:
> On Monday, 2011-11-14 at 14:39:39 +0100, Tobias Brunner wrote:
> 
>>> strongswan4-mod-kernel-klips - 4.5.2-1
> 
>> Please try to remove this module from your build.  The kernel-klips
>> plugin was done for a very specific (and rather old) KLIPS release.  And
>> depending on whether your kernel actually includes the KLIPS patch or
>> not might never work.  So, do you actually use KLIPS?  If so, you might
>> have to go back to a 2.x strongSwan release that supported KLIPS.  If
>> not, then just use the kernel-netlink plugin.
> 
> This works:
> 
> 110 "openswan-server" #2: STATE_QUICK_I1: initiate
> 002 "openswan-server" #2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
> 004 "openswan-server" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x83c08d51 <0xccb60e59}
> 
> But, alas, there is no ipsec0 interface generated. I require an
> interface for my firewall rules. Marking packets is just to error-prone
> for my taste.
> 
> This dismerits of the interfaceless implementation have been discussed
> to death on many mailing lists, and there is no solution. I left FreeBSD
> because of the lack of an interface to tack firewall rules to, and it
> seems StrongSwan is just to weak for me, too.
> 
> So unless you have a way to make StrongSwan support an interface for
> tunnelled traffic, I will have to concentrate on getting Openswan going
> on OpenWRT 10.03.1.
> 
> Thanks for your effort,
> Luep Christoph

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list