[strongSwan] netlink error: Invalid argument (22)

John H uothrawn at yahoo.com
Thu Sep 15 18:23:15 CEST 2011


I am unable to start strongSwan/IPsec with my compiled kernel.


I am getting the following output:

[root at encryptor1 ~]# ipsec up leftRight
establishing CHILD_SA leftRight
generating CREATE_CHILD_SA request 31 [ N(USE_TRANSP) SA No KE TSi TSr ]
sending packet: from 192.100.100.1[500] to 192.100.100.2[500]
received packet: from 192.100.100.2[500] to 192.100.100.1[500]
parsed CREATE_CHILD_SA response 31 [ N(USE_TRANSP) SA No KE TSi TSr ]
received netlink error: Invalid argument (22)
unable to add SAD entry with SPI c52ff07a
received netlink error: Invalid argument (22)
unable to add SAD entry with SPI cae31ca1
unable to install inbound and outbound IPsec SA (SAD) in kernel


According to prior messages on this mailing list, I should have a certain subset of options available in the kernel compile options as specified here: http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

I have compiled the kernel with all the mentioned modules in my "make menuconfig". All lines in the Crypto section are marked as modules.

The strange thing is that IPsec works with the stock Fedora-15 kernel (2.6.38), but if I rebuild the Fedora kernel, using the .config file included in the stock Fedora kernel RPM, I get this netlink error. This problem is repeated in a built kernel 3.0.4 as well.

I have "esp=aes256gcm-modp2048" in my configuration; if I change it to just "aes256", I am able to establish the tunnel using any kernel. I would like to use the hardware-level GMP/GCM driver, of course.

What else can I use to help debug this? strace looks like it's just calling memset.
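
For readers comparing a rebuilt kernel against a working one, the following is an added example and not part of the original post: a shell check that lists which kernel options are not enabled in a given .config. The option list is an assumption about what ESP with AES-GCM depends on, not a copy of the wiki page cited above, and the sample config inside `demo` is constructed.

```shell
#!/bin/sh
# Added example. REQUIRED_OPTS is an assumed list of options that ESP with
# AES-GCM depends on; it is not copied from the wiki page cited in the post.
REQUIRED_OPTS="CONFIG_XFRM_USER CONFIG_INET_ESP CONFIG_CRYPTO_AEAD
CONFIG_CRYPTO_AES CONFIG_CRYPTO_CTR CONFIG_CRYPTO_GHASH CONFIG_CRYPTO_GCM
CONFIG_CRYPTO_SEQIV"

# missing_opts FILE
# Print every required option that FILE does not set to =y or =m.
# Returns 2 if FILE cannot be read.
missing_opts() {
    cfg=$1
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2
        return 2
    fi
    for opt in $REQUIRED_OPTS; do
        # Disabled options appear as "# CONFIG_X is not set" or are absent.
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || echo "$opt"
    done
}

# demo: run the check on a constructed config fragment (not from the post).
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
CONFIG_XFRM_USER=m
CONFIG_INET_ESP=m
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CTR=m
CONFIG_CRYPTO_GHASH=m
# CONFIG_CRYPTO_GCM is not set
EOF
    missing_opts "$sample"
    rm -f "$sample"
}

# With a path argument, check that file instead of the sample.
if [ "$#" -gt 0 ]; then
    missing_opts "$1"
fi
```

On Fedora the running kernel's configuration is installed as `/boot/config-$(uname -r)`, so running the script once on the stock file and once on the rebuilt kernel's .config shows whether the two builds differ in any of these options.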




