[strongSwan] IKEv2 - IKE_AUTH request problem
gowrishankar
gowrishankar.m at linux.vnet.ibm.com
Tue Feb 14 20:02:42 CET 2012
Hi,
I would appreciate it if anyone could suggest possible cause(s) for the
problem below, found in Test "IKEv2.EN.I.1.1.1.3: Use of CHILD_SA" (TAHI IKEv2
test suite). I am using strongSwan version 4.5.2 for an endnode-endnode
test in a RHEL6.2 environment.
IKE_SA_INIT is established between NUT (node under test) and TN (test
node), but IKE_AUTH request created by NUT is not observed by TN.
Some settings used in ipsec.conf are below (and I can share others if
needed for more debugging).
# Attempt to rekey 5 seconds before the SA expires.
rekeymargin=5s
# Set the encryption algorithm for the child SA.
esp=3des-sha1
# Set the encryption algorithm for the IKE SA.
ike=3des-sha1-modp1024
# Set the lifetime for the IKE SA.
ikelifetime="64s"
# Set the lifetime for the child SA.
keylife="128s"
# Use perfect forward security on the IKE SA.
pfs=no
type=transport
With debug mode set at level 4, the following lines are caught in
charon.log (though there is other information which may not be
required here):
...
.....
05[CFG] added configuration 'tahi_ikev2_test'
10[CFG] stroke message => -2036037751 bytes @ 0xfff80ede300
10[CFG] received stroke: route 'tahi_ikev2_test'
.....
...
10[KNL] adding policy <NUT IP6> === <TN IP6> out
10[KNL] sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xfff80edda28
....
10[KNL] unable to add policy <NUT IP6> === <TN IP6> out
....
10[CFG] installing trap failed
I suspect the stroke message, which is shown with negative bytes.
Before I dig deeper, I would just like to check this with
anyone who has seen this problem earlier.
Thanks for the attention,
Gowri Shankar