[strongSwan] unable to add SAD entry with SPI

lily xuxiaoli86 at 126.com
Wed Aug 28 10:59:37 CEST 2013 

 Hi, Noel

Thank you for all guides in detail very much.
At last, we found if set CONFIG_CRYPTO_NULL y, and set 'esp=null-sha1! ' in ipsec.conf file ,we can successfully establish the connection between two routes.
but computers in subnets still can not ping the other side.
Two routes can ping each other very well. however, it can not ping computers in other side too.
did you have some advice for  this case?
is there still short of modules in kernel even it can establish successfully ? or just some mistakes with config? 
 
best regards and thank you for any help!
xuxl
 



At 2013-08-27 10:30:40,"Noel Kuntze" <noel at familie-kuntze.de> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA256
>
>It seems my mail client mangled the message after it was signed by
>pgp. I'm sorry. I'll send one with a valid signature:
>
>Hello,
>
>To compile with "libipsec", you need to add "--enable-libipsec" to the
>arguments you give ./configure.
>It might end up looking like this: (This is taken from a script I wrote
>to build and package strongSwan on Arch Linux.)
>> ./configure --prefix=/usr --sbindir=/usr/bin --sysconfdir=/etc
>> --libexecdir=/usr/lib \ --with-ipsecdir=/usr/lib/strongswan
>> --enable-sqlite \ --enable-openssl --enable-curl --enable-sql
>> --enable-attr-sql \ --enable-farp --enable-dhcp --enable-eap-sim
>> --enable-eap-sim-file \ --enable-eap-simaka-pseudonym \ 
>> --enable-eap-simaka-reauth --enable-eap-identity --enable-eap-md5
>> \ --enable-eap-gtc --enable-eap-aka --enable-eap-aka-3gpp2 \ 
>> --enable-eap-mschapv2 --enable-eap-radius --enable-xauth-eap \ 
>> --enable-ha --disable-mysql --disable-ldap --enable-libipsec
>After configuring, just run "make" to compile.
>
>When you installed strongSwan, you can load "libipsec" with the
>"charon.load" statement.
>This will look like this:
>> charon { load=charon test-vectors curl sqlite random nonce x509
>> revocation \ constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
>> sshkey pem \ openssl af-alg gmp xcbc cmac hmac fips-pfr ctr ccm gcm
>> attr \ kernel-netlink socket-default >farp stroke updown \ 
>> eap-identity eap-gtc eap-mschapv2 eap-radius xauth-generic \ 
>> xauth-eap dhcp unity }
>
>All the modules that are to be loaded need to be in the same line as the
>"load" statement!
>You also need to make sure to include all the modules you need in the
>"load" statement, as it will disable automatic loading.
>
>Doing this will give you a warning as soon as you start strongSwan. To
>disable this, you need to set "starter.load_warning" to "no":
>> starter { load_warning = no }
>
>Regards,
>Noel Kuntze
>
>On 27.08.2013 04:12, 徐筱莉 wrote:
>> 
>> Hi, Noel
>> 
>> Thanks for your reply. Would you pls explain the detail of how to 
>> compile with libipsec and loading it with the "load" statement in
>> strongswan.conf?
>> 
>> Sorry , I am a newbie to strongswan~~
>> 
>> Br,
>> 
>> At 2013-08-26 18:52:55,"Noel Kuntze" <noel at familie-kuntze.de>
>> wrote:
>>> 
>> Hello xuxl,
>> 
>> I've seen this behavious on systems virtualized with OpenVZ. On
>> such systems, it is not possible to insert xfrm policies into the
>> kernel or use netlink's functionality. The solution to this problem
>> is compiling with libipsec and loading it with the "load" statement
>> in strongswan.conf.
>> 
>> Regards, Noel Kuntze
>> 
>> On 26.08.2013 12:48, ??? wrote:
>> 
>>> Dec 12 01:25:05 freescale daemon.info charon: 01[KNL] received
>>> netlink
>> error: Function not implemented (38)
>> 
>>> 
>> 
>> 
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v2.0.21 (GNU/Linux)
>Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
>iQIcBAEBCAAGBQJSHA9QAAoJEDg5KY9j7GZY+BkP/jcesks/RnFjqtiI1Tb340yN
>oz9NceJsNa0PaQgZIKD7eDtDJp96ef2B60M/m1BgDpKQCflSsDpi5cjkXFpdVeTj
>KP5Huw0PWpS+51LV405BBPwyDVihiVCIko1c7UplFCvEUH+rySA3r4b7ESt85C0p
>mD0Uv6PVuddjPvEPFeT7MWr0oVr9ByaOO9JvAXvNVYxwC8od2gIrJS1cMW8qc+q+
>v9WBWxY1kXW/oPQtQDE4MLVWR/YD+SykqK0KmPz4q/zHYZ1wIBi6sSHC8A8/k4aL
>zH5lWr1T5z+nLHS6rXar8GJT5W8klcShoXxkja4DPbrduCFoicqCNEYaDP1R8oaM
>E7Goq4ikJzlZfGmQ+ZfKlVvE0GrxNlKGmgZwT9Ig9WbDP77k+ZrAdUdd7mkeQ673
>/WUA/sw3vGQvB4yOjnIMlLT515hZ7Ff7l7L3JQNfYkWXpjs3l0AgJFdxpYgeOQ3E
>xCyJXIKe1/97zBCNOBonw43Dn/t65M/pvGjBqZgCtN3OIqtjs6OOQz+SzHbAfzgs
>+Pl4VXZdQ2CuzSoV5WmEPgAkGZLtBu7IGos7TolKYTckpLWxvns9h6CIfWzaPH9n
>TxsCGUlQ16XJe5UyGnrhI/lM1WJ5ah9iPBzx7B7NMksGURMGjTDbx/lZpEYPOQCW
>DR8lJuneSjNzygYbE4l/
>=P0Z0
>-----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130828/2428441a/attachment.html>

More information about the Users mailing list