[strongSwan] can't pass traffic with ip-compression enabled

yordanos beyene yordanosb at gmail.com
Tue Feb 12 07:01:23 CET 2013


Hi Everyone,

I have a working site-to-site connection with strongSwan 5.0.1 loaded on
both VPN peers. But when I set "compress = yes", the IPsec SA gets established
but I can't pass traffic through the tunnel. I think I have enabled the
required kernel modules. I would appreciate any tips to resolve this issue.

Below are the logs from one of the VPN peers.

======
2013-02-12 13:30:27.169 [ngfw] [CHARON-INFO:] "09[IKE] initiating Main Mode IKE_SA site2site[1] to 172.16.20.3"
2013-02-12 13:30:27.169 [ngfw] [CHARON-INFO:] "09[IKE] initiating Main Mode IKE_SA site2site[1] to 172.16.20.3"
2013-02-12 13:30:27.169 [ngfw] [CHARON-INFO:] "09[ENC] generating ID_PROT request 0 [ SA V V V ]"
2013-02-12 13:30:27.169 [ngfw] [CHARON-INFO:] "09[NET] sending packet: from 172.16.20.2[500] to 172.16.20.3[500]"
2013-02-12 13:30:27.182 [ngfw] [CHARON-INFO:] "08[NET] received packet: from 172.16.20.3[500] to 172.16.20.2[500]"
2013-02-12 13:30:27.182 [ngfw] [CHARON-INFO:] "08[ENC] parsed ID_PROT response 0 [ SA V V V ]"
2013-02-12 13:30:27.182 [ngfw] [CHARON-INFO:] "08[IKE] received XAuth vendor ID"
2013-02-12 13:30:27.182 [ngfw] [CHARON-INFO:] "08[IKE] received NAT-T (RFC 3947) vendor ID"
2013-02-12 13:30:27.182 [ngfw] [CHARON-INFO:] "08[IKE] received DPD vendor ID"
2013-02-12 13:30:27.185 [ngfw] [CHARON-INFO:] "08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]"
2013-02-12 13:30:27.185 [ngfw] [CHARON-INFO:] "08[NET] sending packet: from 172.16.20.2[500] to 172.16.20.3[500]"
2013-02-12 13:30:27.203 [ngfw] [CHARON-INFO:] "11[NET] received packet: from 172.16.20.3[500] to 172.16.20.2[500]"
2013-02-12 13:30:27.203 [ngfw] [CHARON-INFO:] "11[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]"
2013-02-12 13:30:27.206 [ngfw] [CHARON-INFO:] "11[ENC] generating ID_PROT request 0 [ ID HASH ]"
2013-02-12 13:30:27.206 [ngfw] [CHARON-INFO:] "11[NET] sending packet: from 172.16.20.2[500] to 172.16.20.3[500]"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[NET] received packet: from 172.16.20.3[500] to 172.16.20.2[500]"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[ENC] parsed ID_PROT response 0 [ ID HASH ]"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[IKE] IKE_SA site2site[1] established between 172.16.20.2[172.16.20.2]...172.16.20.3[172.16.20.3]"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[IKE] IKE_SA site2site[1] established between 172.16.20.2[172.16.20.2]...172.16.20.3[172.16.20.3]"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[IKE] scheduling rekeying in 85524s"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[IKE] maximum IKE_SA lifetime 86124s"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[ENC] generating QUICK_MODE request 2703472901 [ HASH SA No ID ID ]"
2013-02-12 13:30:27.212 [ngfw] [CHARON-INFO:] "12[NET] sending packet: from 172.16.20.2[500] to 172.16.20.3[500]"
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[NET] received packet: from 172.16.20.3[500] to 172.16.20.2[500]"
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[ENC] parsed QUICK_MODE response 2703472901 [ HASH SA No ID ID ]"
*2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[KNL] received netlink error: Protocol not supported (93)"
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[KNL] unable to add SAD entry with SPI 0000e270"
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[KNL] received netlink error: Protocol not supported (93)"
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[KNL] unable to add SAD entry with SPI 0000410b"*
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[IKE] CHILD_SA site2site{1} established with SPIs cf64ee81_i c2eaaade_o and TS 172.16.40.0/24 === 172.16.50.0/24 "
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[IKE] CHILD_SA site2site{1} established with SPIs cf64ee81_i c2eaaade_o and TS 172.16.40.0/24 === 172.16.50.0/24 "
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[ENC] generating QUICK_MODE request 2703472901 [ HASH ]"
2013-02-12 13:30:27.221 [ngfw] [CHARON-INFO:] "10[NET] sending packet: from 172.16.20.2[500] to 172.16.20.3[500]"

Thanks!
Jordan.
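The kernel errors in the log above, as an added diagnostic example that is not part of the original post or of strongSwan: it correlates charon's "unable to add SAD entry" failures with the CHILD_SA charon still reports as established, and separates the IPComp SA (whose 16-bit CPI shows up as an SPI of at most 0xffff) from the 32-bit ESP SPIs. The sample lines are the post's own log entries, unwrapped; the function names are constructed.

```python
import re

# Constructed sample: the kernel-related charon lines from the post above, unwrapped
# onto one line each (the mail client wrapped them) and without the syslog prefix.
SAMPLE_LOG = """\
10[ENC] parsed QUICK_MODE response 2703472901 [ HASH SA No ID ID ]
10[KNL] received netlink error: Protocol not supported (93)
10[KNL] unable to add SAD entry with SPI 0000e270
10[KNL] received netlink error: Protocol not supported (93)
10[KNL] unable to add SAD entry with SPI 0000410b
10[IKE] CHILD_SA site2site{1} established with SPIs cf64ee81_i c2eaaade_o and TS 172.16.40.0/24 === 172.16.50.0/24
10[IKE] CHILD_SA site2site{1} established with SPIs cf64ee81_i c2eaaade_o and TS 172.16.40.0/24 === 172.16.50.0/24
"""

NETLINK_ERR = re.compile(r"\[KNL\] received netlink error: (?P<msg>.+?) \((?P<errno>\d+)\)")
SAD_FAIL = re.compile(r"\[KNL\] unable to add SAD entry with SPI (?P<spi>[0-9a-fA-F]{8})")
CHILD_UP = re.compile(r"\[IKE\] CHILD_SA (?P<name>\S+) established with SPIs "
                      r"(?P<spi_in>[0-9a-f]{8})_i (?P<spi_out>[0-9a-f]{8})_o")


def analyse(log: str) -> dict:
    """Correlate kernel SAD-install failures with CHILD_SAs charon reports as established."""
    failures, established, last_err = [], {}, None
    for line in log.splitlines():
        if m := NETLINK_ERR.search(line):
            last_err = (m["msg"], int(m["errno"]))   # errno 93 is EPROTONOSUPPORT on Linux
        elif m := SAD_FAIL.search(line):
            spi = int(m["spi"], 16)
            failures.append({"spi": spi, "errno": last_err[1] if last_err else None,
                             # IPComp uses a 16-bit CPI, so an "SPI" <= 0xffff is the
                             # compression SA; ESP/AH SPIs are full 32-bit values
                             "ipcomp": spi <= 0xFFFF})
            last_err = None
        elif m := CHILD_UP.search(line):
            established[m["name"]] = (m["spi_in"], m["spi_out"])  # dedups repeated lines
    ipcomp_failed = any(f["ipcomp"] for f in failures)
    esp_failed = any(not f["ipcomp"] for f in failures)
    if ipcomp_failed and established and not esp_failed:
        verdict = ("IPComp SA rejected by kernel while the ESP CHILD_SA is up: the tunnel "
                   "negotiates but carries no traffic; check kernel IPComp support "
                   "(xfrm_ipcomp/ipcomp modules and the deflate algorithm) or set compress=no")
    elif failures:
        verdict = "kernel rejected ESP/AH SA install"
    else:
        verdict = "no kernel SA install failures"
    return {"failures": failures, "established": established, "verdict": verdict}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG)["verdict"])
```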