[strongSwan] Allocating SPI failed: Operation not permitted (1)

Jan Luca jan at jans-seite.de
Sat Feb 23 11:02:23 CET 2013


Hi,

I have the problem that I cannot connect to strongswan with my Windows 7
Client and IKEv2. In the strongswan-log there is the error "Allocating SPI
failed: Operation not permitted (1)".

Here is my ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
	# strictcrlpolicy=yes
	# uniqueids = no

conn %default
	keyexchange=ikev2
	esp=aes256ctr-sha512,aes256-sha1!
	ike=aes256ctr-sha512-modp4096,aes256-sha256-modp1024!

conn adv
	left=192.168.70.111
	leftcert=cert.pem
	leftsubnet=192.168.70.0/24
	leftfirewall=yes
	right=%any
	rightsourceip=%dhcp
	auto=add


Here is my strongswan.conf:

# strongswan.conf - strongSwan configuration file

charon {

	# number of worker threads in charon
	threads = 16

	filelog {
		/var/log/charon.log {
			time_format = %b %e %T
			append = no
			default = 1
			chd=2
			knl=3
			flush_line = yes
		}
	}

	plugins {
		dhcp {
			server = 192.168.70.101
			force_server_address = yes
		}
	}
}

pluto {

}

libstrongswan {

}


Here is the log:

Feb 22 18:39:15 00[DMN] Starting IKE charon daemon (strongSwan 5.0.2, Linux 3.2.0-4-amd64, x86_64)
Feb 22 18:39:15 00[KNL] known interfaces and IP addresses:
Feb 22 18:39:15 00[KNL]   lo
Feb 22 18:39:15 00[KNL]     127.0.0.1
Feb 22 18:39:15 00[KNL]     ::1
Feb 22 18:39:15 00[KNL]   eth0
Feb 22 18:39:15 00[KNL]     192.168.70.111
Feb 22 18:39:15 00[KNL]     fe80::215:5dff:fe46:6503
Feb 22 18:39:15 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Feb 22 18:39:15 00[CFG]   loaded ca certificate "C=DE, ST=..., O=..., CN=..." from '/etc/ipsec.d/cacerts/cacert.pem'
Feb 22 18:39:15 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Feb 22 18:39:15 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Feb 22 18:39:15 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Feb 22 18:39:15 00[CFG] loading crls from '/etc/ipsec.d/crls'
Feb 22 18:39:15 00[CFG] loading secrets from '/etc/ipsec.secrets'
Feb 22 18:39:15 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/key.pem'
Feb 22 18:39:15 00[DMN] loaded plugins: charon curl mysql pkcs11 aes des blowfish sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-mschapv2 eap-tls xauth-generic dhcp
Feb 22 18:39:15 00[JOB] spawning 16 worker threads
Feb 22 18:39:15 14[CFG] received stroke: add connection 'adv'
Feb 22 18:39:15 14[CFG]   loaded certificate "C=DE, ST=..., O=..., CN=..." from 'cert.pem'
Feb 22 18:39:15 14[CFG] added configuration 'adv'
Feb 22 18:39:16 16[NET] received packet: from 192.168.70.105[500] to 192.168.70.111[500] (528 bytes)
Feb 22 18:39:16 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Feb 22 18:39:16 16[IKE] 192.168.70.105 is initiating an IKE_SA
Feb 22 18:39:16 16[IKE] sending cert request for "C=DE, ST=..., O=..., CN=..."
Feb 22 18:39:16 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Feb 22 18:39:16 16[NET] sending packet: from 192.168.70.111[500] to 192.168.70.105[500] (337 bytes)
Feb 22 18:39:16 05[NET] received packet: from 192.168.70.105[4500] to 192.168.70.111[4500] (9872 bytes)
Feb 22 18:39:16 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Feb 22 18:39:16 05[IKE] received cert request for "C=DE, ST=..., O=..., CN=... "
Feb 22 18:39:16 05[IKE] received 360 cert requests for an unknown ca
Feb 22 18:39:16 05[IKE] received end entity cert "C=DE, ST=..., O=..., CN=..."
Feb 22 18:39:16 05[CFG] looking for peer configs matching 192.168.70.111[%any]...192.168.70.105[C=DE, ST=..., O=..., CN=...]
Feb 22 18:39:16 05[CFG] selected peer config 'adv'
Feb 22 18:39:16 05[CFG]   using certificate "C=DE, ST=..., O=..., CN=..."
Feb 22 18:39:16 05[CFG]   using trusted ca certificate "C=DE, ST=..., O=..., CN=..."
Feb 22 18:39:16 05[CFG] checking certificate status of "C=DE, ST=..., O=..., CN=..."
Feb 22 18:39:16 05[CFG] certificate status is not available
Feb 22 18:39:16 05[CFG]   reached self-signed root ca with a path length of 0
Feb 22 18:39:16 05[IKE] authentication of 'C=DE, ST=..., O=..., CN=...' with RSA signature successful
Feb 22 18:39:16 05[IKE] peer supports MOBIKE
Feb 22 18:39:16 05[IKE] authentication of '192.168.70.111' (myself) with RSA signature successful
Feb 22 18:39:16 05[IKE] IKE_SA adv[1] established between 192.168.70.111[192.168.70.111]...192.168.70.105[C=DE, ST=..., O=..., CN=...]
Feb 22 18:39:16 05[IKE] scheduling reauthentication in 10085s
Feb 22 18:39:16 05[IKE] maximum IKE_SA lifetime 10625s
Feb 22 18:39:16 05[IKE] sending end entity cert "C=DE, ST=..., O=..., CN=..."
Feb 22 18:39:16 05[IKE] peer requested virtual IP %any
Feb 22 18:39:16 05[KNL] using 192.168.70.111 as address to reach 192.168.70.101
Feb 22 18:39:16 05[CFG] sending DHCP DISCOVER to 192.168.70.101
Feb 22 18:39:16 06[CFG] received DHCP OFFER 192.168.70.58 from 192.168.70.101
Feb 22 18:39:16 05[KNL] using 192.168.70.111 as address to reach 192.168.70.101
Feb 22 18:39:16 05[CFG] sending DHCP REQUEST for 192.168.70.58 to 192.168.70.101
Feb 22 18:39:16 06[CFG] received DHCP ACK for 192.168.70.58
Feb 22 18:39:16 05[IKE] assigning virtual IP 192.168.70.58 to peer 'C=DE, ST=..., O=..., CN=...'
Feb 22 18:39:16 05[IKE] peer requested virtual IP %any6
Feb 22 18:39:16 05[IKE] no virtual IP found for %any6 requested by 'C=DE, ST=..., O=..., CN=...'
Feb 22 18:39:16 05[KNL] getting SPI for reqid {1}
Feb 22 18:39:16 05[KNL] sending XFRM_MSG_ALLOCSPI: => 248 bytes @ 0x7fd72766b5f0
Feb 22 18:39:16 05[KNL] allocating SPI failed: Operation not permitted (1)
Feb 22 18:39:16 05[KNL] unable to get SPI for reqid {1}
Feb 22 18:39:16 05[IKE] allocating SPI failed
Feb 22 18:39:16 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 22 18:39:16 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) N(NO_PROP) ]
Feb 22 18:39:16 05[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (2960 bytes)
Feb 22 21:27:21 03[IKE] initiator did not reauthenticate as requested
Feb 22 21:27:21 03[IKE] IKE_SA adv[1] will timeout in 9 minutes
Feb 22 21:36:21 02[IKE] deleting IKE_SA adv[1] between 192.168.70.111[192.168.70.111]...192.168.70.105[C=DE, ST=..., O=..., CN=...]
Feb 22 21:36:21 02[IKE] sending DELETE for IKE_SA adv[1]
Feb 22 21:36:21 02[ENC] generating INFORMATIONAL request 0 [ D ]
Feb 22 21:36:21 02[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (80 bytes)
Feb 22 21:36:25 01[IKE] retransmit 1 of request with message ID 0
Feb 22 21:36:25 01[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (80 bytes)
Feb 22 21:36:32 14[IKE] retransmit 2 of request with message ID 0
Feb 22 21:36:32 14[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (80 bytes)
Feb 22 21:36:45 15[IKE] retransmit 3 of request with message ID 0
Feb 22 21:36:45 15[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (80 bytes)
Feb 22 21:37:09 16[IKE] retransmit 4 of request with message ID 0
Feb 22 21:37:09 16[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (80 bytes)
Feb 22 21:37:51 05[IKE] retransmit 5 of request with message ID 0
Feb 22 21:37:51 05[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (80 bytes)
Feb 22 21:39:06 04[IKE] giving up after 5 retransmits
Feb 22 21:39:06 04[IKE] proper IKE_SA delete failed, peer not responding
Feb 22 21:39:06 04[KNL] using 192.168.70.111 as address to reach 192.168.70.101
Feb 22 21:39:06 04[CFG] sending DHCP RELEASE for 192.168.70.58 to 192.168.70.101

Best regards,
Jan
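As an added example (not part of the post and not strongSwan project code), a small Python parser for charon filelog lines in the format the post uses (time_format = %b %e %T, thread id, group tag, message) that correlates the kernel-interface error with the CHILD_SA failure and the IKE_SA it belongs to, the kind of check one would run over /var/log/charon.log to alert on tunnels whose IKE_SA is up but whose CHILD_SA never comes up. The regexes, the per-worker-thread correlation and the errno-name lookup are my assumptions about the log layout shown above; the sample lines are an excerpt of the posted log.

```python
import errno
import re
from collections import defaultdict

# Line shape produced by the post's filelog settings (time_format = %b %e %T):
# "<month> <day> <hh:mm:ss> <thread>[<GROUP>] <message>"  (assumed layout)
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d\d)\[(?P<group>[A-Z]{3})\] (?P<msg>.*)$"
)
IKE_SA_RE = re.compile(r"^IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\] established between")
KNL_FAIL_RE = re.compile(r"^allocating SPI failed: (?P<text>.+) \((?P<num>\d+)\)$")
CHILD_FAIL = "failed to establish CHILD_SA, keeping IKE_SA"

def parse_line(line):
    """Split one charon log line into timestamp, worker thread, log group and message."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Return one finding per CHILD_SA failure, joined with the kernel error and the
    IKE_SA that the same worker thread reported just before it."""
    per_thread = defaultdict(dict)   # charon handles one exchange on one worker thread
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        state, msg = per_thread[rec["thread"]], rec["msg"]
        if rec["group"] == "IKE" and (m := IKE_SA_RE.match(msg)):
            state.update(conn=m["conn"], ike_id=int(m["id"]))
        elif rec["group"] == "KNL" and (m := KNL_FAIL_RE.match(msg)):
            num = int(m["num"])   # errno as printed by charon; 1 is EPERM
            state.update(knl_error=m["text"], errno=num, errno_name=errno.errorcode.get(num))
        elif rec["group"] == "IKE" and msg == CHILD_FAIL:
            findings.append(dict(ts=rec["ts"], **state))
            state.clear()
    return findings

# Excerpt of the log from the post, with the mail client's line wrapping removed.
SAMPLE_LOG = """\
Feb 22 18:39:16 05[IKE] IKE_SA adv[1] established between 192.168.70.111[192.168.70.111]...192.168.70.105[C=DE, ST=..., O=..., CN=...]
Feb 22 18:39:16 05[IKE] assigning virtual IP 192.168.70.58 to peer 'C=DE, ST=..., O=..., CN=...'
Feb 22 18:39:16 05[KNL] getting SPI for reqid {1}
Feb 22 18:39:16 05[KNL] allocating SPI failed: Operation not permitted (1)
Feb 22 18:39:16 05[KNL] unable to get SPI for reqid {1}
Feb 22 18:39:16 05[IKE] allocating SPI failed
Feb 22 18:39:16 05[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 22 18:39:16 05[NET] sending packet: from 192.168.70.111[4500] to 192.168.70.105[4500] (2960 bytes)
""".splitlines()

if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

Run against the posted log, it reports a single finding for IKE_SA adv[1] whose kernel error is "Operation not permitted" (errno 1, EPERM), which is exactly the point at which the IKE_AUTH exchange above turns into an N(NO_PROP) response.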