[strongSwan] failing to decrypt esp

Martin Willi martin at strongswan.org
Wed Mar 6 09:22:40 CET 2013


Hi Chad,

> src 192.168.1.208 dst 192.168.1.3
>         proto esp spi 0xc19173e1(3247535073) reqid 4(0x00000004) mode tunnel
>         replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>         enc cbc(aes) 0xccde20ccf4265eaf08aebd1b0b80c487 (128 bits)

This looks suspicious. The authentication key and algorithm are just
missing, which perfectly explains the EINVAL. It should look something
like:

> src 192.168.0.1 dst 192.168.0.2
>         proto esp spi 0xc6a9b39d(3333010333) reqid 1(0x00000001) mode tunnel
>         replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
>         auth hmac(sha1) 0x36269b44dddd07521b8881ef46c386df4bef9b48 (160 bits)
>         enc cbc(aes) 0x0d19791684cb6f8348992f907cdfd726 (128 bits)

Do you see this on both devices? Is this on the DUT? What architecture
and kernel does it run?

Regards
Martin
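
An added example, not part of the original message: a small Python check that parses `ip xfrm state` output and reports ESP SAs that carry an `enc` algorithm but no integrity algorithm, the condition pointed out in the reply above. The sample input, its addresses, SPIs and keys are constructed, and the function names are hypothetical; `auth-trunc` and `aead` are accepted alongside `auth` because iproute2 also prints those keywords.

```python
# Constructed sample in `ip xfrm state` format; addresses, SPIs and keys are dummies.
SAMPLE = """\
src 10.0.0.1 dst 10.0.0.2
        proto esp spi 0x00000001(1) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        enc cbc(aes) 0x00112233445566778899aabbccddeeff (128 bits)
src 10.0.0.2 dst 10.0.0.1
        proto esp spi 0x00000002(2) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 (160 bits)
        enc cbc(aes) 0x00112233445566778899aabbccddeeff (128 bits)
"""

INTEGRITY = ("auth", "auth-trunc", "aead")  # keywords that carry an integrity key


def parse_states(text):
    """Split `ip xfrm state` output into one dict per SA."""
    states = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if line.startswith("src ") and len(tok) >= 4:  # unindented line opens a new SA
            states.append({"src": tok[1], "dst": tok[3],
                           "proto": None, "spi": None, "algs": {}})
        elif states and tok[0] == "proto" and len(tok) >= 4:
            states[-1]["proto"] = tok[1]
            states[-1]["spi"] = tok[3].split("(")[0]  # drop the decimal form
        elif states and tok[0] in INTEGRITY + ("enc",) and len(tok) >= 2:
            states[-1]["algs"][tok[0]] = tok[1]  # keep the algorithm name, not the key
    return states


def esp_without_integrity(states):
    """ESP SAs that have an enc algorithm but no auth/auth-trunc/aead entry."""
    return [s for s in states
            if s["proto"] == "esp" and "enc" in s["algs"]
            and not any(k in s["algs"] for k in INTEGRITY)]


if __name__ == "__main__":
    import sys
    # Read real output from stdin when piped, otherwise use the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for s in esp_without_integrity(parse_states(text)):
        print(f"{s['src']} -> {s['dst']} spi {s['spi']}: "
              f"enc {s['algs']['enc']} but no auth key installed")
```

Piping `ip xfrm state` into the script on each peer shows whether the missing `auth` line appears on one device or both.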




