[strongSwan] failing to decrypt esp
Chad Winckler
cwinckler at westell.com
Wed Mar 6 16:17:00 CET 2013
Martin Willi <martin at ...> writes:
>
> Either strongSwan gets something wrong while installing the SA on your
> architecture, or our kernel is somehow broken. The easiest way to check
> that is probably by installing some SAs manually, such as:
>
> > ip xfrm state add src 10.1.2.3 dst 10.2.3.4 proto esp spi 012345 \
> > mode tunnel reqid 1 enc aes 0x01020304050607080910111213141516 \
> > auth sha1 0x0102030405060708091011121314151617181920
>
> Regards
> Martin
>
>
Hi Martin,
I tried a manual entry and it looks good. So is there a strongswan config
option perhaps I am missing?
-Chad

ip xfrm state add src 10.1.2.3 dst 10.2.3.4 proto esp spi 012345 \
    mode tunnel reqid 1 enc aes 0x01020304050607080910111213141516 \
    auth sha1 0x0102030405060708091011121314151617181920

ip -s xfrm state
src 10.1.2.3 dst 10.2.3.4
    proto esp spi 0x000014e5(5349) reqid 1(0x00000001) mode tunnel
    replay-window 0 seq 0x00000000 flag (0x00000000)
    auth-trunc hmac(sha1) 0x0102030405060708091011121314151617181920 (160 bits) 96
    enc cbc(aes) 0x01020304050607080910111213141516 (128 bits)
    sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2000-01-01 05:01:23 use -
    stats:
      replay-window 0 replay 0 failed 0
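
Added example, not part of the original thread and not strongSwan code: a Python check that parses an `ip xfrm state` dump and compares it with the arguments given to `ip xfrm state add`, as in the manual test above. The function names and the `KERNEL_NAME` map are assumptions for illustration; the SPI is parsed C-style, which is why `012345` (octal) appears in the dump as `0x000014e5(5349)`.

```python
import re

# Constructed sample: the SA lines of the `ip -s xfrm state` dump in the message above.
SAMPLE = """\
src 10.1.2.3 dst 10.2.3.4
proto esp spi 0x000014e5(5349) reqid 1(0x00000001) mode tunnel
replay-window 0 seq 0x00000000 flag (0x00000000)
auth-trunc hmac(sha1) 0x0102030405060708091011121314151617181920 (160 bits) 96
enc cbc(aes) 0x01020304050607080910111213141516 (128 bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
"""

# Short names from the command mapped to the names the dump prints (as seen above).
KERNEL_NAME = {"sha1": "hmac(sha1)", "aes": "cbc(aes)"}

def c_number(text):
    """Parse like C strtoul(..., 0): 0x = hex, leading 0 = octal, else decimal."""
    t = text.lower()
    if t.startswith("0x"):
        return int(t, 16)
    return int(t, 8) if len(t) > 1 and t.startswith("0") else int(t, 10)

def parse_states(dump):
    """Return one dict per SA found in `ip xfrm state` output."""
    states = []
    for line in dump.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[0] == "src" and tok[2] == "dst":
            states.append({"src": tok[1], "dst": tok[3]})
        elif states and tok and tok[0] == "proto":
            fields = dict(zip(tok[0::2], tok[1::2]))  # proto/spi/reqid/mode pairs
            states[-1].update(proto=fields["proto"], mode=fields["mode"],
                              spi=int(fields["spi"].split("(")[0], 16),
                              reqid=int(fields["reqid"].split("(")[0]))
        elif states and tok and tok[0] in ("auth", "auth-trunc", "enc"):
            bits = re.search(r"\((\d+) bits\)", line)
            # Store (kernel algorithm name, key as hex string, key length in bits).
            states[-1][tok[0].split("-")[0]] = (
                tok[1], tok[2].lower(), int(bits.group(1)) if bits else None)
    return states

def mismatches(sa, spi, mode, reqid, enc, auth):
    """Compare a parsed SA with the arguments given to `ip xfrm state add`."""
    want = {"spi": c_number(spi), "mode": mode, "reqid": reqid}
    for kind, (alg, key) in (("enc", enc), ("auth", auth)):
        want[kind] = (KERNEL_NAME[alg], key.lower(), (len(key) - 2) * 4)
    # Map each differing field to (expected, found); empty dict means a match.
    return {k: (v, sa.get(k)) for k, v in want.items() if sa.get(k) != v}
```

An empty result from `mismatches()` means the kernel holds the SA exactly as requested; any entry names the field that differs as `(expected, found)`.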