[strongSwan] failing to decrypt esp

Chad Winckler cwinckler at westell.com
Wed Mar 6 22:32:57 CET 2013


Martin Willi <martin at ...> writes:

> 
> 
> > I tried a manual entry and it looks good.  So is there a strongswan config
> > option perhaps I am missing?
> 
> No, looks more like a bug. Unfortunately it is very difficult for me to
> debug this without having such a board. If you want to debug this
> yourself, have a look at [1] how the Netlink messages get constructed
> in userland. Debugging the kernel at [2] might give you some insight
> what is wrong.
> 
> Regards
> Martin
> 
> [1]http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;hb=HEAD#l1153
> [2]http://git.strongswan.org/?p=linux-dumm.git;a=blob;f=net/xfrm/xfrm_user.c;hb=HEAD#l570
> 
> 


Hi Martin,

It looks like I gave you some wrong information, so let me correct myself.
I am actually using the coldfire cpu which is a sub arch of m68k
(not mips, sorry).
Also, I missed some key output which I now believe is identifying the problem.
When I run the command manually it completes with no console output other than
my prints.
And the ip -s xfrm state command shows the correct info.  However,
when strongswan builds the netlink header and sends it, I am getting
console output (although no errors) like the following:

netlink: 62 bytes leftover after parsing attributes.
netlink: 62 bytes leftover after parsing attributes.
netlink: 62 bytes leftover after parsing attributes.

So, I am going to go investigate this, but it looks like iproute2 is
building the header correctly and strongswan is not??
Is the netlink structure arch dependent?
Let me know what you think,
thanks,
Chad
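
The "bytes leftover after parsing attributes" message quoted above is printed when the receiver's walk over the attribute list ends with bytes that form no valid attribute. The following is an added example, not code from strongSwan, iproute2 or the kernel, and not a diagnosis of this board: a simplified model of that walk, using a constructed message whose 222-byte fixed header size is a hypothetical value that is not a multiple of 4.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ALIGN4(n) (((n) + 3u) & ~(size_t)3u)  /* same rounding as NLMSG_ALIGN / RTA_ALIGN */

struct attr_hdr { uint16_t len; uint16_t type; };  /* same layout as struct rtattr */

/* Walk attributes as a receiver does; return the bytes that form no valid attribute. */
static int leftover_after_attrs(const uint8_t *p, size_t rem, int *parsed)
{
    *parsed = 0;
    while (rem >= sizeof(struct attr_hdr)) {
        struct attr_hdr h;
        memcpy(&h, p, sizeof h);
        if (h.len < sizeof h || h.len > rem)
            break;                      /* malformed header: the rest is "leftover" */
        size_t step = ALIGN4(h.len);    /* attributes are padded to 4 bytes */
        if (step > rem)
            step = rem;
        p += step;
        rem -= step;
        (*parsed)++;
    }
    return (int)rem;
}

/* Constructed message: fixed_len header bytes, then one 16-byte attribute.
 * The sender writes it at fixed_len (raw) or at ALIGN4(fixed_len); the
 * receiver always starts parsing at ALIGN4(fixed_len). */
static int send_and_parse(size_t fixed_len, int sender_aligns, int *parsed)
{
    uint8_t msg[512] = {0};
    struct attr_hdr h = { .len = 16, .type = 1 };  /* 4-byte header + 12 zero bytes */
    size_t at = sender_aligns ? ALIGN4(fixed_len) : fixed_len;
    size_t start = ALIGN4(fixed_len);
    memcpy(msg + at, &h, sizeof h);
    return leftover_after_attrs(msg + start, at + h.len - start, parsed);
}

int main(void)
{
    int n, left;
    left = send_and_parse(222, 1, &n);  /* hypothetical header size, aligned sender */
    printf("aligned sender:   %d attrs, %d bytes leftover\n", n, left);
    left = send_and_parse(222, 0, &n);  /* same size, attribute placed unaligned */
    printf("unaligned sender: %d attrs, %d bytes leftover\n", n, left);
    return 0;
}
```

When sender and receiver disagree on the attribute offset, the receiver reads the middle of the first attribute as a header, stops, and counts everything after its starting offset as leftover.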









