[strongSwan] failing to decrypt esp

Chad Winckler cwinckler at westell.com
Fri Mar 8 20:23:00 CET 2013

Martin Willi <martin at ...> writes:

> > I tried a manual entry and it looks good.  So is there a strongswan config
> > option perhaps I am missing?
> No, looks more like a bug. Unfortunately it is very difficult for me to
> debug this without having such a board. If you want to debug this
> yourself, have a look at [1] how the Netlink messages gets constructed
> in userland. Debugging the kernel at [2] might give you some insight
> what is wrong.
> Regards
> Martin

Hi Martin,

I traced the root issue to an alignment problem in the strongswan macro
NLMSG_LEN.  The len value passed in was never aligned and therefore the kernel
is off by two bytes when it computes the attribute list length causing it to
not complete all the commands.  One question, why does strongswan redefine
the netlink headers and why not use the libnetlink functions like addattr_l()
such as iproute2 instead of rolling your own?

thanks for your help,

More information about the Users mailing list