[strongSwan] failing to decrypt esp
Chad Winckler
cwinckler at westell.com
Fri Mar 8 20:23:00 CET 2013
Martin Willi <martin at ...> writes:
>
>
> > I tried a manual entry and it looks good. So is there a strongswan config
> > option perhaps I am missing?
>
> No, looks more like a bug. Unfortunately it is very difficult for me to
> debug this without having such a board. If you want to debug this
> yourself, have a look at [1] how the Netlink messages get constructed
> in userland. Debugging the kernel at [2] might give you some insight
> what is wrong.
>
> Regards
> Martin
>
> [1] http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c;hb=HEAD#l1153
> [2] http://git.strongswan.org/?p=linux-dumm.git;a=blob;f=net/xfrm/xfrm_user.c;hb=HEAD#l570
Hi Martin,
I traced the root issue to an alignment problem in the strongswan macro
NLMSG_LEN. The len value passed in was never aligned, and therefore the kernel
is off by two bytes when it computes the attribute list length, causing it to
not complete all the commands. One question: why does strongswan redefine
the netlink headers, and why not use the libnetlink functions like addattr_l(),
as iproute2 does, instead of rolling your own?
Thanks for your help,
Chad
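
The class of problem described in the message above, as an added example that is not part of the original post or of strongSwan's code: a sender that appends attributes at an unaligned message length, next to one that rounds the tail up first as libnetlink's addattr_l() does. The `ex_` names, the 6-byte fixed payload and the attribute values are constructed for illustration, and the structs are local mirrors of the kernel layout so the block builds without the Linux headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Local mirrors of the Linux layout (assumption: same fields and 4-byte
 * alignment as struct nlmsghdr / struct rtattr in <linux/netlink.h>). */
struct ex_nlmsghdr { uint32_t len; uint16_t type, flags; uint32_t seq, pid; };
struct ex_rtattr { uint16_t len, type; };
#define EX_ALIGN(n) (((n) + 3u) & ~3u) /* same rounding as NLMSG_ALIGN */

/* Append one attribute. align_tail=0 writes at the raw hdr->len (the faulty
 * pattern); align_tail=1 rounds the tail up first, as addattr_l() does. */
static int add_attr(struct ex_nlmsghdr *hdr, size_t bufsz, uint16_t type,
                    const void *data, uint16_t dlen, int align_tail) {
    struct ex_rtattr a = { (uint16_t)(sizeof(struct ex_rtattr) + dlen), type };
    uint32_t tail = align_tail ? EX_ALIGN(hdr->len) : hdr->len;
    if (tail + EX_ALIGN(a.len) > bufsz) return -1;
    memcpy((char *)hdr + tail, &a, sizeof a);
    memcpy((char *)hdr + tail + sizeof a, data, dlen);
    hdr->len = tail + (align_tail ? EX_ALIGN(a.len) : a.len);
    return 0;
}

/* Receiver's view: attributes begin at the aligned end of the fixed payload,
 * each next one at a 4-byte boundary. Counts well-formed attributes found. */
static int count_attrs(const struct ex_nlmsghdr *hdr, uint32_t fixed_len) {
    uint32_t off = (uint32_t)sizeof *hdr + EX_ALIGN(fixed_len);
    int n = 0;
    while (off + sizeof(struct ex_rtattr) <= hdr->len) {
        struct ex_rtattr a;
        memcpy(&a, (const char *)hdr + off, sizeof a);
        if (a.len < sizeof a || off + a.len > hdr->len) break; /* malformed */
        n++, off += EX_ALIGN(a.len);
    }
    return n;
}

/* Constructed message: 6-byte fixed payload (not a multiple of 4) + 2 attrs. */
static int build_and_parse(int align_tail) {
    union { struct ex_nlmsghdr hdr; unsigned char raw[128]; } m = { { 0 } };
    const uint8_t val[5] = { 1, 2, 3, 4, 5 }; /* constructed attribute data */
    m.hdr.len = (uint32_t)sizeof m.hdr + 6;   /* 22: not 4-byte aligned */
    add_attr(&m.hdr, sizeof m, 1, val, sizeof val, align_tail);
    add_attr(&m.hdr, sizeof m, 2, val, sizeof val, align_tail);
    return count_attrs(&m.hdr, 6);
}

int main(void) {
    return printf("attributes seen: raw tail %d, aligned tail %d\n",
                  build_and_parse(0), build_and_parse(1)) < 0;
}
```

With the raw tail the receiver starts reading two bytes into the first attribute, takes its type field for a length, and stops without accepting any attribute.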