[strongSwan] failing to decrypt esp

Chad Winckler CWinckler at westell.com
Mon Mar 11 15:15:34 CET 2013

Thanks again Martin,

Yes, this patch also works and thank you for your explanations!

-----Original Message-----
From: Martin Willi [mailto:martin at strongswan.org] 
Sent: Monday, March 11, 2013 6:57 AM
To: Chad Winckler
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] failing to decrypt esp

Hi Chad,

> I traced the root issue to an alignment problem in the strongswan 
> macro NLMSG_LEN.

NLMSG_LENGTH is not a strongSwan macro, but one defined by the netlink.h Linux header.

> The len value passed in was never aligned and therefore the kernel is 
> off by two bytes when it computes the attribute list length causing it 
> to not complete all the commands.

I don't think that aligning the length is required for a simple payload.
However, when adding attributes after the payload, it is required that we update the length of the added attribute, plus any alignment we added before the attribute.

The patch at [1] fixes this, let me know if this works on your architecture. Probably it's about time to refactor that code...

> One question, why does strongswan redefine the netlink headers

Unfortunately, Linux headers shipped by some distributions are not only horribly outdated, but often just unusable. Therefore we ship a copy of some headers. Of course you can build against your own headers using the --with-linux-headers ./configure option.

> and why not use the libnetlink functions like addattr_l() such as
> iproute2 instead of rolling your own?

The libnetlink functions you refer to here are an integral part of iproute2. In most builds there is no shared library we could use. Using third party libraries or sources has pros and cons, we use our own Netlink code which gives us much more flexibility.



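The length accounting discussed in the thread above, as an added example that is not part of the original messages and is not strongSwan's code: a message whose payload ends off a 4-byte boundary gets two attributes appended, once with the padding left out of the message length and once with it counted. The names `add_attr`, `count_attrs` and `demo`, the local macro names and the 6-byte payload are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Arithmetic of the netlink.h/rtnetlink.h macros, under local names. */
#define ALIGN4(n) (((n) + 3u) & ~3u)   /* NLMSG_ALIGN, RTA_ALIGN */
#define HDRLEN    16u                  /* sizeof(struct nlmsghdr) */
#define ATTR_HDR  4u                   /* sizeof(struct rtattr) */

/* Append one attribute. With count_padding == 0 the padding inserted
 * before the attribute is left out of the returned message length. */
static uint32_t add_attr(uint8_t *buf, uint32_t msg_len, uint16_t type,
                         const void *data, uint16_t dlen, int count_padding)
{
    uint32_t off = ALIGN4(msg_len);    /* attributes start 4-byte aligned */
    uint16_t hdr[2] = { (uint16_t)(ATTR_HDR + dlen), type }; /* len, type */
    memcpy(buf + off, hdr, ATTR_HDR);
    memcpy(buf + off + ATTR_HDR, data, dlen);
    return (count_padding ? off : msg_len) + hdr[0];
}

/* Receiver: walk attributes as RTA_OK/RTA_NEXT do, count those that fit. */
static int count_attrs(const uint8_t *buf, uint32_t msg_len, uint32_t payload)
{
    uint32_t off = ALIGN4(HDRLEN + payload), n = 0;
    uint16_t alen = 0;
    for (; off + ATTR_HDR <= msg_len; off += ALIGN4(alen), n++) {
        memcpy(&alen, buf + off, sizeof(alen));
        if (alen < ATTR_HDR || off + alen > msg_len)
            break;                     /* attribute runs past nlmsg_len */
    }
    return (int)n;
}

/* Constructed: 6-byte payload (16 + 6 = 22, padded to 24), two attributes. */
static int demo(int count_padding)
{
    uint8_t buf[64] = {0};
    uint32_t val = 1, len = HDRLEN + 6;
    len = add_attr(buf, len, 1, &val, sizeof(val), count_padding);
    len = add_attr(buf, len, 2, &val, sizeof(val), count_padding);
    return count_attrs(buf, len, 6);
}

int main(void)
{
    printf("parsed %d/2 (pad ignored), %d/2 (pad counted)\n", demo(0), demo(1));
    return 0;
}
```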
