[strongSwan] Android client fails to connect with "allocating SPI failed: Invalid argument (22)"
P. J. Reed
speed at sakabatou.net
Thu May 30 16:53:10 CEST 2013
My server is an Ubuntu 12.04 server with a public IP and the
Ubuntu-provided strongSwan 4.5.2-1.2 package installed. I'm trying to
set up a "road warrior" style configuration for an Android phone using
the official strongSwan client; it is on a NAT behind a firewall that I
have no control over. When I try to connect, the client says "Failed to
establish VPN: User authentication failed". I've spent a while looking
through documentation trying to figure out what's going on, but I'm not
having any luck; the one suspicious thing that sticks out in the server
log when I try to connect is:
May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
There are only a couple of hits for "allocating SPI failed: Invalid
argument (22)" on Google and none of them seem related to my setup. Any
thoughts?
Here's my ipsec.conf:
config setup
    charonstart=yes
    plutostart=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    leftcert=serverCert.pem
    rightcert=clientCert.pem

conn vpnuser
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=%any
    rightid="C=CH, O=linode, CN=client"
    rightsourceip=10.0.0.0/24
    auto=add
And here's a complete dump of the server log (public IP addresses
removed):
May 30 09:44:47 linode charon: 05[NET] received packet: from x.x.x.x[57872] to y.y.y.y[500]
May 30 09:44:47 linode charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
May 30 09:44:47 linode charon: 05[IKE] x.x.x.x is initiating an IKE_SA
May 30 09:44:47 linode charon: 05[IKE] remote host is behind NAT
May 30 09:44:47 linode charon: 05[IKE] sending cert request for "C=CH, O=linode, CN=linode CA"
May 30 09:44:47 linode charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 30 09:44:47 linode charon: 05[NET] sending packet: from y.y.y.y[500] to x.x.x.x[57872]
May 30 09:44:48 linode charon: 13[NET] received packet: from x.x.x.x[53768] to y.y.y.y[4500]
May 30 09:44:48 linode charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
May 30 09:44:48 linode charon: 13[IKE] received cert request for "C=CH, O=linode, CN=linode CA"
May 30 09:44:48 linode charon: 13[IKE] received 129 cert requests for an unknown ca
May 30 09:44:48 linode charon: 13[IKE] received end entity cert "C=CH, O=linode, CN=client"
May 30 09:44:48 linode charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...x.x.x.x[C=CH, O=linode, CN=client]
May 30 09:44:48 linode charon: 13[CFG] selected peer config 'vpnuser'
May 30 09:44:48 linode charon: 13[CFG] using trusted ca certificate "C=CH, O=linode, CN=linode CA"
May 30 09:44:48 linode charon: 13[CFG] checking certificate status of "C=CH, O=linode, CN=client"
May 30 09:44:48 linode charon: 13[CFG] certificate status is not available
May 30 09:44:48 linode charon: 13[CFG] reached self-signed root ca with a path length of 0
May 30 09:44:48 linode charon: 13[CFG] using trusted certificate "C=CH, O=linode, CN=client"
May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=client' with RSA signature successful
May 30 09:44:48 linode charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 30 09:44:48 linode charon: 13[IKE] peer supports MOBIKE
May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=linode' (myself) with RSA signature successful
May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
May 30 09:44:48 linode charon: 13[IKE] scheduling reauthentication in 3298s
May 30 09:44:48 linode charon: 13[IKE] maximum IKE_SA lifetime 3478s
May 30 09:44:48 linode charon: 13[IKE] sending end entity cert "C=CH, O=linode, CN=linode"
May 30 09:44:48 linode charon: 13[IKE] peer requested virtual IP %any6
May 30 09:44:48 linode charon: 13[CFG] reassigning offline lease to 'C=CH, O=linode, CN=client'
May 30 09:44:48 linode charon: 13[IKE] assigning virtual IP 10.0.0.1 to peer 'C=CH, O=linode, CN=client'
May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
May 30 09:44:48 linode charon: 13[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[53768]
May 30 09:44:48 linode charon: 01[NET] received packet: from x.x.x.x[53768] to y.y.y.y[4500]
May 30 09:44:48 linode charon: 01[ENC] parsed INFORMATIONAL request 2 [ D ]
May 30 09:44:48 linode charon: 01[IKE] received DELETE for IKE_SA vpnuser[2]
May 30 09:44:48 linode charon: 01[IKE] deleting IKE_SA vpnuser[2] between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
May 30 09:44:48 linode charon: 01[IKE] IKE_SA deleted
May 30 09:44:48 linode charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
May 30 09:44:48 linode charon: 01[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[53768]
May 30 09:44:48 linode charon: 01[CFG] lease 10.0.0.1 by 'C=CH, O=linode, CN=client' went offline
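The server log in the post shows the peer's RSA authentication succeeding and the IKE_SA being established before the [KNL] error, with N(NO_PROP) in the IKE_AUTH response that the client then deletes; the "User authentication failed" shown on the phone is therefore not the stage where the attempt actually broke. The parser below is an added example, not code from the post or from strongSwan: it reads lines in charon's log format and reports whether a responder-side attempt failed at peer authentication or at kernel SPI allocation. The SAMPLE_LOG is a constructed excerpt modelled on the post's log.

```python
import re

# Constructed excerpt in charon's format: "<mon> <day> <time> <host> charon: <thread>[<subsys>] <message>"
SAMPLE_LOG = """\
May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=client' with RSA signature successful
May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=linode' (myself) with RSA signature successful
May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(NO_PROP) ]
May 30 09:44:48 linode charon: 01[IKE] received DELETE for IKE_SA vpnuser[2]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) charon: "
                     r"(?P<thread>\d+)\[(?P<sub>[A-Z]+)\] (?P<msg>.*)$")
SPI_ERR_RE = re.compile(r"allocating SPI failed: (?P<text>.+) \((?P<errno>\d+)\)")
IKE_SA_RE = re.compile(r"IKE_SA (?P<name>\S+) established")

def parse(text):
    """Yield one dict per line in charon's format; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def diagnose(text):
    """Return where a responder-side IKEv2 attempt failed: 'kernel' (IKE_SA up, but
    the kernel refused a CHILD_SA SPI), 'auth' (peer never authenticated), 'ok', 'unknown'."""
    result = {"peer_auth_ok": False, "ike_sa": None, "errno": None, "no_proposal_chosen": False}
    recs = list(parse(text))
    for rec in recs:
        sub, msg = rec["sub"], rec["msg"]
        if sub == "IKE" and msg.endswith("signature successful") and "(myself)" not in msg:
            result["peer_auth_ok"] = True           # the remote peer's AUTH payload verified
        if (m := IKE_SA_RE.match(msg)):
            result["ike_sa"] = m.group("name")
        if sub == "KNL" and (m := SPI_ERR_RE.match(msg)):
            result["errno"] = int(m.group("errno"))  # errno the kernel returned for the SPI request
        if "generating IKE_AUTH response" in msg and "N(NO_PROP)" in msg:
            result["no_proposal_chosen"] = True     # what the client actually gets back
    if result["errno"] is not None:
        result["stage"] = "kernel"
    elif result["ike_sa"]:
        result["stage"] = "ok"
    elif recs:
        result["stage"] = "auth"
    else:
        result["stage"] = "unknown"
    return result
```

Running `diagnose` over a full charon log separates "the peer's certificate was rejected" from "the peer authenticated but the kernel could not set up the CHILD_SA", which is the distinction the phone's error message hides.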