[strongSwan] Android client fails to connect with "allocating SPI failed: Invalid argument (22)"

Andreas Steffen andreas.steffen at strongswan.org
Thu May 30 18:01:14 CEST 2013 

Hi,

it seems that some IPsec kernel modules are missing on the
strongSwan VPN server. Please check against the following list of
mandatory modules:

http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

Regards

Andreas

On 05/30/2013 04:53 PM, P. J. Reed wrote:
> My server is an Ubuntu 12.04 server with a public IP and the 
> Ubuntu-provided Strongswan 4.5.2-1.2 package installed.  I'm trying to 
> set up a "road warrior" style configuration for an Android phone using 
> the official Strongswan client; it is on a NAT behind a firewall that I 
> have no control over.  When I try to connect, the client says "Failed to 
> establish VPN: User authentication failed".  I've spent a while looking 
> through documentation trying to figure out what's going on, but I'm not 
> having any luck; the one suspicious thing that sticks out in the server 
> log when I try to connect is:
> 
> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid 
> argument (22)
> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
> 
> There are only a couple of hits for "allocating SPI failed: Invalid 
> argument (22)" on Google and none of them seem related to my setup.  Any 
> thoughts?
> 
> Here's my ipsec.conf:
> config setup
>    charonstart=yes
>    plutostart=no
> 
> conn %default
>    ikelifetime=60m
>    keylife=20m
>    rekeymargin=3m
>    keyingtries=1
>    keyexchange=ikev2
>    leftcert=serverCert.pem
>    rightcert=clientCert.pem
> 
> conn vpnuser
>    left=%defaultroute
>    leftsubnet=0.0.0.0/0
>    right=%any
>    rightid="C=CH, O=linode, CN=client"
>    rightsourceip=10.0.0.0/24
>    auto=add
> 
> And here's a complete dump of the server log (public IP addresses 
> removed):
> 
> May 30 09:44:47 linode charon: 05[NET] received packet: from 
> x.x.x.x[57872] to y.y.y.y[500]
> May 30 09:44:47 linode charon: 05[ENC] parsed IKE_SA_INIT request 0 [ 
> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> May 30 09:44:47 linode charon: 05[IKE] x.x.x.x is initiating an IKE_SA
> May 30 09:44:47 linode charon: 05[IKE] remote host is behind NAT
> May 30 09:44:47 linode charon: 05[IKE] sending cert request for "C=CH, 
> O=linode, CN=linode CA"
> May 30 09:44:47 linode charon: 05[ENC] generating IKE_SA_INIT response 
> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
> May 30 09:44:47 linode charon: 05[NET] sending packet: from 
> y.y.y.y[500] to x.x.x.x[57872]
> May 30 09:44:48 linode charon: 13[NET] received packet: from 
> x.x.x.x[53768] to y.y.y.y[4500]
> May 30 09:44:48 linode charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi 
> CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) 
> N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) 
> N(EAP_ONLY) ]
> May 30 09:44:48 linode charon: 13[IKE] received cert request for "C=CH, 
> O=linode, CN=linode CA"
> May 30 09:44:48 linode charon: 13[IKE] received 129 cert requests for 
> an unknown ca
> May 30 09:44:48 linode charon: 13[IKE] received end entity cert "C=CH, 
> O=linode, CN=client"
> May 30 09:44:48 linode charon: 13[CFG] looking for peer configs 
> matching y.y.y.y[%any]...x.x.x.x[C=CH, O=linode, CN=client]
> May 30 09:44:48 linode charon: 13[CFG] selected peer config 'vpnuser'
> May 30 09:44:48 linode charon: 13[CFG]   using trusted ca certificate 
> "C=CH, O=linode, CN=linode CA"
> May 30 09:44:48 linode charon: 13[CFG] checking certificate status of 
> "C=CH, O=linode, CN=client"
> May 30 09:44:48 linode charon: 13[CFG] certificate status is not 
> available
> May 30 09:44:48 linode charon: 13[CFG]   reached self-signed root ca 
> with a path length of 0
> May 30 09:44:48 linode charon: 13[CFG]   using trusted certificate 
> "C=CH, O=linode, CN=client"
> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, 
> O=linode, CN=client' with RSA signature successful
> May 30 09:44:48 linode charon: 13[IKE] received 
> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
> May 30 09:44:48 linode charon: 13[IKE] peer supports MOBIKE
> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, 
> O=linode, CN=linode' (myself) with RSA signature successful
> May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established 
> between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, 
> CN=client]
> May 30 09:44:48 linode charon: 13[IKE] scheduling reauthentication in 
> 3298s
> May 30 09:44:48 linode charon: 13[IKE] maximum IKE_SA lifetime 3478s
> May 30 09:44:48 linode charon: 13[IKE] sending end entity cert "C=CH, 
> O=linode, CN=linode"
> May 30 09:44:48 linode charon: 13[IKE] peer requested virtual IP %any6
> May 30 09:44:48 linode charon: 13[CFG] reassigning offline lease to 
> 'C=CH, O=linode, CN=client'
> May 30 09:44:48 linode charon: 13[IKE] assigning virtual IP 10.0.0.1 to 
> peer 'C=CH, O=linode, CN=client'
> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid 
> argument (22)
> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
> May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1 [ 
> IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) 
> N(NO_PROP) ]
> May 30 09:44:48 linode charon: 13[NET] sending packet: from 
> y.y.y.y[4500] to x.x.x.x[53768]
> May 30 09:44:48 linode charon: 01[NET] received packet: from 
> x.x.x.x[53768] to y.y.y.y[4500]
> May 30 09:44:48 linode charon: 01[ENC] parsed INFORMATIONAL request 2 [ 
> D ]
> May 30 09:44:48 linode charon: 01[IKE] received DELETE for IKE_SA 
> vpnuser[2]
> May 30 09:44:48 linode charon: 01[IKE] deleting IKE_SA vpnuser[2] 
> between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, 
> CN=client]
> May 30 09:44:48 linode charon: 01[IKE] IKE_SA deleted
> May 30 09:44:48 linode charon: 01[ENC] generating INFORMATIONAL 
> response 2 [ ]
> May 30 09:44:48 linode charon: 01[NET] sending packet: from 
> y.y.y.y[4500] to x.x.x.x[53768]
> May 30 09:44:48 linode charon: 01[CFG] lease 10.0.0.1 by 'C=CH, 
> O=linode, CN=client' went offline

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4468 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130530/4d4c5e2c/attachment.bin>

More information about the Users mailing list