[strongSwan] Android client fails to connect with "allocating SPI failed: Invalid argument (22)"

P. J. Reed speed at sakabatou.net
Thu May 30 18:59:55 CEST 2013


Thank you!  My server is running on a virtual machine using a kernel 
provided by the host, and it seems it was missing some necessary 
modules.  After installing my own kernel, everything is working great.

P. J.

On 2013-05-30 11:01, Andreas Steffen wrote:
> Hi,
> 
> it seems that some IPsec kernel modules are missing on the
> strongSwan VPN server. Please check against the following list of
> mandatory modules:
> 
> http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
> 
> Regards
> 
> Andreas
> 
> On 05/30/2013 04:53 PM, P. J. Reed wrote:
>> My server is an Ubuntu 12.04 server with a public IP and the
>> Ubuntu-provided Strongswan 4.5.2-1.2 package installed.  I'm trying to
>> set up a "road warrior" style configuration for an Android phone using
>> the official Strongswan client; it is on a NAT behind a firewall that I
>> have no control over.  When I try to connect, the client says "Failed to
>> establish VPN: User authentication failed".  I've spent a while looking
>> through documentation trying to figure out what's going on, but I'm not
>> having any luck; the one suspicious thing that sticks out in the server
>> log when I try to connect is:
>> 
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
>> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
>> 
>> There are only a couple of hits for "allocating SPI failed: Invalid
>> argument (22)" on Google and none of them seem related to my setup.  Any
>> thoughts?
>> 
>> Here's my ipsec.conf:
>> config setup
>>    charonstart=yes
>>    plutostart=no
>> 
>> conn %default
>>    ikelifetime=60m
>>    keylife=20m
>>    rekeymargin=3m
>>    keyingtries=1
>>    keyexchange=ikev2
>>    leftcert=serverCert.pem
>>    rightcert=clientCert.pem
>> 
>> conn vpnuser
>>    left=%defaultroute
>>    leftsubnet=0.0.0.0/0
>>    right=%any
>>    rightid="C=CH, O=linode, CN=client"
>>    rightsourceip=10.0.0.0/24
>>    auto=add
>> 
>> And here's a complete dump of the server log (public IP addresses
>> removed):
>> 
>> May 30 09:44:47 linode charon: 05[NET] received packet: from x.x.x.x[57872] to y.y.y.y[500]
>> May 30 09:44:47 linode charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> May 30 09:44:47 linode charon: 05[IKE] x.x.x.x is initiating an IKE_SA
>> May 30 09:44:47 linode charon: 05[IKE] remote host is behind NAT
>> May 30 09:44:47 linode charon: 05[IKE] sending cert request for "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:47 linode charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> May 30 09:44:47 linode charon: 05[NET] sending packet: from y.y.y.y[500] to x.x.x.x[57872]
>> May 30 09:44:48 linode charon: 13[NET] received packet: from x.x.x.x[53768] to y.y.y.y[4500]
>> May 30 09:44:48 linode charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> May 30 09:44:48 linode charon: 13[IKE] received cert request for "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:48 linode charon: 13[IKE] received 129 cert requests for an unknown ca
>> May 30 09:44:48 linode charon: 13[IKE] received end entity cert "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 13[CFG] selected peer config 'vpnuser'
>> May 30 09:44:48 linode charon: 13[CFG]   using trusted ca certificate "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:48 linode charon: 13[CFG] checking certificate status of "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[CFG] certificate status is not available
>> May 30 09:44:48 linode charon: 13[CFG]   reached self-signed root ca with a path length of 0
>> May 30 09:44:48 linode charon: 13[CFG]   using trusted certificate "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=client' with RSA signature successful
>> May 30 09:44:48 linode charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> May 30 09:44:48 linode charon: 13[IKE] peer supports MOBIKE
>> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=linode' (myself) with RSA signature successful
>> May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 13[IKE] scheduling reauthentication in 3298s
>> May 30 09:44:48 linode charon: 13[IKE] maximum IKE_SA lifetime 3478s
>> May 30 09:44:48 linode charon: 13[IKE] sending end entity cert "C=CH, O=linode, CN=linode"
>> May 30 09:44:48 linode charon: 13[IKE] peer requested virtual IP %any6
>> May 30 09:44:48 linode charon: 13[CFG] reassigning offline lease to 'C=CH, O=linode, CN=client'
>> May 30 09:44:48 linode charon: 13[IKE] assigning virtual IP 10.0.0.1 to peer 'C=CH, O=linode, CN=client'
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
>> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
>> May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
>> May 30 09:44:48 linode charon: 13[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[53768]
>> May 30 09:44:48 linode charon: 01[NET] received packet: from x.x.x.x[53768] to y.y.y.y[4500]
>> May 30 09:44:48 linode charon: 01[ENC] parsed INFORMATIONAL request 2 [ D ]
>> May 30 09:44:48 linode charon: 01[IKE] received DELETE for IKE_SA vpnuser[2]
>> May 30 09:44:48 linode charon: 01[IKE] deleting IKE_SA vpnuser[2] between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 01[IKE] IKE_SA deleted
>> May 30 09:44:48 linode charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
>> May 30 09:44:48 linode charon: 01[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[53768]
>> May 30 09:44:48 linode charon: 01[CFG] lease 10.0.0.1 by 'C=CH, O=linode, CN=client' went offline
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
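
The diagnosis reached in this thread, as an added example that is not part of the original messages or of strongSwan: a log triage that separates a kernel-side SPI allocation failure from a genuine authentication failure, which the client's "User authentication failed" message does not distinguish. The function names `unwrap` and `triage` and the verdict strings are illustrative assumptions; the sample input is constructed from the log lines quoted above.

```python
import re

# Constructed sample: charon lines from the thread, quote-prefixed and hard-wrapped.
SAMPLE = """\
>> May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established
>> between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode,
>> CN=client]
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid
>> argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid
>> {2}
"""

QUOTE = re.compile(r"^(?:>\s?)+")                               # mail quote prefix
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")   # syslog timestamp
ENTRY = re.compile(r"charon: (\d+)\[(\w+)\] (.*)$")             # thread, subsystem, text

def unwrap(text):
    """Strip quote markers and re-join records that were wrapped in transit."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        if STAMP.match(line) or not records:
            records.append(line)          # a timestamp starts a new record
        else:
            records[-1] += " " + line     # continuation of the previous one
    return records

def triage(text):
    """Map charon thread id -> where to look, for threads with an SPI failure."""
    ike_up, verdicts = set(), {}
    for record in unwrap(text):
        m = ENTRY.search(record)
        if not m:
            continue
        thread, subsys, msg = m.groups()
        if subsys == "IKE" and msg.startswith("IKE_SA") and " established" in msg:
            ike_up.add(thread)
        elif subsys == "KNL" and msg.startswith("allocating SPI failed"):
            # With the IKE_SA up, peer authentication has already succeeded:
            # the fault is kernel IPsec support, not the certificates.
            verdicts[thread] = ("kernel IPsec support" if thread in ike_up
                                else "kernel IPsec support (IKE_SA not seen)")
    return verdicts

if __name__ == "__main__":
    print(triage(SAMPLE))
```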
