[strongSwan] Android client fails to connect with "allocating SPI failed: Invalid argument (22)"
P. J. Reed
speed at sakabatou.net
Thu May 30 18:59:55 CEST 2013
Thank you! My server is running on a virtual machine using a kernel
provided by the host, and it seems it was missing some necessary
modules. After installing my own kernel, everything is working great.
P. J.
On 2013-05-30 11:01, Andreas Steffen wrote:
> Hi,
>
> it seems that some IPsec kernel modules are missing on the
> strongSwan VPN server. Please check against the following list of
> mandatory modules:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> Regards
>
> Andreas
>
> On 05/30/2013 04:53 PM, P. J. Reed wrote:
>> My server is an Ubuntu 12.04 server with a public IP and the
>> Ubuntu-provided Strongswan 4.5.2-1.2 package installed. I'm trying
>> to
>> set up a "road warrior" style configuration for an Android phone
>> using
>> the official Strongswan client; it is on a NAT behind a firewall that
>> I
>> have no control over. When I try to connect, the client says "Failed
>> to
>> establish VPN: User authentication failed". I've spent a while
>> looking
>> through documentation trying to figure out what's going on, but I'm
>> not
>> having any luck; the one suspicious thing that sticks out in the
>> server
>> log when I try to connect is:
>>
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid
>> argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid
>> {2}
>> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
>>
>> There are only a couple of hits for "allocating SPI failed: Invalid
>> argument (22)" on Google and none of them seem related to my setup.
>> Any
>> thoughts?
>>
>> Here's my ipsec.conf:
>> config setup
>> charonstart=yes
>> plutostart=no
>>
>> conn %default
>> ikelifetime=60m
>> keylife=20m
>> rekeymargin=3m
>> keyingtries=1
>> keyexchange=ikev2
>> leftcert=serverCert.pem
>> rightcert=clientCert.pem
>>
>> conn vpnuser
>> left=%defaultroute
>> leftsubnet=0.0.0.0/0
>> right=%any
>> rightid="C=CH, O=linode, CN=client"
>> rightsourceip=10.0.0.0/24
>> auto=add
>>
>> And here's a complete dump of the server log (public IP addresses
>> removed):
>>
>> May 30 09:44:47 linode charon: 05[NET] received packet: from
>> x.x.x.x[57872] to y.y.y.y[500]
>> May 30 09:44:47 linode charon: 05[ENC] parsed IKE_SA_INIT request 0 [
>> SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> May 30 09:44:47 linode charon: 05[IKE] x.x.x.x is initiating an
>> IKE_SA
>> May 30 09:44:47 linode charon: 05[IKE] remote host is behind NAT
>> May 30 09:44:47 linode charon: 05[IKE] sending cert request for
>> "C=CH,
>> O=linode, CN=linode CA"
>> May 30 09:44:47 linode charon: 05[ENC] generating IKE_SA_INIT
>> response
>> 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> May 30 09:44:47 linode charon: 05[NET] sending packet: from
>> y.y.y.y[500] to x.x.x.x[57872]
>> May 30 09:44:48 linode charon: 13[NET] received packet: from
>> x.x.x.x[53768] to y.y.y.y[4500]
>> May 30 09:44:48 linode charon: 13[ENC] parsed IKE_AUTH request 1 [
>> IDi
>> CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6)
>> N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH)
>> N(EAP_ONLY) ]
>> May 30 09:44:48 linode charon: 13[IKE] received cert request for
>> "C=CH,
>> O=linode, CN=linode CA"
>> May 30 09:44:48 linode charon: 13[IKE] received 129 cert requests for
>> an unknown ca
>> May 30 09:44:48 linode charon: 13[IKE] received end entity cert
>> "C=CH,
>> O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[CFG] looking for peer configs
>> matching y.y.y.y[%any]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 13[CFG] selected peer config 'vpnuser'
>> May 30 09:44:48 linode charon: 13[CFG] using trusted ca certificate
>> "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:48 linode charon: 13[CFG] checking certificate status of
>> "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[CFG] certificate status is not
>> available
>> May 30 09:44:48 linode charon: 13[CFG] reached self-signed root ca
>> with a path length of 0
>> May 30 09:44:48 linode charon: 13[CFG] using trusted certificate
>> "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH,
>> O=linode, CN=client' with RSA signature successful
>> May 30 09:44:48 linode charon: 13[IKE] received
>> ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> May 30 09:44:48 linode charon: 13[IKE] peer supports MOBIKE
>> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH,
>> O=linode, CN=linode' (myself) with RSA signature successful
>> May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established
>> between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode,
>> CN=client]
>> May 30 09:44:48 linode charon: 13[IKE] scheduling reauthentication in
>> 3298s
>> May 30 09:44:48 linode charon: 13[IKE] maximum IKE_SA lifetime 3478s
>> May 30 09:44:48 linode charon: 13[IKE] sending end entity cert "C=CH,
>> O=linode, CN=linode"
>> May 30 09:44:48 linode charon: 13[IKE] peer requested virtual IP
>> %any6
>> May 30 09:44:48 linode charon: 13[CFG] reassigning offline lease to
>> 'C=CH, O=linode, CN=client'
>> May 30 09:44:48 linode charon: 13[IKE] assigning virtual IP 10.0.0.1
>> to
>> peer 'C=CH, O=linode, CN=client'
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid
>> argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid
>> {2}
>> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
>> May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1
>> [
>> IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR)
>> N(NO_PROP) ]
>> May 30 09:44:48 linode charon: 13[NET] sending packet: from
>> y.y.y.y[4500] to x.x.x.x[53768]
>> May 30 09:44:48 linode charon: 01[NET] received packet: from
>> x.x.x.x[53768] to y.y.y.y[4500]
>> May 30 09:44:48 linode charon: 01[ENC] parsed INFORMATIONAL request 2
>> [
>> D ]
>> May 30 09:44:48 linode charon: 01[IKE] received DELETE for IKE_SA
>> vpnuser[2]
>> May 30 09:44:48 linode charon: 01[IKE] deleting IKE_SA vpnuser[2]
>> between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode,
>> CN=client]
>> May 30 09:44:48 linode charon: 01[IKE] IKE_SA deleted
>> May 30 09:44:48 linode charon: 01[ENC] generating INFORMATIONAL
>> response 2 [ ]
>> May 30 09:44:48 linode charon: 01[NET] sending packet: from
>> y.y.y.y[4500] to x.x.x.x[53768]
>> May 30 09:44:48 linode charon: 01[CFG] lease 10.0.0.1 by 'C=CH,
>> O=linode, CN=client' went offline
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
More information about the Users
mailing list