[strongSwan] Problem with running Strongswan on a consumer router: Asus RT-N16
Lawrence Chiu
Lawrence_Chiu_TX3 at yahoo.com
Wed Oct 2 10:04:06 CEST 2013
The relevant errors appear to be:
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI ce0f9914: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI 146ce921: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to delete SAD entry with SPI 146ce921: No such process (3)
Searching for this error on Google shows this old post from 2009:
https://lists.strongswan.org/pipermail/users/2009-September/003826.html
to which Martin Willi replied with a patch to xfrm_algo.c. I already
have this patch because the Linux kernel is 2.6.22.19 and xfrm_algo.c
looks like this in my kernel:
=== ./linux/linux-2.6/net/xfrm/xfrm_algo.c
		if (!probe)
			break;
		status = crypto_has_alg(list[i].name, algo_list->type,
					algo_list->mask);
		if (!status)
			break;
===
Any ideas? Thanks so much.
Regards,
Lawrence
On 9/27/2013 10:37 AM, Lawrence Chiu wrote:
> I am trying to run Strongswan on a consumer router, an Asus RT-N16.
> There aren't a lot of people who have done this and there isn't a lot
> of documentation to go on. In any case, I have successfully compiled
> the Asus kernel to support IPsec and installed Strongswan.
>
> I am using the example Win7 config on the Wiki:
> http://wiki.strongswan.org/projects/strongswan/wiki/Win7EapMultipleConfig
>
> ipsec.conf: The only change I made was "leftid=@vpn.strongswan.org" in
> the example to " leftid=@MYHOSTNAME.dyndns.org".
> ipsec.secrets: Using same file as example with the 'carol' and 'dave'
> test accounts.
> strongswan.conf: Changed to my own DNS/NBNS servers but otherwise
> identical to the example.
>
> $ diff strongswan.conf strongswan.conf.win7.orig
> < dns1 = 192.168.0.3
> < nbns1 = 192.168.0.3
> ---
> > dns1 = 62.2.17.60
> > dns2 = 62.2.24.162
> > nbns1 = 10.10.1.1
> > nbns2 = 10.10.0.1
>
> The client is a Windows 7 PC.
>
> The syslog shows (starting with connection attempt):
>
> Sep 27 10:26:02 RT-N16 syslog: 15[NET] received packet: from 70.139.113.210[500] to 50.162.106.134[500] (528 bytes)
> Sep 27 10:26:02 RT-N16 syslog: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
> Sep 27 10:26:02 RT-N16 syslog: 15[IKE] 70.139.113.210 is initiating an IKE_SA
> Sep 27 10:26:02 RT-N16 syslog: 15[IKE] 70.139.113.210 is initiating an IKE_SA
> Sep 27 10:26:02 RT-N16 syslog: 15[IKE] remote host is behind NAT
> Sep 27 10:26:02 RT-N16 syslog: 15[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
> Sep 27 10:26:02 RT-N16 syslog: 15[NET] sending packet: from 50.162.106.134[500] to 70.139.113.210[500] (312 bytes)
> Sep 27 10:26:02 RT-N16 syslog: 16[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (892 bytes)
> Sep 27 10:26:02 RT-N16 syslog: 16[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV) SA TSi TSr ]
> Sep 27 10:26:02 RT-N16 syslog: 16[IKE] received cert request for "C=CH, O=strongSwan, CN=pkiCA"
> Sep 27 10:26:02 RT-N16 syslog: 16[IKE] received 31 cert requests for an unknown ca
> Sep 27 10:26:02 RT-N16 syslog: 16[CFG] looking for peer configs matching 50.162.106.134[%any]...70.139.113.210[192.168.1.183]
> Sep 27 10:26:02 RT-N16 syslog: 16[CFG] selected peer config 'win7'
> Sep 27 10:26:02 RT-N16 syslog: 16[IKE] initiating EAP_IDENTITY method (id 0x00)
> Sep 27 10:26:02 RT-N16 syslog: 16[IKE] peer supports MOBIKE
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of 'MYHOSTNAME.dyndns.org' (myself) with RSA signature successful
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] sending end entity cert "C=CH, O=strongSwan, CN=MYHOSTNAME.dyndns.org"
> Sep 27 10:26:03 RT-N16 syslog: 16[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
> Sep 27 10:26:03 RT-N16 syslog: 16[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (1212 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 14[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (92 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 14[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] received EAP identity 'dave'
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] initiating EAP_MSCHAPV2 method (id 0xDB)
> Sep 27 10:26:03 RT-N16 syslog: 14[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
> Sep 27 10:26:03 RT-N16 syslog: 14[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (108 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 13[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (140 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
> Sep 27 10:26:03 RT-N16 syslog: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
> Sep 27 10:26:03 RT-N16 syslog: 13[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (140 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 15[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (76 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 15[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
> Sep 27 10:26:03 RT-N16 syslog: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
> Sep 27 10:26:03 RT-N16 syslog: 15[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
> Sep 27 10:26:03 RT-N16 syslog: 15[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (76 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 16[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (92 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 16[ENC] parsed IKE_AUTH request 5 [ AUTH ]
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of '192.168.1.183' with EAP successful
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of 'MYHOSTNAME.dyndns.org' (myself) with EAP
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] IKE_SA win7[1] established between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] IKE_SA win7[1] established between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] peer requested virtual IP %any
> Sep 27 10:26:03 RT-N16 syslog: 16[CFG] assigning new lease to 'dave'
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] assigning virtual IP 10.10.3.1 to peer 'dave'
> Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI ce0f9914: Function not implemented (89)
> Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI 146ce921: Function not implemented (89)
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
> Sep 27 10:26:03 RT-N16 syslog: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
> Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to delete SAD entry with SPI 146ce921: No such process (3)
> Sep 27 10:26:03 RT-N16 syslog: 16[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS NBNS) N(MOBIKE_SUP) N(ADD_4_ADDR) N(NO_PROP) ]
> Sep 27 10:26:03 RT-N16 syslog: 16[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (156 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 14[NET] received packet: from 70.139.113.210[4500] to 50.162.106.134[4500] (76 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 14[ENC] parsed INFORMATIONAL request 6 [ D ]
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] received DELETE for IKE_SA win7[1]
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] deleting IKE_SA win7[1] between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] deleting IKE_SA win7[1] between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] IKE_SA deleted
> Sep 27 10:26:03 RT-N16 syslog: 14[IKE] IKE_SA deleted
> Sep 27 10:26:03 RT-N16 syslog: 14[ENC] generating INFORMATIONAL response 6 [ ]
> Sep 27 10:26:03 RT-N16 syslog: 14[NET] sending packet: from 50.162.106.134[4500] to 70.139.113.210[4500] (76 bytes)
> Sep 27 10:26:03 RT-N16 syslog: 14[CFG] lease 10.10.3.1 by 'dave' went offline
>
> Thank you for any assistance!
>
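The failure pattern in this thread, as an added example that is not from the post and not strongSwan's own code: a small Python triage script that parses charon's `[KNL]` lines, keys the errno on the strerror() text rather than the number (the number is architecture-specific; 89 is ENOSYS on MIPS, where x86 would print 38), separates an IKE-level failure from a CHILD_SA install failure, and then checks a kernel `.config` for the options an ESP tunnel with AES-CBC/3DES and HMAC-SHA1 needs. The reading of ENOSYS as "algorithm not found" comes from `attach_one_algo()` in 2.6-era `net/xfrm/xfrm_user.c`, which returns `-ENOSYS` when the algorithm lookup that the quoted `xfrm_algo.c` snippet performs comes back empty; the thread itself does not state this. The sample log is condensed from the lines quoted above; the sample `.config` and the assumed proposal set (`REQUIRED_CONFIG`) are constructed for the example, not taken from the router.

```python
"""Triage a strongSwan charon syslog excerpt for kernel SA-install failures.

Added example for the mailing-list thread; not strongSwan code and not from
the original post. All sample inputs below are constructed.
"""
import re

# Constructed sample: the decisive lines from the thread, condensed.
SAMPLE_LOG = """\
Sep 27 10:26:02 RT-N16 syslog: 15[IKE] 70.139.113.210 is initiating an IKE_SA
Sep 27 10:26:03 RT-N16 syslog: 15[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] authentication of '192.168.1.183' with EAP successful
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] IKE_SA win7[1] established between 50.162.106.134[MYHOSTNAME.dyndns.org]...70.139.113.210[192.168.1.183]
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] assigning virtual IP 10.10.3.1 to peer 'dave'
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI ce0f9914: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to add SAD entry with SPI 146ce921: Function not implemented (89)
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Sep 27 10:26:03 RT-N16 syslog: 16[IKE] failed to establish CHILD_SA, keeping IKE_SA
Sep 27 10:26:03 RT-N16 syslog: 16[KNL] unable to delete SAD entry with SPI 146ce921: No such process (3)
Sep 27 10:26:03 RT-N16 syslog: 14[IKE] received DELETE for IKE_SA win7[1]
"""

# Constructed, hypothetical router .config with the AES cipher left out; the
# thread does not show the real one.
SAMPLE_CONFIG = """\
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
CONFIG_NET_KEY=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_DES=y
# CONFIG_CRYPTO_AES is not set
"""

LINE_RE = re.compile(r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
SAD_RE = re.compile(
    r"unable to (?P<op>add|delete) SAD entry with SPI (?P<spi>[0-9a-f]+): "
    r"(?P<text>.+?) \((?P<num>\d+)\)$")

# Key on the strerror() text, not the number: errno values differ per
# architecture (ENOSYS is 38 on x86 but 89 on MIPS, as this router shows).
ERRNO_BY_TEXT = {
    "Function not implemented": "ENOSYS",
    "No such process": "ESRCH",
    "Invalid argument": "EINVAL",
    "File exists": "EEXIST",
}

# Meaning of each code for an XFRM "add SA" request. The ENOSYS entry is my
# reading of attach_one_algo() in 2.6-era net/xfrm/xfrm_user.c, which returns
# -ENOSYS when the named algorithm is not found through the kernel crypto API.
ADD_SA_VERDICT = {
    "ENOSYS": "kernel has no implementation of a negotiated ESP algorithm",
    "EINVAL": "kernel rejected the SA parameters (mode, family or key length)",
    "EEXIST": "an SA with this SPI already exists in the SAD",
}

# Options for ESP tunnel mode with AES-CBC/3DES and HMAC-SHA1. This proposal
# set is an assumption for the example, not something the thread states.
REQUIRED_CONFIG = [
    "CONFIG_XFRM_USER", "CONFIG_NET_KEY", "CONFIG_INET_ESP",
    "CONFIG_INET_XFRM_MODE_TUNNEL", "CONFIG_CRYPTO_HMAC", "CONFIG_CRYPTO_SHA1",
    "CONFIG_CRYPTO_CBC", "CONFIG_CRYPTO_AES", "CONFIG_CRYPTO_DES",
]


def parse_sad_errors(log_text):
    """Return [(op, spi, errno_name, errno_num)] for every KNL SAD failure."""
    errors = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("group") != "KNL":
            continue
        s = SAD_RE.match(m.group("msg"))
        if s:
            name = ERRNO_BY_TEXT.get(s.group("text"), "E?")
            errors.append((s.group("op"), s.group("spi"), name, int(s.group("num"))))
    return errors


def triage(log_text):
    """Say whether the attempt died at the IKE layer or at kernel SA install."""
    ike_up = "IKE_SA" in log_text and "established between" in log_text
    child_failed = "failed to establish CHILD_SA" in log_text
    errors = parse_sad_errors(log_text)
    add_codes = {e[2] for e in errors if e[0] == "add"}
    # A failed delete right after a failed add is cleanup noise (ESRCH: the
    # SA never existed), so only the add failures count as causes.
    causes = [ADD_SA_VERDICT.get(c, "unclassified kernel error " + c)
              for c in sorted(add_codes)]
    layer = "kernel" if child_failed and add_codes else ("ike" if not ike_up else "ok")
    return {
        "ike_sa_established": ike_up,
        "child_sa_failed": child_failed,
        "failed_spis": sorted(e[1] for e in errors if e[0] == "add"),
        "causes": causes,
        "layer": layer,
    }


def missing_kernel_options(config_text, required=REQUIRED_CONFIG):
    """Return the required CONFIG_* symbols that are neither =y nor =m."""
    enabled = set()
    for line in config_text.splitlines():
        m = re.match(r"(CONFIG_\w+)=(y|m)$", line.strip())
        if m:
            enabled.add(m.group(1))
    return [opt for opt in required if opt not in enabled]


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print("missing:", missing_kernel_options(SAMPLE_CONFIG))
```

On a real router the same checks are run against `/var/log/messages` and the kernel's `.config` (or `/proc/config.gz` where it is enabled); the point of the split is that an ENOSYS on SA install after a fully successful IKE_AUTH exchange is a kernel build question, not an ipsec.conf or EAP question.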