[strongSwan] Netlink error Invalid Argument(22)
A Lee
aganguly14 at gmail.com
Mon Sep 16 15:44:20 CEST 2013
Hi,
I have been trying to set up an IKEv1 tunnel with ESP and authentication
algorithm SHA256.
The IKE tunnel is being created fine. But in the quick mode exchange, when it
receives the packet with the authentication algorithm as SHA256 (attribute
value 5), this error happens.
According to the strongSwan documentation, sha256 is supported.
Can anybody help me out with this one?
I am pasting a portion of the pluto log and also the ipsec.conf file.
PLUTO-LOG
------------------
HASH(2) computed:
| af da 55 9b 5f 40 52 a8 b8 75 b3 04 67 c1 ec 1b
| 39 bc 5c ca 96 ae c1 10 4b fe bb d1 2f ea f6 27
| kernel_alg_esp_enc_keylen(): alg_id=3, keylen=24
| kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32
| KEYMAT computed:
| a4 85 19 78 5c a1 b7 2b b2 f4 ce ac fd 50 6e 12
| f5 dc 18 9a ac fc 2d 38 08 da ba 4d 80 40 2e f3
| b8 50 7a 33 2b 96 9b 3e 6a ff c1 9a f5 6e d1 20
| 20 72 6e d7 7f d9 66 15
| install_inbound_ipsec_sa() checking if we can route
| route owner of "conn1" unrouted: NULL; eroute owner: NULL
| kernel_alg_esp_info():transid=3, auth=5, ei=0x80b7ae8, enckeylen=24, authkeylen=32, encryptalg=3, authalg=5
| adding SAD entry with SPI c5ad47ee and reqid {16384}
| using encryption algorithm 3DES_CBC with key size 192
| using integrity algorithm HMAC_SHA2_256_128 with key size 256
| sending XFRM_MSG_UPDSA: => 440 bytes @ 0xbff65fd8
received netlink error: Invalid argument (22)
unable to add SAD entry with SPI c5ad47ee
| state transition function for STATE_QUICK_R0 had internal error
| next event EVENT_SO_DISCARD in 0 seconds for #2
|
| *time to handle event
| event after this is EVENT_SA_REPLACE in 1165 seconds
| ICOOKIE: 85 22 00 00 85 22 00 00
| RCOOKIE: 3b 12 6a 76 de 5f 2c 0c
| peer: 0a 0a 0a 32
| state hash entry 22
| next event EVENT_SA_REPLACE in 1165 seconds for #1
| received a XFRM_MSG_EXPIRE
|
ipsec.conf
----------------
config setup
        interfaces="ipsec0=eth1"
        klipsdebug=all
        uniqueids=yes
        charonstart=no
        plutodebug=all
        plutostart=yes
        plutostderrlog="/etc/pluto.log"

conn %default
        ikelifetime=20m
        keylife=10m
        rekeymargin=1m
        keyingtries=1
        forceencaps=yes
        reauth=no
        mobike=no

conn conn1
        type=tunnel
        left=10.10.10.20
        leftid=%any
        leftsubnet=20.0.2.20/32
        right=10.10.10.50
        rightid=%any
        pfs=no
        pfsgroup=modp1024
        ike=3des-sha256-modp1024
        esp=3des-sha256-modp1024
        auto=add
        auth=esp
        authby=secret
        keyexchange=ikev1

Thanks and Regards,
Avishek Ganguly
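
Added example (not part of the original post, and not strongSwan code): a small decoder for the algorithm attributes carried in an XFRM_MSG_UPDSA request like the one logged above, to check exactly which algorithm name, key length and truncation length the kernel was asked to install. Attribute numbers and struct layouts follow linux/xfrm.h; the sample bytes are constructed with zeroed keys, and the function names are hypothetical.

```python
import struct

# Attribute type numbers from linux/xfrm.h
XFRMA_ALG_AUTH, XFRMA_ALG_CRYPT, XFRMA_ALG_AUTH_TRUNC = 1, 2, 20
NAME_LEN = 64  # size of alg_name[] in struct xfrm_algo / xfrm_algo_auth


def nla(attr_type, payload):
    """Build one netlink attribute: 4-byte header, payload padded to 4 bytes."""
    length = 4 + len(payload)
    return struct.pack("=HH", length, attr_type) + payload + b"\0" * (-length % 4)


def parse_sa_algos(attrs):
    """Walk the attributes that follow xfrm_usersa_info and decode the algorithms."""
    found, off = [], 0
    while off + 4 <= len(attrs):
        length, attr_type = struct.unpack_from("=HH", attrs, off)
        if length < 4 or off + length > len(attrs):
            raise ValueError(f"malformed attribute at offset {off}")
        body = attrs[off + 4: off + length]
        if attr_type in (XFRMA_ALG_AUTH, XFRMA_ALG_CRYPT, XFRMA_ALG_AUTH_TRUNC):
            has_trunc = attr_type == XFRMA_ALG_AUTH_TRUNC
            hdr = NAME_LEN + (8 if has_trunc else 4)
            if len(body) < hdr:
                raise ValueError("algorithm attribute too short")
            name = body[:NAME_LEN].split(b"\0", 1)[0].decode("ascii")
            key_bits = struct.unpack_from("=I", body, NAME_LEN)[0]
            trunc_bits = struct.unpack_from("=I", body, NAME_LEN + 4)[0] if has_trunc else None
            if len(body) - hdr != (key_bits + 7) // 8:
                raise ValueError(f"{name}: key length field does not match payload")
            found.append({"type": attr_type, "name": name,
                          "key_bits": key_bits, "trunc_bits": trunc_bits})
        off += (length + 3) & ~3  # attributes are 4-byte aligned
    return found


def sample_attrs():
    """Constructed sample mirroring the log: des3_ede/192 and hmac(sha256)/256, ICV 128."""
    enc = b"des3_ede".ljust(NAME_LEN, b"\0") + struct.pack("=I", 192) + bytes(24)
    auth = b"hmac(sha256)".ljust(NAME_LEN, b"\0") + struct.pack("=II", 256, 128) + bytes(32)
    return nla(XFRMA_ALG_CRYPT, enc) + nla(XFRMA_ALG_AUTH_TRUNC, auth)


if __name__ == "__main__":
    for alg in parse_sa_algos(sample_attrs()):
        print(alg)
```

To decode a captured message, pass only the bytes that follow the 16-byte nlmsghdr and the xfrm_usersa_info structure.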