[strongSwan] Netlink error Invalid Argument(22)

Thomas Egerer hakke_007 at gmx.de
Mon Sep 16 22:43:40 CEST 2013


On 09/16/2013 03:44 PM, A Lee wrote:
> Hi,
> 
> I have been trying to set up an ikev1 tunnel with ESP and authentication
> algorithm SHA256.
> 
> The IKE tunnel is being created fine. But in quick mode exchange when it
> receives the packet with Authentication algorithm as SHA256 (attribute
> value 5), this error is happening.
> 
> According to the strongSwan documentation sha256 is supported.
> 
> Can anybody help me out with this one?
> 
> I am pasting portion of pluto log and also the ipsec.conf file.
> 
> PLUTO-LOG
> ------------------
> 
>  HASH(2) computed:
> |   af da 55 9b  5f 40 52 a8  b8 75 b3 04  67 c1 ec 1b
> |   39 bc 5c ca  96 ae c1 10  4b fe bb d1  2f ea f6 27
> | kernel_alg_esp_enc_keylen(): alg_id=3, keylen=24
> | kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32
> | KEYMAT computed:
> |   a4 85 19 78  5c a1 b7 2b  b2 f4 ce ac  fd 50 6e 12
> |   f5 dc 18 9a  ac fc 2d 38  08 da ba 4d  80 40 2e f3
> |   b8 50 7a 33  2b 96 9b 3e  6a ff c1 9a  f5 6e d1 20
> |   20 72 6e d7  7f d9 66 15
> | install_inbound_ipsec_sa() checking if we can route
> | route owner of "conn1" unrouted: NULL; eroute owner: NULL
> | kernel_alg_esp_info():transid=3, auth=5, ei=0x80b7ae8, enckeylen=24,
> authkeylen=32, encryptalg=3, authalg=5
> | adding SAD entry with SPI c5ad47ee and reqid {16384}
> |   using encryption algorithm 3DES_CBC with key size 192
> |   using integrity algorithm HMAC_SHA2_256_128 with key size 256
> | sending XFRM_MSG_UPDSA: => 440 bytes @ 0xbff65fd8
>    0: B8 01 00 00 1A 00 05 00 CA 00 00 00 12 24 00 00  .............$..
>   16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   64: 00 00 00 00 00 00 00 00 0A 0A 0A 14 00 00 00 00  ................
>   80: 00 00 00 00 00 00 00 00 C5 AD 47 EE 32 00 00 00  ..........G.2...
>   96: 0A 0A 0A 32 00 00 00 00 00 00 00 00 00 00 00 00  ...2............
>  112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
>  128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
>  144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  224: 00 40 00 00 02 00 01 20 20 00 00 00 60 00 02 00  .@.....  ...`...
>  240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00  des3_ede........
>  256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  304: C0 00 00 00 A4 85 19 78 5C A1 B7 2B B2 F4 CE AC  .......x\..+....
>  320: FD 50 6E 12 F5 DC 18 9A AC FC 2D 38 6C 00 14 00  .Pn.......-8l...
>  336: 68 6D 61 63 28 73 68 61 32 35 36 29 00 00 00 00  hmac(sha256)....
>  352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  400: 00 01 00 00 80 00 00 00 08 DA BA 4D 80 40 2E F3  ...........M.@..
>  416: B8 50 7A 33 2B 96 9B 3E 6A FF C1 9A F5 6E D1 20  .Pz3+..>j....n.
>  432: 20 72 6E D7 7F D9 66 15                           rn...f.
> received netlink error: Invalid argument (22)
> unable to add SAD entry with SPI c5ad47ee
> | state transition function for STATE_QUICK_R0 had internal error
> | next event EVENT_SO_DISCARD in 0 seconds for #2
> |
> | *time to handle event
> | event after this is EVENT_SA_REPLACE in 1165 seconds
> | ICOOKIE:  85 22 00 00  85 22 00 00
> | RCOOKIE:  3b 12 6a 76  de 5f 2c 0c
> | peer:  0a 0a 0a 32
> | state hash entry 22
> | next event EVENT_SA_REPLACE in 1165 seconds for #1
> | received a XFRM_MSG_EXPIRE
> |
> 
> ipsec.conf
> ----------------
> config setup
>         interfaces="ipsec0=eth1"
>         klipsdebug=all
>         uniqueids=yes
>         charonstart=no
>         plutodebug=all
>         plutostart=yes
>         plutostderrlog="/etc/pluto.log"
> conn %default
>   ikelifetime=20m
>   keylife=10m
>   rekeymargin=1m
>   keyingtries=1
>   forceencaps=yes
>   reauth=no
>   mobike=no
> conn conn1
>   type=tunnel
>   left=10.10.10.20
>   leftid=%any
>   leftsubnet=20.0.2.20/32
>   right=10.10.10.50
>   rightid=%any
>   pfs=no
>   pfsgroup=modp1024
>   ike=3des-sha256-modp1024
>   esp=3des-sha256-modp1024
>   auto=add
>   auth=esp
>   authby=secret
>   keyexchange=ikev1
Hi,

which kernel-version are you using (uname -v), and is there
a chance you don't have sha2 support enabled in your kernel?
Try 'grep sha2 /proc/crypto'

Cheers,
Thomas
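To read what pluto actually handed to the kernel, here is an added decoder (my own example, not strongSwan/pluto code) for the XFRM_MSG_UPDSA dump quoted above; it assumes the 32-bit struct xfrm_usersa_info layout (the 0xbff65fd8 buffer address in the log points to an i386 host) and walks the netlink attributes, which shows the integrity algorithm being requested as XFRMA_ALG_AUTH_TRUNC hmac(sha256) with a 256-bit key truncated to 128 bits.

```python
import struct
from ipaddress import IPv4Address

# The 440-byte XFRM_MSG_UPDSA from the pluto log above, re-entered from the hex
# dump (runs of zero bytes collapsed with bytes(n); nothing else changed).
MSG = (bytes.fromhex("B80100001A000500CA00000012240000") + bytes(48)
       + bytes.fromhex("00000000000000000A0A0A1400000000")
       + bytes.fromhex("0000000000000000C5AD47EE32000000")
       + bytes.fromhex("0A0A0A32000000000000000000000000") + b"\xff" * 32 + bytes(80)
       + bytes.fromhex("00400000020001202000000060000200")
       + b"des3_ede" + bytes(56) + bytes.fromhex("C0000000A48519785CA1B72BB2F4CEAC")
       + bytes.fromhex("FD506E12F5DC189AACFC2D386C001400")
       + b"hmac(sha256)" + bytes(52) + bytes.fromhex("000100008000000008DABA4D80402EF3")
       + bytes.fromhex("B8507A332B969B3E6AFFC19AF56ED120") + bytes.fromhex("20726ED77FD96615"))

XFRM_MSG_UPDSA = 26
USERSA_INFO_LEN = 220   # sizeof(struct xfrm_usersa_info) on i386 (assumed; it is 224 on x86_64)
ATTR_NAMES = {2: "XFRMA_ALG_CRYPT", 20: "XFRMA_ALG_AUTH_TRUNC"}

def parse_updsa(msg):
    """Return the SA identity and the algorithm attributes pluto asked the kernel to install."""
    nlmsg_len, nlmsg_type = struct.unpack_from("<IH", msg, 0)   # struct nlmsghdr
    if nlmsg_type != XFRM_MSG_UPDSA or nlmsg_len != len(msg):
        raise ValueError("not a complete XFRM_MSG_UPDSA")
    info = msg[16:16 + USERSA_INFO_LEN]              # struct xfrm_usersa_info follows the header
    daddr = IPv4Address(info[56:60])                 # xfrm_id.daddr sits right after the 56-byte selector
    spi, proto = struct.unpack_from(">IB", info, 72) # spi is __be32 (network order); proto 50 = ESP
    saddr = IPv4Address(info[80:84])
    reqid, = struct.unpack_from("<I", info, 208)
    sa = {"src": str(saddr), "dst": str(daddr), "spi": f"{spi:08x}",
          "proto": proto, "reqid": reqid, "algs": []}
    off = 16 + USERSA_INFO_LEN                       # netlink attributes start after the struct
    while off + 4 <= nlmsg_len:
        alen, atype = struct.unpack_from("<HH", msg, off)   # struct nlattr: nla_len, nla_type
        payload = msg[off + 4:off + alen]
        name = payload[:64].split(b"\0", 1)[0].decode()     # alg_name[64] is NUL-padded
        if atype == 2:        # struct xfrm_algo: alg_name[64], alg_key_len (bits), key[]
            key_bits, = struct.unpack_from("<I", payload, 64)
            sa["algs"].append((ATTR_NAMES[atype], name, key_bits, None))
        elif atype == 20:     # struct xfrm_algo_auth: alg_name[64], alg_key_len, alg_trunc_len (bits), key[]
            key_bits, trunc_bits = struct.unpack_from("<II", payload, 64)
            sa["algs"].append((ATTR_NAMES[atype], name, key_bits, trunc_bits))
        off += (alen + 3) & ~3                       # NLA_ALIGN: attributes are 4-byte aligned
    return sa

if __name__ == "__main__":
    print(parse_updsa(MSG))
```

The decoded algorithm names are exactly the strings the kernel must resolve, so comparing them against the `name` entries in /proc/crypto is the direct follow-up to the check suggested above.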