[strongSwan] Netlink error Invalid Argument(22)
A Lee
aganguly14 at gmail.com
Tue Sep 17 05:44:14 CEST 2013
Hi,
Thanks for the reply.
My kernel is 2.6.18-128.el5
Also sha2 support is there.
output of 'grep sha2 /proc/crypto' is ----
name: sha256
driver: sha256-generic
module: sha256
Also I have tried lsmod and the sha256 module is loaded.
Output of lsmod-------------
Module Size Used by
sha256 15297 0
xfrm4_mode_tunnel 6849 0
krng 6081 1
ansi_cprng 9413 0
chainiv 9153 0
rng 7625 3 krng,ansi_cprng,chainiv
authenc 10433 0
testmgr_cipher 6849 0
des 20417 0
cbc 8257 0
md5 8129 0
hmac 8769 0
crypto_hash 6337 1 hmac
testmgr 44593 1 testmgr_cipher
crypto_blkcipher 17601 4 chainiv,authenc,cbc,testmgr
cryptomgr 7617 0
deflate 7873 0
zlib_deflate 21977 1 deflate
xfrm4_tunnel 6593 0
tunnel4 7365 1 xfrm4_tunnel
ipcomp 11465 0
esp4 12353 0
xfrm4_esp 9793 1 esp4
aead 11841 3 authenc,testmgr,esp4
crypto_algapi 22849 10 krng,ansi_cprng,chainiv,authenc,cbc,hmac,testmgr,crypto_blkcipher,cryptomgr,aead
ah4 10305 0
af_key 40785 0
autofs4 24261 2
hidp 23105 2
rfcomm 42457 0
l2cap 29505 10 hidp,rfcomm
bluetooth 53797 5 hidp,rfcomm,l2cap
sunrpc 144765 1
ipt_REJECT 9537 0
ip6t_REJECT 9409 1
xt_tcpudp 7105 6
ip6table_filter 6849 1
ip6_tables 18053 1 ip6table_filter
x_tables 17349 4 ipt_REJECT,ip6t_REJECT,xt_tcpudp,ip6_tables
dm_multipath 24013 0
scsi_dh 11713 1 dm_multipath
video 21193 0
hwmon 7365 0
backlight 10049 1 video
sbs 18533 0
i2c_ec 9025 1 sbs
button 10705 0
battery 13637 0
asus_acpi 19289 0
ac 9157 0
ipv6 261473 31 ip6t_REJECT
xfrm_nalgo 13381 4 esp4,xfrm4_esp,ah4,ipv6
crypto_api 12609 9 rng,authenc,testmgr,crypto_blkcipher,esp4,aead,crypto_algapi,ah4,xfrm_nalgo
lp 15849 0
sg 36189 0
snd_intel8x0 35421 1
snd_ac97_codec 93025 1 snd_intel8x0
ac97_bus 6337 1 snd_ac97_codec
snd_seq_dummy 7877 0
snd_seq_oss 32577 0
snd_seq_midi_event 11073 1 snd_seq_oss
snd_seq 49585 5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device 11725 3 snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss 42817 0
ide_cd 40161 0
snd_mixer_oss 19009 1 snd_pcm_oss
i2c_piix4 12237 0
serio_raw 10693 0
cdrom 36577 1 ide_cd
i2c_core 23745 2 i2c_ec,i2c_piix4
snd_pcm 72133 3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss
snd_timer 24517 2 snd_seq,snd_pcm
snd 55237 11 snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
parport_pc 29157 0
e1000 115285 0
soundcore 11553 1 snd
pcspkr 7105 0
parport 37513 2 lp,parport_pc
snd_page_alloc 14281 2 snd_intel8x0,snd_pcm
dm_raid45 66509 0
dm_message 6977 1 dm_raid45
dm_region_hash 15681 1 dm_raid45
dm_mem_cache 9537 1 dm_raid45
dm_snapshot 22245 0
dm_zero 6209 0
dm_mirror 22981 0
dm_log 14529 3 dm_raid45,dm_region_hash,dm_mirror
dm_mod 62201 11 dm_multipath,dm_raid45,dm_snapshot,dm_zero,dm_mirror,dm_log
ata_piix 23621 0
ahci 34377 2
libata 156677 2 ata_piix,ahci
sd_mod 25153 3
scsi_mod 141589 4 scsi_dh,sg,libata,sd_mod
ext3 124233 2
jbd 56937 1 ext3
uhci_hcd 25421 0
ohci_hcd 24681 0
ehci_hcd 33357 0
Any help would be great.
Thanks and Regards,
Avishek Ganguly.
On Tue, Sep 17, 2013 at 2:13 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:
> On 09/16/2013 03:44 PM, A Lee wrote:
> > Hi,
> >
> > I have been trying to setup a ikev1 tunnel with ESP and authentication
> > algorithm SHA256.
> >
> > The IKE tunnel is being created fine. But in quick mode exchange when it
> > receives the packet with Authentication algorithm as SHA256 (attribute
> > value 5), this error is happening.
> >
> > According to strong swan documentation sha256 is supported.
> >
> > Can anybody help me out with this one?
> >
> > I am pasting portion of pluto log and also the ipsec.conf file.
> >
> > PLUTO-LOG
> > ------------------
> >
> > HASH(2) computed:
> > | af da 55 9b 5f 40 52 a8 b8 75 b3 04 67 c1 ec 1b
> > | 39 bc 5c ca 96 ae c1 10 4b fe bb d1 2f ea f6 27
> > | kernel_alg_esp_enc_keylen(): alg_id=3, keylen=24
> > | kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32
> > | KEYMAT computed:
> > | a4 85 19 78 5c a1 b7 2b b2 f4 ce ac fd 50 6e 12
> > | f5 dc 18 9a ac fc 2d 38 08 da ba 4d 80 40 2e f3
> > | b8 50 7a 33 2b 96 9b 3e 6a ff c1 9a f5 6e d1 20
> > | 20 72 6e d7 7f d9 66 15
> > | install_inbound_ipsec_sa() checking if we can route
> > | route owner of "conn1" unrouted: NULL; eroute owner: NULL
> > | kernel_alg_esp_info():transid=3, auth=5, ei=0x80b7ae8, enckeylen=24, authkeylen=32, encryptalg=3, authalg=5
> > | adding SAD entry with SPI c5ad47ee and reqid {16384}
> > | using encryption algorithm 3DES_CBC with key size 192
> > | using integrity algorithm HMAC_SHA2_256_128 with key size 256
> > | sending XFRM_MSG_UPDSA: => 440 bytes @ 0xbff65fd8
> > 0: B8 01 00 00 1A 00 05 00 CA 00 00 00 12 24 00 00 .............$..
> > 16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 64: 00 00 00 00 00 00 00 00 0A 0A 0A 14 00 00 00 00 ................
> > 80: 00 00 00 00 00 00 00 00 C5 AD 47 EE 32 00 00 00 ..........G.2...
> > 96: 0A 0A 0A 32 00 00 00 00 00 00 00 00 00 00 00 00 ...2............
> > 112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> > 128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> > 144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 224: 00 40 00 00 02 00 01 20 20 00 00 00 60 00 02 00 .@.....  ...`...
> > 240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00 des3_ede........
> > 256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 304: C0 00 00 00 A4 85 19 78 5C A1 B7 2B B2 F4 CE AC .......x\..+....
> > 320: FD 50 6E 12 F5 DC 18 9A AC FC 2D 38 6C 00 14 00 .Pn.......-8l...
> > 336: 68 6D 61 63 28 73 68 61 32 35 36 29 00 00 00 00 hmac(sha256)....
> > 352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> > 400: 00 01 00 00 80 00 00 00 08 DA BA 4D 80 40 2E F3 ...........M.@..
> > 416: B8 50 7A 33 2B 96 9B 3E 6A FF C1 9A F5 6E D1 20 .Pz3+..>j....n.
> > 432: 20 72 6E D7 7F D9 66 15 rn...f.
> > received netlink error: Invalid argument (22)
> > unable to add SAD entry with SPI c5ad47ee
> > | state transition function for STATE_QUICK_R0 had internal error
> > | next event EVENT_SO_DISCARD in 0 seconds for #2
> > |
> > | *time to handle event
> > | event after this is EVENT_SA_REPLACE in 1165 seconds
> > | ICOOKIE: 85 22 00 00 85 22 00 00
> > | RCOOKIE: 3b 12 6a 76 de 5f 2c 0c
> > | peer: 0a 0a 0a 32
> > | state hash entry 22
> > | next event EVENT_SA_REPLACE in 1165 seconds for #1
> > | received a XFRM_MSG_EXPIRE
> > |
> >
> > ipsec.conf
> > ----------------
> > config setup
> > interfaces="ipsec0=eth1"
> > klipsdebug=all
> > uniqueids=yes
> > charonstart=no
> > plutodebug=all
> > plutostart=yes
> > plutostderrlog="/etc/pluto.log"
> > conn %default
> > ikelifetime=20m
> > keylife=10m
> > rekeymargin=1m
> > keyingtries=1
> > forceencaps=yes
> > reauth=no
> > mobike=no
> > conn conn1
> > type=tunnel
> > left=10.10.10.20
> > leftid=%any
> > leftsubnet=20.0.2.20/32
> > right=10.10.10.50
> > rightid=%any
> > pfs=no
> > pfsgroup=modp1024
> > ike=3des-sha256-modp1024
> > esp=3des-sha256-modp1024
> > auto=add
> > auth=esp
> > authby=secret
> > keyexchange=ikev1
> Hi,
>
> which kernel-version are you using (uname -v), and is there
> a chance you don't have sha2 support enabled in your kernel?
> Try 'grep sha2 /proc/crypto'
>
> Cheers,
> Thomas
>
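
The algorithm attributes at the end of the XFRM_MSG_UPDSA dump quoted above can be decoded by hand to see exactly what was requested from the kernel. The following is an added example, not part of the original thread and not strongSwan code; it assumes the little-endian layout visible in the dump and the struct layouts and attribute numbers from linux/xfrm.h, and the key bytes are replaced by zeros.

```python
import struct

# Attribute numbers from enum xfrm_attr_type_t in linux/xfrm.h.
XFRMA = {1: "XFRMA_ALG_AUTH", 2: "XFRMA_ALG_CRYPT", 20: "XFRMA_ALG_AUTH_TRUNC"}

# Attribute region of the quoted dump (offsets 236-439), rebuilt from its
# header bytes and algorithm names; key bytes are zeroed (constructed input).
ATTRS = (
    bytes.fromhex("60000200") + b"des3_ede".ljust(64, b"\0")
    + bytes.fromhex("c0000000") + bytes(24)
    + bytes.fromhex("6c001400") + b"hmac(sha256)".ljust(64, b"\0")
    + bytes.fromhex("0001000080000000") + bytes(32)
)

def parse_attrs(buf):
    """Walk struct rtattr TLVs: u16 len, u16 type, payload, 4-byte aligned."""
    off = 0
    while off + 4 <= len(buf):
        rta_len, rta_type = struct.unpack_from("<HH", buf, off)
        if rta_len < 4 or off + rta_len > len(buf):
            raise ValueError(f"malformed rtattr at offset {off}")
        yield rta_type, buf[off + 4:off + rta_len]
        off += (rta_len + 3) & ~3

def decode_algo(rta_type, payload):
    """Decode struct xfrm_algo, or xfrm_algo_auth for the _TRUNC attribute."""
    name = payload[:64].split(b"\0", 1)[0].decode("ascii")
    (key_bits,) = struct.unpack_from("<I", payload, 64)
    info = {"attr": XFRMA[rta_type], "name": name, "key_bits": key_bits}
    key_off = 68
    if rta_type == 20:  # xfrm_algo_auth puts alg_trunc_len before the key
        (info["trunc_bits"],) = struct.unpack_from("<I", payload, 68)
        key_off = 72
    # The remaining payload must be exactly the key the header announces.
    info["key_len_ok"] = len(payload) - key_off == (key_bits + 7) // 8
    return info

def decode_sa_algos(buf=ATTRS):
    """Return one dict per algorithm attribute found in the buffer."""
    return [decode_algo(t, p) for t, p in parse_attrs(buf) if t in XFRMA]

if __name__ == "__main__":
    for row in decode_sa_algos():
        print(row)
```

The integrity algorithm is carried in attribute type 20 (XFRMA_ALG_AUTH_TRUNC) with a 128-bit truncation length rather than in type 1 (XFRMA_ALG_AUTH); whether a given kernel accepts that attribute can be checked against XFRMA_MAX in its own linux/xfrm.h.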