[strongSwan] Netlink error Invalid Argument(22)

A Lee aganguly14 at gmail.com
Tue Sep 17 05:44:14 CEST 2013


Hi,

Thanks for reply.

My kernel 2.6.18-128.el5

Also sha2 support is there.

output of 'grep sha2 /proc/crypto' is ----

name:         sha256
driver:          sha256-generic
module:       sha256

Also I have tried lsmod and it is sha256 module is loaded
.
Output of lsmod-------------

Module                  Size  Used by
sha256                 15297  0
xfrm4_mode_tunnel       6849  0
krng                    6081  1
ansi_cprng              9413  0
chainiv                 9153  0
rng                     7625  3 krng,ansi_cprng,chainiv
authenc                10433  0
testmgr_cipher          6849  0
des                    20417  0
cbc                     8257  0
md5                     8129  0
hmac                    8769  0
crypto_hash             6337  1 hmac
testmgr                44593  1 testmgr_cipher
crypto_blkcipher       17601  4 chainiv,authenc,cbc,testmgr
cryptomgr               7617  0
deflate                 7873  0
zlib_deflate           21977  1 deflate
xfrm4_tunnel            6593  0
tunnel4                 7365  1 xfrm4_tunnel
ipcomp                 11465  0
esp4                   12353  0
xfrm4_esp               9793  1 esp4
aead                   11841  3 authenc,testmgr,esp4
crypto_algapi          22849  10
krng,ansi_cprng,chainiv,authenc,cbc,hmac,testmgr,crypto_blkcipher,cryptomgr,aead
ah4                    10305  0
af_key                 40785  0
autofs4                24261  2
hidp                   23105  2
rfcomm                 42457  0
l2cap                  29505  10 hidp,rfcomm
bluetooth              53797  5 hidp,rfcomm,l2cap
sunrpc                144765  1
ipt_REJECT              9537  0
ip6t_REJECT             9409  1
xt_tcpudp               7105  6
ip6table_filter         6849  1
ip6_tables             18053  1 ip6table_filter
x_tables               17349  4 ipt_REJECT,ip6t_REJECT,xt_tcpudp,ip6_tables
dm_multipath           24013  0
scsi_dh                11713  1 dm_multipath
video                  21193  0
hwmon                   7365  0
backlight              10049  1 video
sbs                    18533  0
i2c_ec                  9025  1 sbs
button                 10705  0
battery                13637  0
asus_acpi              19289  0
ac                      9157  0
ipv6                  261473  31 ip6t_REJECT
xfrm_nalgo             13381  4 esp4,xfrm4_esp,ah4,ipv6
crypto_api             12609  9
rng,authenc,testmgr,crypto_blkcipher,esp4,aead,crypto_algapi,ah4,xfrm_nalgo
lp                     15849  0
sg                     36189  0
snd_intel8x0           35421  1
snd_ac97_codec         93025  1 snd_intel8x0
ac97_bus                6337  1 snd_ac97_codec
snd_seq_dummy           7877  0
snd_seq_oss            32577  0
snd_seq_midi_event     11073  1 snd_seq_oss
snd_seq                49585  5 snd_seq_dummy,snd_seq_oss,snd_seq_midi_event
snd_seq_device         11725  3 snd_seq_dummy,snd_seq_oss,snd_seq
snd_pcm_oss            42817  0
ide_cd                 40161  0
snd_mixer_oss          19009  1 snd_pcm_oss
i2c_piix4              12237  0
serio_raw              10693  0
cdrom                  36577  1 ide_cd
i2c_core               23745  2 i2c_ec,i2c_piix4
snd_pcm                72133  3 snd_intel8x0,snd_ac97_codec,snd_pcm_oss
snd_timer              24517  2 snd_seq,snd_pcm
snd                    55237  11
snd_intel8x0,snd_ac97_codec,snd_seq_oss,snd_seq,snd_seq_device,snd_pcm_oss,snd_mixer_oss,snd_pcm,snd_timer
parport_pc             29157  0
e1000                 115285  0
soundcore              11553  1 snd
pcspkr                  7105  0
parport                37513  2 lp,parport_pc
snd_page_alloc         14281  2 snd_intel8x0,snd_pcm
dm_raid45              66509  0
dm_message              6977  1 dm_raid45
dm_region_hash         15681  1 dm_raid45
dm_mem_cache            9537  1 dm_raid45
dm_snapshot            22245  0
dm_zero                 6209  0
dm_mirror              22981  0
dm_log                 14529  3 dm_raid45,dm_region_hash,dm_mirror
dm_mod                 62201  11
dm_multipath,dm_raid45,dm_snapshot,dm_zero,dm_mirror,dm_log
ata_piix               23621  0
ahci                   34377  2
libata                156677  2 ata_piix,ahci
sd_mod                 25153  3
scsi_mod              141589  4 scsi_dh,sg,libata,sd_mod
ext3                  124233  2
jbd                    56937  1 ext3
uhci_hcd               25421  0
ohci_hcd               24681  0
ehci_hcd               33357  0

Any help would be great.

Thanks and Regards,
Avishek Ganguly.



On Tue, Sep 17, 2013 at 2:13 AM, Thomas Egerer <hakke_007 at gmx.de> wrote:

> On 09/16/2013 03:44 PM, A Lee wrote:
> > Hi,
> >
> > I have been trying to setup a ikev1 tunnel with ESP and authentication
> > algorithm SHA256.
> >
> > The IKE tunnel is being created fine. But in quick mode exchange when it
> > receives the packet with Authentication algorithm as SHA256 (attribute
> > value 5), this error is happening.
> >
> > According to strong swan documentation sha256 is supported.
> >
> > Can anybody help me out with this one?
> >
> > I am pasting portion of pluto log and also the ipsec.conf file.
> >
> > PLUTO-LOG
> > ------------------
> >
> >  HASH(2) computed:
> > |   af da 55 9b  5f 40 52 a8  b8 75 b3 04  67 c1 ec 1b
> > |   39 bc 5c ca  96 ae c1 10  4b fe bb d1  2f ea f6 27
> > | kernel_alg_esp_enc_keylen(): alg_id=3, keylen=24
> > | kernel_alg_esp_auth_keylen(auth=5, sadb_aalg=5): a_keylen=32
> > | KEYMAT computed:
> > |   a4 85 19 78  5c a1 b7 2b  b2 f4 ce ac  fd 50 6e 12
> > |   f5 dc 18 9a  ac fc 2d 38  08 da ba 4d  80 40 2e f3
> > |   b8 50 7a 33  2b 96 9b 3e  6a ff c1 9a  f5 6e d1 20
> > |   20 72 6e d7  7f d9 66 15
> > | install_inbound_ipsec_sa() checking if we can route
> > | route owner of "conn1" unrouted: NULL; eroute owner: NULL
> > | kernel_alg_esp_info():transid=3, auth=5, ei=0x80b7ae8, enckeylen=24,
> > authkeylen=32, encryptalg=3, authalg=5
> > | adding SAD entry with SPI c5ad47ee and reqid {16384}
> > |   using encryption algorithm 3DES_CBC with key size 192
> > |   using integrity algorithm HMAC_SHA2_256_128 with key size 256
> > | sending XFRM_MSG_UPDSA: => 440 bytes @ 0xbff65fd8
> >    0: B8 01 00 00 1A 00 05 00 CA 00 00 00 12 24 00 00  .............$..
> >   16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   48: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   64: 00 00 00 00 00 00 00 00 0A 0A 0A 14 00 00 00 00  ................
> >   80: 00 00 00 00 00 00 00 00 C5 AD 47 EE 32 00 00 00  ..........G.2...
> >   96: 0A 0A 0A 32 00 00 00 00 00 00 00 00 00 00 00 00  ...2............
> >  112: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
> >  128: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF  ................
> >  144: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  176: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  208: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  224: 00 40 00 00 02 00 01 20 20 00 00 00 60 00 02 00  . at .....  ...`...
> >  240: 64 65 73 33 5F 65 64 65 00 00 00 00 00 00 00 00  des3_ede........
> >  256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  272: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  304: C0 00 00 00 A4 85 19 78 5C A1 B7 2B B2 F4 CE AC  .......x\..+....
> >  320: FD 50 6E 12 F5 DC 18 9A AC FC 2D 38 6C 00 14 00  .Pn.......-8l...
> >  336: 68 6D 61 63 28 73 68 61 32 35 36 29 00 00 00 00  hmac(sha256)....
> >  352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  368: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >  400: 00 01 00 00 80 00 00 00 08 DA BA 4D 80 40 2E F3  ...........M. at ..
> >  416: B8 50 7A 33 2B 96 9B 3E 6A FF C1 9A F5 6E D1 20  .Pz3+..>j....n.
> >  432: 20 72 6E D7 7F D9 66 15                           rn...f.
> > received netlink error: Invalid argument (22)
> > unable to add SAD entry with SPI c5ad47ee
> > | state transition function for STATE_QUICK_R0 had internal error
> > | next event EVENT_SO_DISCARD in 0 seconds for #2
> > |
> > | *time to handle event
> > | event after this is EVENT_SA_REPLACE in 1165 seconds
> > | ICOOKIE:  85 22 00 00  85 22 00 00
> > | RCOOKIE:  3b 12 6a 76  de 5f 2c 0c
> > | peer:  0a 0a 0a 32
> > | state hash entry 22
> > | next event EVENT_SA_REPLACE in 1165 seconds for #1
> > | received a XFRM_MSG_EXPIRE
> > |
> >
> > ipsec.conf
> > ----------------
> > config setup
> >         interfaces="ipsec0=eth1"
> >         klipsdebug=all
> >         uniqueids=yes
> >         charonstart=no
> >         plutodebug=all
> >         plutostart=yes
> >         plutostderrlog="/etc/pluto.log"
> > conn %default
> >   ikelifetime=20m
> >   keylife=10m
> >   rekeymargin=1m
> >   keyingtries=1
> >   forceencaps=yes
> >   reauth=no
> >   mobike=no
> > conn conn1
> >   type=tunnel
> >   left=10.10.10.20
> >   leftid=%any
> >   leftsubnet=20.0.2.20/32
> >   right=10.10.10.50
> >   rightid=%any
> >   pfs=no
> >   pfsgroup=modp1024
> >   ike=3des-sha256-modp1024
> >   esp=3des-sha256-modp1024
> >   auto=add
> >   auth=esp
> >   authby=secret
> >   keyexchange=ikev1
> Hi,
>
> which kernel-version are you using (uname -v), and is there
> a chance you don't have sha2 support enabled in your kernel?
> Try 'grep sha2 /proc/crypto'
>
> Cheers,
> Thomas
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20130917/598ea625/attachment.html>


More information about the Users mailing list