[strongSwan] On what feature does ESN depend?

Sat Dec 20 20:06:21 CET 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Martin,

After restarting the server, I could enable esn. It seems the combination of an AEAD crypto algorithm
together with esn makes the kernel need the additional "authencesn" module.
The description of the module provides a feasible cause for that dependency:
"AEAD wrapper for IPsec with extended sequence numbers".

Mit freundlichen Grüßen/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 17.12.2014 um 20:58 schrieb Noel Kuntze:
>
> Hello Martin,
>
> Yes, that is caused by specifying "-esn" in the esp line. The same line without "-esn" works
> just fine. I have ipcomp working just fine. That is quite weird then. I'll boot the newest kernel then and see
> if it works then.
>
> Mit freundlichen Grüßen/Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 17.12.2014 um 10:14 schrieb Martin Willi:
> > Noel,
>
> >> I just tried to use esn (extended sequence numbers), but the responder got that error:
> >>
> >> parsed CREATE_CHILD_SA request 2 [ N(IPCOMP_SUP) SA No KE TSi TSr ]
> >> received netlink error: No such file or directory (2)
> >> unable to add SAD entry with SPI cb1c9923
>
> > Can you confirm that this error is related to the use of ESN, and not
> > the use of IPComp? Have you tried to disable IPcomp? If it works
> > without, you are probably lacking IPComp support or the used compression
> > algorithm.
>
> >> On what kernel feature does esn depend? Is there an extra module for it?
>
> > ESN support was introduced with Linux 2.6.39, so unless your kernel has
> > a regression it should support it. ESN support at least on my kernel is
> > no option or module, and is always included in XFRM.
>
> > Regards
> > Martin
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJUlciqAAoJEDg5KY9j7GZY5BQP/j7EwcTL7ba/H1QyugqcRiDv
uV8jS2G906ajF4h96wku8t9em/UcKvW7v9Hz/Wo2+UHeYGak6qj2oAD+1weGB6ms
L1WgwS87dC5e1hkddh9BXdgHHINJk6rGjpKIkBLOLYjEBwZp88BYm1phpPQUk1JB
zcatQYK5eXHo6xNHMy7KvvAanvhlW4UKSy8czXdO7ztWFSNwhoF0IRGyEqwQ+35W
gKxfOzjyPij9cj2oZPYdGdlMmp+/Dd73zYZE69zvEPAfICkquo0F8LMphkJoGecN
rcb924warCWuOAWIcIG1qqOr9qHQ4Y/9wS0PQpXyTGczZu25HXQDXG969+ASXwQS
7P2hjRWFTT2R1SNIc46ZTgd82xbMjkoh+//q5LsD8VC5HmvLWmAJ5cXYSD33kmmP
Yv89biM+MdCNQUjn9/b9ZHETZv94aTeWKPwV1bLdYy67cf2lA9Jvfv7SY8T+fSPR
Lqq0pQN8OUHdA/Q+ShTw8uoexrdaYJyd0H9oeIEmqiJ+tfcguLJ5+Zc1egwepUa0
/+ktZgpwJ+dnnHwlKaCBnXs7CMVuXgrQK87+HZydvcrpJ7AuHA0nrcmqxbeIVNYP
r6N4uxIHymYEsdJ9MJkaDUiY9ayuogBYDrZ48v9d32lIeyrqo6143bYS7ufj0Voj
6NTr6VeXmjhGYt01h9/t
=vMmT
-----END PGP SIGNATURE-----