[strongSwan] [KNL] received netlink error: No such file or directory (2) - unable to add SAD entry with SPI

Thomas Egerer hakke_007 at gmx.de
Mon Dec 28 23:33:52 CET 2015


Hi Conrad,

On 12/28/2015 12:33 AM, Conrad Kostecki wrote:
> Hi Thomas!
> Here is my output: http://pastebin.com/46dgkmKc
Looks good to me. Even a more thorough analysis of the netlink
message shows that it's fine.
The fact that aes and sha1 are available, the message is OK and
that the kernel apparently returns ENOENT if the loading of a
particular module fails, leads me to believe that the modules
from [1] are missing, particularly the . Or is there any chance the
kernel you emerged, has some Gentoo-only patches?
You can modify the kernel module loader as described in [2], to log
attempts of module loading prior to the actual loading being done. This
along with a list of loaded modules before and after the tunnel
initiation should get us (hopefully) further.

Cheers,
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
[2] http://tldp.org/HOWTO/Module-HOWTO/x197.html#AUTOLOAD

>
> Cheers
> Conrad
>
> On 27.12.2015 at 22:58, Thomas Egerer wrote:
>> Conrad, I only had a quick look at the log. Nothing suspicious so far.
>> However, I need the output of your /proc/crypto file to know what
>> crypto algorithms are supported by your kernel.
>>
>> Cheers,
>> Thomas
>>
>> On 12/27/2015 09:07 PM, Conrad Kostecki wrote:
>>> Hi Thomas!
>>>
>>> On 27.12.2015 at 20:19, Thomas Egerer wrote:
>>>> Hello Conrad
>>>>
>>>> On 12/26/2015 01:55 PM, ck+strongswanusers at bl4ckb0x.de wrote:
>>>>> Hello!
>>>>> I am trying to setup StrongSwan on a new Gentoo server.
>>>>> My Lumia 950XL (Windows Phone 10) is the connecting device.
>>>>>
>>>>> The connection fails, because I am getting "Invalid payload
>>>>> received" on
>>>>> the client side.
>>>>>
>>>>> Debug Log: http://pastebin.com/huTE2PxY
>>>>> Config: http://pastebin.com/9q84N6ii
>>>> I suspect that one of the negotiated crypto algorithms for ESP is not
>>>> available in the kernel. According to your config this should be AES256
>>>> along with SHA1. It could however not hurt to turn up logging for cfg
>>>> facility to 2 in your ipsec.conf. Loglevel 3 or 4 for knl would give us
>>>> the exact netlink message which in this case would be much better.
>>>> Modify the appropriate ipsec.conf line as follows:
>>>>     charondebug="cfg 2, dmn 2, ike 2, net 2, lib 3, knl 4"
>>>> and run your test again. Then we can analyze the logs and see if this
>>>> gets us any further.
>>>
>>> Thanks for the suggestion. I've modified it and created a new log file:
>>> http://pastebin.com/yJDiKfeg
>>>
>>> AES256 and SHA1 are built in in my kernel, if I am not searching for the
>>> wrong options..
>>>
>>> CONFIG_CRYPTO_SHA1=y
>>> CONFIG_CRYPTO_SHA1_SSSE3=y
>>> CONFIG_CRYPTO_SHA256_SSSE3=y
>>> CONFIG_CRYPTO_SHA512_SSSE3=y
>>> CONFIG_CRYPTO_SHA1_MB=y
>>> CONFIG_CRYPTO_SHA256=y
>>> CONFIG_CRYPTO_SHA512=y
>>>
>>> CONFIG_CRYPTO_AES=y
>>> CONFIG_CRYPTO_AES_X86_64=y
>>> CONFIG_CRYPTO_AES_NI_INTEL=y
>>>
>>> CONFIG_CRYPTO_HMAC=y
>>>
>>> CONFIG_CRYPTO_CBC=y
>>>
>>> Cheers
>>> Conrad
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
>
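
The before/after module comparison and the /proc/crypto lookup discussed in this thread, as an added example that is not part of the original messages. The function names, the constructed sample snapshots and the `cbc(aes)` / `hmac(sha1)` names in the usage line are assumptions (the thread only says AES256 with SHA1).

```shell
#!/bin/sh
# Added example, not from the thread: compare /proc/modules snapshots and
# look up algorithm names in a /proc/crypto-style file.

# missing_algs FILE NAME...: print each NAME with no "name : NAME" entry.
# Template instances such as cbc(aes) may only be listed once instantiated,
# so check both before and after the tunnel attempt.
missing_algs() {
    file=$1; shift
    for alg in "$@"; do
        awk -F' *: *' -v want="$alg" \
            '$1 == "name" && $2 == want { hit = 1 } END { exit !hit }' "$file" ||
            printf '%s\n' "$alg"
    done
}

# alg_modules FILE NAME: print the module providing NAME ("kernel" = built in).
alg_modules() {
    awk -F' *: *' -v want="$2" '
        $1 == "name"             { in_blk = ($2 == want) }
        $1 == "module" && in_blk { print $2 }' "$1" | sort -u
}

# new_modules BEFORE AFTER: modules in the AFTER snapshot but not in BEFORE.
new_modules() {
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; next }
         !($1 in seen)        { print $1 }' "$1" "$2"
}

# write_samples DIR: constructed sample snapshots (not from the poster's host).
write_samples() {
    printf '%s\n' 'name         : hmac(sha1)' 'driver       : hmac(sha1-ssse3)' \
        'module       : kernel' '' 'name         : aes' \
        'driver       : aes-aesni' 'module       : aesni_intel' > "$1/crypto"
    printf '%s\n' 'af_key 32768 0 - Live 0x0' > "$1/mod.before"
    printf '%s\n' 'af_key 32768 0 - Live 0x0' \
        'xfrm_user 36864 2 - Live 0x0' > "$1/mod.after"
}

# Real use: sh check.sh BEFORE AFTER 'cbc(aes)' 'hmac(sha1)'
# where BEFORE/AFTER are copies of /proc/modules taken around the attempt.
if [ "$#" -ge 2 ]; then
    before=$1; after=$2; shift 2
    echo "modules loaded during the attempt:"; new_modules "$before" "$after"
    echo "not listed in /proc/crypto:"; missing_algs /proc/crypto "$@"
fi
```

An empty "modules loaded" list together with a netlink ENOENT suggests that no module was autoloaded during the attempt, which is the case the module-loader logging from [2] is meant to narrow down.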

