[strongSwan] [KNL] received netlink error: No such file or directory (2) - unable to add SAD entry with SPI

Thomas Egerer hakke_007 at gmx.de
Tue Dec 29 00:12:14 CET 2015


btw, I forgot.
As root, try to run

ip x s add \
    src ::0 \
    dst ::0 \
    proto esp spi 0xC0123456 mode tunnel \
    reqid 1 \
    enc 'aes' 0x0102030405060708010203040506070801020304050607080102030405060708 \
    auth 'sha1' 0x0102030405060708090a0b0c0d0e0f0001020304

and see if this succeeds. If so, you will have to issue a

ip x s delete src ::0 dst ::0 proto esp spi 0xC0123456

to get rid of the state.
If this works then apparently all of the modules are present.

Cheers,
Thomas


On 12/28/2015 12:33 AM, Conrad Kostecki wrote:
> Hi Thomas!
> Here is my output: http://pastebin.com/46dgkmKc
> 
> Cheers
> Conrad
> 
> On 27.12.2015 at 22:58, Thomas Egerer wrote:
>> Conrad, I only had a quick look at the log. Nothing suspicious so far.
>> However, I need the output of your /proc/crypto file to know what
>> crypto algorithms are supported by your kernel.
>>
>> Cheers,
>> Thomas
>>
>> On 12/27/2015 09:07 PM, Conrad Kostecki wrote:
>>> Hi Thomas!
>>>
>>> On 27.12.2015 at 20:19, Thomas Egerer wrote:
>>>> Hello Conrad
>>>>
>>>> On 12/26/2015 01:55 PM, ck+strongswanusers at bl4ckb0x.de wrote:
>>>>> Hello!
>>>>> I am trying to set up StrongSwan on a new Gentoo server.
>>>>> My Lumia 950XL (Windows Phone 10) is the connecting device.
>>>>>
>>>>> The connection fails, because I am getting "Invalid payload
>>>>> received" on
>>>>> the client side.
>>>>>
>>>>> Debug Log: http://pastebin.com/huTE2PxY
>>>>> Config: http://pastebin.com/9q84N6ii
>>>> I suspect that one of the negotiated crypto algorithms for ESP is not
>>>> available in the kernel. According to your config this should be AES256
>>>> along with SHA1. It could however not hurt to turn up logging for cfg
>>>> facility to 2 in your ipsec.conf. Loglevel 3 or 4 for knl would give us
>>>> the exact netlink message which in this case would be much better.
>>>> Modify the appropriate ipsec.conf line as follows:
>>>>     charondebug="cfg 2, dmn 2, ike 2, net 2, lib 3, knl 4"
>>>> and run your test again. Then we can analyze the logs and see if this
>>>> gets us any further.
>>>
>>> Thanks for the suggestion. I've modified it and created a new log file:
>>> http://pastebin.com/yJDiKfeg
>>>
>>> AES256 and SHA1 are built into my kernel, if I am not searching for the
>>> wrong options..
>>>
>>> CONFIG_CRYPTO_SHA1=y
>>> CONFIG_CRYPTO_SHA1_SSSE3=y
>>> CONFIG_CRYPTO_SHA256_SSSE3=y
>>> CONFIG_CRYPTO_SHA512_SSSE3=y
>>> CONFIG_CRYPTO_SHA1_MB=y
>>> CONFIG_CRYPTO_SHA256=y
>>> CONFIG_CRYPTO_SHA512=y
>>>
>>> CONFIG_CRYPTO_AES=y
>>> CONFIG_CRYPTO_AES_X86_64=y
>>> CONFIG_CRYPTO_AES_NI_INTEL=y
>>>
>>> CONFIG_CRYPTO_HMAC=y
>>>
>>> CONFIG_CRYPTO_CBC=y
>>>
>>> Cheers
>>> Conrad
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>>
> 
> 
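
Added example (not part of the thread and not strongSwan code): a small shell helper for the /proc/crypto check requested above. It reports which of the algorithm names needed for the negotiated ESP proposal (AES-CBC with HMAC-SHA1) are not registered with a passed selftest. The function names and the sample data are made up for illustration; /proc/crypto lists only what is currently registered, so a missing template instance such as hmac(sha1) is a hint, and the ip xfrm test at the top of this mail remains the conclusive check.

```shell
#!/bin/sh
# Added example, not from the thread. Names not found in a /proc/crypto-format
# file (or found only with a selftest other than "passed") are printed.

# crypto_missing FILE NAME...   (FILE may be "-" for stdin)
crypto_missing() {
    file=$1; shift
    awk -v wanted="$*" '
        function endrec() { if (sel == "passed") ok[name] = 1; name = sel = "" }
        BEGIN              { n = split(wanted, w, " ") }
        /^name[ \t]*:/     { sub(/^[^:]*:[ \t]*/, ""); name = $0 }
        /^selftest[ \t]*:/ { sub(/^[^:]*:[ \t]*/, ""); sel = $0 }
        /^[ \t]*$/         { endrec() }          # blank line closes a record
        END { endrec(); for (i = 1; i <= n; i++) if (!(w[i] in ok)) print w[i] }
    ' "$file"
}

# Constructed sample in /proc/crypto layout (not the poster's pastebin output).
sample_proc_crypto() {
    cat <<'EOF'
name         : sha1
driver       : sha1-ssse3
selftest     : passed

name         : aes
driver       : aes-aesni
selftest     : passed

name         : cbc(aes)
driver       : cbc-aes-aesni
selftest     : passed

name         : sha256
driver       : sha256-generic
selftest     : failed
EOF
}

# ESP with AES-CBC and HMAC-SHA1, as negotiated in the thread; prints hmac(sha1)
sample_proc_crypto | crypto_missing - aes sha1 'cbc(aes)' 'hmac(sha1)'
```

On a live system, pass /proc/crypto as FILE instead of the sample.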

