[strongSwan] Unable to establish SA

Noel Kuntze noel at familie-kuntze.de
Wed Jun 24 19:45:50 CEST 2015


Hello Glen,

No, they are not. There are different key exchanges and algorithm negotiations for IKE and the subsequent SA pairs.
You need to configure a file logger[1] and look at the logs to figure out what algos are negotiated for the IPsec SAs.

Use those options for the file logger:
    default = 3
    mgr = 1
    ike = 1
    net = 1
    enc = 0
    cfg = 2
    asn = 1
    job = 1
    knl = 1

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 24.06.2015 um 19:42 schrieb Glen Huang:
> Thank you. How do I check what algorithms are negotiated? Are those the "IKE proposal" from ipsec statusall?
>
> If so, they are "3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536", which ones do you think are missing from the lsmod list?
>
>> On Jun 25, 2015, at 1:36 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>>
> Hello Glen,
>
> You obviously also need kernel support for the algorithms
> that are negotiated for the IPsec SAs.
> Check what algorithms are negotiated and then load the corresponding
> kernel module.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 24.06.2015 um 19:30 schrieb Glen Huang:
> >>> Hi,
> >>>
> >>> I'm trying to establish an ikev1 transport SA, but it failed with error like "received netlink error: Function not implemented (89)", I guess it might be that some algo module or kernel module is missing?
> >>>
> >>> ipsec.conf
> >>> http://pastebin.com/WsBDWvCC
> >>>
> >>> messages from ipsec up
> >>> http://pastebin.com/iDxisnVt
> >>>
> >>> ipsec statusall
> >>> http://pastebin.com/CH6bQGYL
> >>>
> >>> output of lsmod
> >>> http://pastebin.com/7NJD0Mxa
> >>>
> >>> I have googled as hard as I can, but didn't find anything useful. I tried kernel-libipsec, but unfortunately it doesn't support transport mode. So I'm at my wits' end. Could someone help me identify the missing part?
> >>>
> >>> Thanks in advance.
> >>>
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
>
>

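The file logger described in the reply above, written out as a strongswan.conf section. This is an added example, not part of the original message: the log levels are the ones given in the mail, while the log path /var/log/charon.log and the time_format, append and flush_line settings are assumptions.

```conf
# strongswan.conf fragment -- added example, not from the original thread.
charon {
    filelog {
        # Assumed log path. Releases from the time of this thread use the
        # file path as the section name; 5.7.0 and later take it from a
        # "path" setting inside a freely named section, which is required
        # when the path contains dots.
        /var/log/charon.log {
            # Assumed housekeeping settings: timestamp each line, start a
            # fresh file on every daemon start, write lines immediately.
            time_format = %b %e %T
            append = no
            flush_line = yes

            # Log levels as given in the mail.
            default = 3
            mgr = 1
            ike = 1
            net = 1
            enc = 0
            cfg = 2
            asn = 1
            job = 1
            knl = 1
        }
    }
}
```

The resulting log is where to look for the algorithms negotiated for the IPsec SAs, as opposed to the IKE proposal shown by ipsec statusall.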
