[strongSwan] 02[KNL] error installing route with policy after upgrading strongswan 5.1.3->5.3.5
Marc Eckel
dermarc at gmx.at
Mon Aug 22 20:51:50 CEST 2016
Hello,
after upgrading from Ubuntu 14.04 to 16.04 I ran into a problem that seems
to be related to bug 824 (https://wiki.strongswan.org/issues/824).
The log file:
charon: 03[IKE] sending DPD request
charon: 03[ENC] generating INFORMATIONAL request 4 [ ]
charon: 03[NET] sending packet: from <Static IP>[4500] to 93.227.144.52[4500] (76 bytes)
charon: 15[NET] received packet: from 93.227.144.52[4500] to <Static IP>[4500] (76 bytes)
charon: 15[ENC] parsed INFORMATIONAL response 4 [ ]
charon: 02[IKE] sending DPD request
charon: 02[ENC] generating INFORMATIONAL request 4 [ ]
charon: 02[NET] sending packet: from <Static IP>[4500] to 188.192.11.21[4500] (76 bytes)
charon: 04[NET] received packet: from 188.192.11.21[4500] to <Static IP>[4500] (540 bytes)
charon: 04[ENC] parsed CREATE_CHILD_SA request 5 [ SA No KE TSi TSr ]
charon: 04[IKE] ignoring KE exchange, agreed on a non-PFS proposal
charon: 04[KNL] getting a local address in traffic selector <Static IP>/32
charon: 04[KNL] using host <Static IP>
charon: 04[KNL] installing route: <Private IP 1>/24 src <Static IP> dev ipsec0
charon: 04[KNL] getting iface index for ipsec0
charon: 04[KNL] getting a local address in traffic selector <Static IP>/32
charon: 04[KNL] using host <Static IP>
charon: 04[KNL] getting a local address in traffic selector <Private IP 2>/24
charon: 04[KNL] no local address found in traffic selector <Private IP 2>/24
charon: 04[KNL] error installing route with policy <Private IP 2>/24 === <Private IP 1>/24 out
charon: 04[KNL] getting a local address in traffic selector <Private IP 2>/24
charon: 04[KNL] no local address found in traffic selector <Private IP 2>/24
charon: 04[KNL] error installing route with policy <Private IP 2>/24 === <Private IP 1>/24 out
charon: 04[IKE] unable to install IPsec policies (SPD) in kernel
charon: 04[IKE] failed to establish CHILD_SA, keeping IKE_SA
charon: 04[KNL] getting iface index for ipsec0
> Ip a:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:16:3e:00:62:85 brd ff:ff:ff:ff:ff:ff
    inet <Static IP>/25 brd 185.11.136.127 scope global eth0
       valid_lft forever preferred_lft forever
    inet <Private IP 3>/24 brd <Private IP 3>255 scope global eth0:1
       valid_lft forever preferred_lft forever
    inet6 fe80::216:3eff:fe00:6285/64 scope link
       valid_lft forever preferred_lft forever
10: ipsec0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
The workaround charon.interfaces_ignore=ipsec0 does not work for me, neither
does charon.interfaces_use=eth0.
Is updating to 5.5 the only way (I don't know much about building
strongswan)? Any other workarounds?
Kind regards
Marc
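
Added example, not part of the original post and not strongSwan code: a triage script for the log pattern above. It pairs each "error installing route with policy" line with a preceding "no local address found in traffic selector" line on the same charon thread, then checks whether any address from `ip a` lies inside that selector. The log sample and addresses are constructed (the post's redacted placeholders replaced by assumed values), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: log lines from the post, unwrapped, with the redacted
# placeholders replaced by documentation/private addresses (assumed values).
SAMPLE_LOG = """\
charon: 04[KNL] getting a local address in traffic selector 192.0.2.10/32
charon: 04[KNL] using host 192.0.2.10
charon: 04[KNL] installing route: 10.1.0.0/24 src 192.0.2.10 dev ipsec0
charon: 04[KNL] getting a local address in traffic selector 10.2.0.0/24
charon: 04[KNL] no local address found in traffic selector 10.2.0.0/24
charon: 04[KNL] error installing route with policy 10.2.0.0/24 === 10.1.0.0/24 out
charon: 04[IKE] unable to install IPsec policies (SPD) in kernel
charon: 04[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""

# Constructed stand-in for the "inet" lines of `ip a` on the gateway.
LOCAL_ADDRS = ["127.0.0.1/8", "192.0.2.10/25", "10.3.0.1/24"]

LINE = re.compile(r"charon: (\d+)\[(\w+)\] (.*)")
NO_ADDR = re.compile(r"no local address found in traffic selector (\S+)")
ROUTE_ERR = re.compile(r"error installing route with policy (\S+) === (\S+) (\w+)")


def failed_policies(log):
    """Return sorted (thread, local_ts, remote_ts, direction) for route errors
    preceded, on the same thread, by a 'no local address' line for local_ts."""
    missing, out = {}, set()
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, _group, msg = m.groups()
        if (n := NO_ADDR.search(msg)):
            missing.setdefault(thread, set()).add(n.group(1))
        elif (e := ROUTE_ERR.search(msg)) and e.group(1) in missing.get(thread, ()):
            out.add((thread, *e.groups()))  # set: repeated log lines collapse
    return sorted(out)


def addrs_inside(selector, local_addrs):
    """List the local interface addresses that fall inside the selector."""
    net = ipaddress.ip_network(selector, strict=False)
    return [a for a in local_addrs if ipaddress.ip_interface(a).ip in net]


if __name__ == "__main__":
    for thread, local_ts, remote_ts, direction in failed_policies(SAMPLE_LOG):
        hits = addrs_inside(local_ts, LOCAL_ADDRS)
        print(f"[{thread}] {local_ts} === {remote_ts} {direction}: "
              f"local addresses in selector: {hits or 'none'}")
```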