[strongSwan] How to troubleshoot strongswan error: “unable to allocate SPIs from kernel”?
Marko Burazin
morkitz at gmail.com
Wed Feb 24 10:10:56 CET 2016
Hi all,
I am trying to set up an IPsec tunnel to a Juniper security gateway using a
strongswan client on a Linux machine and preshared keys.
This is what I get when trying to bring the connection up:
root@localhost:/etc# ipsec up home
initiating IKE_SA home[32] to 192.168.226.1
generating IKE_SA_INIT request 0 [ SA KE No N(HASH_ALG) ]
sending packet: from 192.168.226.132[500] to 192.168.226.1[500] (1092 bytes)
received packet: from 192.168.226.1[500] to 192.168.226.132[500] (408 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V ]
received unknown vendor ID: xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
authentication of '192.168.226.132' (myself) with pre-shared key
establishing CHILD_SA home
WARNING: No stream registered yet
unable to allocate SPIs from kernel
establishing connection 'home' failed
I'm guessing it fails because of the "*unable to allocate SPIs from kernel*"
error.
My ipsec.conf file looks like this:
root@localhost:/etc# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    #plutostart=yes
    charondebug="chd 2, knl 3, ike 2, cfg 2, enc 2, esp 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret

conn home
    left=192.168.226.132
    leftsourceip=10.67.238.132
    leftfirewall=yes
    right=192.168.226.1
    auto=add
The status:
root@localhost:/# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.1, Linux 3.10.55-xxxx, xxxx):
  uptime: 16 minutes, since Feb 23 14:26:15 2016
  malloc: sbrk 2699264, mmap 6164480, used 233640, free 2465624
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 pubkey pkcs1 pkcs7 pkcs8 pkcs12 sshkey pem openssl xcbc cmac hmac attr ike-kernel-ipsec kernel-netlink resolve socket-default stroke ike_config
Listening IP addresses:
  169.254.2.2
  10.67.225.132
  192.168.226.132
Connections:
  home: 192.168.226.132...192.168.226.1 IKEv2
  home: local: [192.168.226.132] uses pre-shared key authentication
  home: remote: [192.168.226.1] uses pre-shared key authentication
  home: child: dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none
I understand there could be a number of reasons why the SA could not
be established from the kernel point of view, but any help on how to
actually troubleshoot these kinds of errors would be greatly
appreciated.
Thanks in advance.
Regards,
Marko