[strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

Houman houmie at gmail.com
Sat Jul 4 10:08:53 CEST 2020


Hello,

I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic (Ubuntu
20.04).
I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
19.10).

received netlink error: Invalid argument (22)

Jul  4 04:54:22 de-fsn-6 charon: 05[IKE] authentication of 'de-fsn-6.VPN.net' (myself) with RSA signature successful
Jul  4 04:54:22 de-fsn-6 charon: 05[IKE] sending end entity cert "CN= de-fsn-6.VPN.net"
Jul  4 04:54:22 de-fsn-6 charon: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] splitting IKE message (2928 bytes) into 3 fragments
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Jul  4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Jul  4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul  4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul  4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (612 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] received packet: from 39.33.54.xxx[4500] to 144.76.113.xxx[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] parsed INFORMATIONAL request 409 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] generating INFORMATIONAL response 409 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] sending packet: from 144.76.113.xxx[4500] to 39.33.54.xxx[4500] (128 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] received packet: from xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] to xxxx:4f7:192:732c::2[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] remote host is not behind NAT anymore
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] faking NAT situation to enforce UDP encapsulation
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI c8a1394b
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI 0b956c9a
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] generating INFORMATIONAL response 12 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] sending packet: from xxxx:4f7:192:732c::2[4500] to xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] (128 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 13[KNL] creating acquire job for policy xxx.111.251.62/32[tcp/https] === 10.10.34.25/32[tcp/51510] with reqid {31606}
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 13[CFG] trap not found, unable to acquire reqid 31606
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 09[NET] received packet: from xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] to xxxx:4f7:192:732c::2[4500] (144 bytes)
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 09[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul  4 04:54:22 de-fsn-6 ipsec[706]: 09[IKE] received retransmit of request with ID 12, retransmitting response



*/etc/ipsec.conf*


config setup
  strictcrlpolicy=yes
  uniqueids=never

conn Falkenstein-6
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
  esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
  dpdaction=clear
  dpddelay=180s
  dpdtimeout=3600s
  rekey=no
  left=%any
  leftid=@de-fsn-6.VPN.net
  leftcert=cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0, ::/0
  right=%any
  rightid=%any
  rightauth=eap-radius
  eap_identity=%any
  rightdns=8.8.8.8,8.8.4.4
  rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
  leftfirewall=no



Any idea what this could be?


Many Thanks,

Houman