[strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)
Houman
houmie at gmail.com
Sat Jul 4 10:08:53 CEST 2020
Hello,
I'm seeing a strange error in StrongSwan U5.8.2/K5.4.0-39-generic (Ubuntu
20.04).
I don't get this error with StrongSwan U5.7.2/K5.3.0-53-generic (Ubuntu
19.10).
received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] authentication of 'de-fsn-6.VPN.net' (myself) with RSA signature successful
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] sending end entity cert "CN= de-fsn-6.VPN.net"
Jul 4 04:54:22 de-fsn-6 charon: 05[IKE] sending issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] splitting IKE message (2928 bytes) into 3 fragments
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(1/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(2/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[ENC] generating IKE_AUTH response 1 [ EF(3/3) ]
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (1236 bytes)
Jul 4 04:54:22 de-fsn-6 charon: 05[NET] sending packet: from 144.76.113.xxx[4500] to 31.215.103.xxx[4500] (612 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] received packet: from 39.33.54.xxx[4500] to 144.76.113.xxx[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] parsed INFORMATIONAL request 409 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[ENC] generating INFORMATIONAL response 409 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 01[NET] sending packet: from 144.76.113.xxx[4500] to 39.33.54.xxx[4500] (128 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] received packet: from xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] to xxxx:4f7:192:732c::2[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] remote host is not behind NAT anymore
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[IKE] faking NAT situation to enforce UDP encapsulation
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI c8a1394b
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] received netlink error: Invalid argument (22)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[KNL] unable to update SAD entry with SPI 0b956c9a
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[ENC] generating INFORMATIONAL response 12 [ N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 08[NET] sending packet: from xxxx:4f7:192:732c::2[4500] to xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] (128 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 13[KNL] creating acquire job for policy xxx.111.251.62/32[tcp/https] === 10.10.34.25/32[tcp/51510] with reqid {31606}
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 13[CFG] trap not found, unable to acquire reqid 31606
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[NET] received packet: from xxxx:8f8:112d:ed31:2474:a82d:88cc:544[4500] to xxxx:4f7:192:732c::2[4500] (144 bytes)
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[ENC] parsed INFORMATIONAL request 12 [ N(UPD_SA_ADDR) N(NATD_S_IP) N(NATD_D_IP) ]
Jul 4 04:54:22 de-fsn-6 ipsec[706]: 09[IKE] received retransmit of request with ID 12, retransmitting response
*/etc/ipsec.conf*
config setup
    strictcrlpolicy=yes
    uniqueids=never

conn Falkenstein-6
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256gcm16-aes192gcm16-aes128gcm16-prfsha256-ecp521-ecp256-modp4096-modp2048, aes256-sha256-ecp521-ecp256-modp4096-modp2048!
    esp=aes256gcm16-aes192gcm16-aes128gcm16-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1-ecp521-ecp256-modp4096-modp2048, aes256-sha256-sha1!
    dpdaction=clear
    dpddelay=180s
    dpdtimeout=3600s
    rekey=no
    left=%any
    leftid=@de-fsn-6.VPN.net
    leftcert=cert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0, ::/0
    right=%any
    rightid=%any
    rightauth=eap-radius
    eap_identity=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.10.10.0/17,fdd2:54c4:4c90:1::300/113
    leftfirewall=no

Any idea what this could be?
Many Thanks,
Houman