[strongSwan] StrongSwan 5.8.2 - received netlink error: Invalid argument (22)

Tobias Brunner tobias at strongswan.org
Mon Jul 6 11:08:00 CEST 2020

Hi Houman,

> We have two types of servers. Same users are doing ok on servers with
> StrongSwan 5.7.2 on kernel  5.3.0-53-generic.
> But on the servers with StrongSwan 5.8.2 with kernel* 5.4.0-39-generic,
> *the issue arises. (Not for all users, but quite a few)

I had a closer look at the log and now saw what the problem is.  It has
nothing to do with the strongSwan or kernel version.

The problem is that the client moves from an IPv4 address to an IPv6
address and you apparently have UDP-encapsulation forced (see the
"faking NAT situation to enforce UDP encapsulation").  However, the
Linux kernel currently does not support UDP encapsulation for IPv6 (the
upcoming 5.8 kernel will be the first one with support for it), so you
get that error when the daemon tries to replace the IPv4 SA with an IPv6
SA that has UDP encapsulation enabled.  Try without forcing UDP
encapsulation (or disable IPv6 in the socket-default plugin if you don't
want clients to use it).


More information about the Users mailing list