[strongSwan] "unable to allocate SPIs from kernel"

Dorn Hetzel dorn at hetzel.org
Tue Mar 3 11:20:58 CET 2020

I am encountering this problem which seems to have been around for a while

root at TroposRouter:/etc# ipsec up test
initiating IKE_SA test[4] to
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from[500] to[500]
received packet: from[500] to[500]
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP)
received unknown vendor ID:
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID:
received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
cert payload ANY not supported - ignored
no IDi configured, fall back on IP address
authentication of '' (myself) with pre-shared key
establishing CHILD_SA test
unable to allocate SPIs from kernel
root at TroposRouter:/etc#

ipsec statusall looks like ->

establishing CHILD_SA test
unable to allocate SPIs from kernel
root at TroposRouter:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  uptime: 7 seconds, since Jan 01 01:14:28 2017
  malloc: sbrk 184320, mmap 0, used 153152, free 31168
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des
blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac
ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp
updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp
whitelist led duplicheck uci addrblock
Listening IP addresses:
        test:  %any...  IKEv2
        test:   local:  [%any] uses pre-shared key authentication
        test:   remote: [] uses pre-shared key authentication
        test:   child:  dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
root at TroposRouter:/etc#

This is all on a mips based openwrt derived platform.



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200303/8210831a/attachment.html>

More information about the Users mailing list