[strongSwan] "unable to allocate SPIs from kernel"

Dorn Hetzel dorn at hetzel.org
Tue Mar 3 11:20:58 CET 2020


I am encountering this problem, which seems to have been around for a while ->

/////
root at TroposRouter:/etc# ipsec up test
initiating IKE_SA test[4] to 192.168.55.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.55.6[500] to 192.168.55.1[500]
received packet: from 192.168.55.1[500] to 192.168.55.6[500]
parsed IKE_SA_INIT response 0 [ SA KE No V V V N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(HTTP_CERT_LOOK) N((16430)) V ]
received unknown vendor ID:
43:49:53:43:4f:2d:44:45:4c:45:54:45:2d:52:45:41:53:4f:4e
received unknown vendor ID: 43:49:53:43:4f:56:50:4e:2d:52:45:56:2d:30:32
received unknown vendor ID:
46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
received unknown vendor ID: 40:48:b7:d5:6e:bc:e8:85:25:e7:de:7f:00:d6:c2:d3
cert payload ANY not supported - ignored
no IDi configured, fall back on IP address
authentication of '192.168.55.6' (myself) with pre-shared key
establishing CHILD_SA test
unable to allocate SPIs from kernel
root at TroposRouter:/etc#
/////

ipsec statusall looks like ->

establishing CHILD_SA test
unable to allocate SPIs from kernel
root at TroposRouter:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.0.0, Linux 3.3.8, mips):
  uptime: 7 seconds, since Jan 01 01:14:28 2017
  malloc: sbrk 184320, mmap 0, used 153152, free 31168
  worker threads: 3 of 16 idle, 12/1/0/0 working, job queue: 0/0/0/0,
scheduled: 0
  loaded plugins: charon test-vectors curl ldap mysql sqlite pkcs11 aes des
blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey
pkcs1 pkcs8 pgp dnskey pem openssl gcrypt fips-prf gmp agent xcbc cmac hmac
ctr ccm gcm attr kernel-netlink resolve socket-default farp stroke smp
updown eap-identity eap-md5 eap-mschapv2 xauth-generic xauth-eap dhcp
whitelist led duplicheck uci addrblock
Listening IP addresses:
  192.168.55.6
  192.168.164.166
  192.168.55.9
  192.168.167.166
  192.168.55.8
  192.168.166.166
  192.168.168.168
  192.168.169.166
  192.168.55.7
  192.168.165.166
Connections:
        test:  %any...192.168.55.1  IKEv2
        test:   local:  [%any] uses pre-shared key authentication
        test:   remote: [192.168.55.1] uses pre-shared key authentication
        test:   child:  dynamic === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none
root at TroposRouter:/etc#

This is all on a MIPS-based, OpenWrt-derived platform.

Thoughts?

Regards,

Dorn