[strongSwan] Error Message: "unsupported mode"?
Carlos Velasco
carlos.velasco at nimastelecom.com
Sat Oct 1 16:43:49 CEST 2022
Hi Michael,
I think the remote end wants Transport mode "N(USE_TRANSP)", and the local end says it is not supported.
I suppose you are using Linux locally with the "kernel-netlink" module for strongSwan (default), so I would check whether the transport module is enabled in your kernel.
Refer to this doc: https://docs.strongswan.org/docs/5.9/install/kernelModules.html
"IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]" can usually be checked with the command in the doc:
grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
Also, if it is compiled as a module (m), try to load it manually; I think the module name is "xfrm4_mode_transport".
If it is not Linux, you must check that your local OS (or strongSwan module, if not using kernel-netlink) properly supports Transport mode.
Regards,
Carlos Velasco
Michael Schwartzkopff wrote on 01/10/2022 at 15:48:
> Hi,
>
>
> I googled but I did not find a reasonable answer. We try to set up some
> specific strongswan-strongswan connection in transport mode. The log says:
>
>
> NET received packet: from x.x.x.x[4500] to y.y.y.y[4500] (240 bytes)}
> ENC parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr ]}
> CFG selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ}
> ESP IPsec SA: unsupported mode}
> ESP failed to create SAD entry}
> ESP IPsec SA: unsupported mode}
> ESP failed to create SAD entry}
> IKE unable to install inbound and outbound IPsec SA (SAD) in kernel}
> IKE failed to establish CHILD_SA, keeping IKE_SA}
> ENC generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]}
>
> What exactly does "IPsec SA: unsupported mode" mean? unsupported mode
> "transport"?
>
> Or unsupported cipher algorithms? Or anything else went wrong?
>
>
> Kind regards,
>
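
Added example (not part of the original thread): a shell function that extends the grep check suggested in the reply so that built-in, module, explicitly disabled and symbol-absent kernel configs are told apart. The function name, the state words and the /proc/config.gz fallback are this example's own choices; the module name in the hint is the one the reply guesses.

```shell
#!/bin/sh
# Classify how CONFIG_INET_XFRM_MODE_TRANSPORT is set in a kernel config file.
# Prints one of:
#   builtin  - SYM=y
#   module   - SYM=m (may still need to be loaded)
#   disabled - "# SYM is not set"
#   absent   - symbol does not appear in this config at all
#   noconfig - config file missing or unreadable
xfrm_transport_state() {
    cfg=$1
    sym=CONFIG_INET_XFRM_MODE_TRANSPORT
    [ -r "$cfg" ] || { echo noconfig; return 0; }
    # /proc/config.gz is gzip-compressed; /boot/config-* is plain text.
    case $cfg in
        *.gz) reader='gzip -dc' ;;
        *)    reader='cat' ;;
    esac
    # Anchor on the exact symbol so CONFIG_INET6_XFRM_MODE_TRANSPORT
    # or a longer symbol name does not produce a false match.
    line=$($reader "$cfg" 2>/dev/null |
           grep -E "^(# )?${sym}(=| is not set)" | head -n 1)
    case $line in
        "${sym}=y")            echo builtin ;;
        "${sym}=m")            echo module ;;
        "# ${sym} is not set") echo disabled ;;
        *)                     echo absent ;;
    esac
}

# Check the running kernel: /boot first, then /proc/config.gz (assumed fallback).
state=$(xfrm_transport_state "/boot/config-$(uname -r)")
if [ "$state" = noconfig ]; then
    state=$(xfrm_transport_state /proc/config.gz)
fi
echo "CONFIG_INET_XFRM_MODE_TRANSPORT: $state"
if [ "$state" = module ]; then
    # Module name as guessed in the reply above; this only reports, it loads nothing.
    if grep -q '^xfrm4_mode_transport ' /proc/modules 2>/dev/null; then
        echo "xfrm4_mode_transport is loaded"
    else
        echo "xfrm4_mode_transport is not loaded; try: modprobe xfrm4_mode_transport"
    fi
fi
```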