Feature #377

Updated by Tobias Brunner about 12 years ago

I'm trying to use strongSwan with kernel-libipsec on Linux (3.9.4), but unfortunately it's not working. Here is the relevant part of the "ipsec restart --nofork" output:

<pre>
05[IKE] authentication of 'XxXxX' with RSA successful
05[IKE] IKE_SA XxXxX[1] established between FOO...BAR
05[IKE] scheduling reauthentication in 10002s
05[IKE] maximum IKE_SA lifetime 10542s
05[ENC] generating QUICK_MODE request 3912695104 [ HASH SA No KE ID ID ]
05[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (308 bytes)
02[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
02[ENC] parsed QUICK_MODE response 3912695104 [ HASH SA No KE ID ID N((24576)) ]
02[ESP] failed to create ESP context: unsupported encryption algorithm
02[ESP] failed to create SAD entry
02[ESP] failed to create ESP context: unsupported encryption algorithm
02[ESP] failed to create SAD entry
02[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
02[ENC] generating QUICK_MODE request 1737399506 [ HASH SA No KE ID ID ]
02[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (308 bytes)
15[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
15[ENC] parsed QUICK_MODE response 1737399506 [ HASH SA No KE ID ID N((24576)) ]
15[ESP] failed to create ESP context: unsupported encryption algorithm
15[ESP] failed to create SAD entry
15[ESP] failed to create ESP context: unsupported encryption algorithm
15[ESP] failed to create SAD entry
15[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
15[ENC] generating QUICK_MODE request 2932897482 [ HASH SA No KE ID ID ]
15[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (308 bytes)
16[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
16[ENC] parsed QUICK_MODE response 2932897482 [ HASH SA No KE ID ID N((24576)) ]
16[ESP] failed to create ESP context: unsupported encryption algorithm
16[ESP] failed to create SAD entry
16[ESP] failed to create ESP context: unsupported encryption algorithm
16[ESP] failed to create SAD entry
16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
16[ENC] generating QUICK_MODE request 502652095 [ HASH SA No KE ID ID ]
16[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (308 bytes)
06[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
06[ENC] parsed QUICK_MODE response 502652095 [ HASH SA No KE ID ID N((24576)) ]
06[ESP] failed to create ESP context: unsupported encryption algorithm
06[ESP] failed to create SAD entry
06[ESP] failed to create ESP context: unsupported encryption algorithm
06[ESP] failed to create SAD entry
06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
06[ENC] generating INFORMATIONAL_V1 request 3861531521 [ HASH N(NO_PROP) ]
06[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (76 bytes)
06[ENC] generating INFORMATIONAL_V1 request 3956559828 [ HASH N(NO_PROP) ]
06[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (76 bytes)
06[ENC] generating INFORMATIONAL_V1 request 3218326822 [ HASH N(NO_PROP) ]
06[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (76 bytes)
06[ENC] generating INFORMATIONAL_V1 request 4192011303 [ HASH N(NO_PROP) ]
06[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (76 bytes)
04[IKE] sending DPD request
04[ENC] generating INFORMATIONAL_V1 request 2476302813 [ HASH N(DPD) ]
04[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (92 bytes)
03[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (92 bytes)
03[ENC] parsed INFORMATIONAL_V1 request 3412858184 [ HASH N(DPD_ACK) ]
01[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
01[ENC] invalid HASH_V1 payload length, decryption failed?
01[ENC] could not decrypt payloads
01[IKE] message parsing failed
01[ENC] generating INFORMATIONAL_V1 request 3450131845 [ HASH N(PLD_MAL) ]
01[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (68 bytes)
01[IKE] QUICK_MODE request with message ID 3912695104 processing failed
05[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
05[ENC] invalid HASH_V1 payload length, decryption failed?
05[ENC] could not decrypt payloads
05[IKE] message parsing failed
05[ENC] generating INFORMATIONAL_V1 request 2950229696 [ HASH N(PLD_MAL) ]
05[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (68 bytes)
05[IKE] QUICK_MODE request with message ID 1737399506 processing failed
02[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (324 bytes)
02[IKE] received retransmit of response with ID 2932897482, but next request already sent
15[IKE] sending DPD request
15[ENC] generating INFORMATIONAL_V1 request 1923278649 [ HASH N(DPD) ]
15[NET] sending packet: from A.B.C.D[4500] to X.W.Y.Z[4500] (92 bytes)
16[NET] received packet: from X.W.Y.Z[4500] to A.B.C.D[4500] (84 bytes)
16[ENC] parsed INFORMATIONAL_V1 request 3429950406 [ HASH D ]
16[IKE] received DELETE for IKE_SA XxXxX[1]
</pre>


When ipsec is running, I see that the ipsec0 interface is created:

<pre>
ipsec0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1400
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
</pre>


I have tested, and strongSwan is working just fine when used with kernel-netlink and the same configuration.

Do you have any pointers or am I missing something obvious?

Thanks,
Luka