[Swan-dev] XfrmOutNoStates in Fedora 28

Qiuyu Xiao qiuyu.xiao.qyx at gmail.com
Thu Jul 5 18:34:03 UTC 2018


Hi everyone,

I recently encountered a problem when running Libreswan in Fedora 28.
I thought it might be a bug, so I am posting it here.

Basically, I was deploying transport mode IPsec between two hosts.
After I set up Libreswan in Fedora 28 with 4.14.0 kernel, I found that
the packet cannot be sent out and /proc/net/xfrm_stat shows
XfrmOutNoStates errors. But the host can receive and process ESP
packets (I tested this with a Fedora 27 host where Libreswan can
correctly run).

Below is some detailed information:
Host version:
Fedora 28 with kernel 4.14.0-1.fc28.x86_64

Libreswan version:
3.23-2.fc28

/etc/ipsec.conf
--------------------
conn %default
    keyingtries=%forever
    type=transport
    auto=route
    ike=aes_gcm256-sha2_256
    esp=aes_gcm256
    ikev2=insist

config setup
    plutodebug=all
    uniqueids=no

conn connetion1
    left=10.33.78.167
    right=10.33.79.184
    leftrsasigkey=%cert
    leftcert="vm1"
    leftid=@vm1
    rightid=@vm2
    rightca=%same

ip xfrm policy
------------------
src 10.33.78.167/32 dst 10.33.79.184/32
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport

src 10.33.79.184/32 dst 10.33.78.167/32
        dir in priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport

ip xfrm state
-----------------
src 10.33.79.184 dst 10.33.78.167
        proto esp spi 0xd16f9fd1 reqid 16389 mode transport
        replay-window 32
        aead rfc4106(gcm(aes)) 0x6d15bb854f28069891f40905320cc0debcc93e46eb6093b4cd6bff65dee5fbebd4fa1aaf 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.33.79.184/32 dst 10.33.78.167/32

src 10.33.78.167 dst 10.33.79.184
        proto esp spi 0x1bd4d970 reqid 16389 mode transport
        replay-window 32
        aead rfc4106(gcm(aes)) 0xb874dedc137d202b502c03ead3f3cc1a565ed680b25832d4ac3dd7d1ea1ab37b2fc27599 128
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
        sel src 10.33.78.167/32 dst 10.33.79.184/32

Best,
Qiuyu
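
The kernel counts XfrmOutNoStates when an outbound policy matches a packet but no SA is found for it. The following is an added example, not part of the original message: it cross-checks each `dir out` policy in an `ip xfrm policy` dump against the SAs in an `ip xfrm state` dump. The function names are hypothetical, the embedded dumps are the ones posted above with key material omitted, and matching on src/dst/proto/reqid/mode is a simplified approximation of the kernel's lookup.

```python
import re

# Constructed sample: the policy and state dumps from the post above,
# with key material, replay and selector lines omitted.
POLICY = """\
src 10.33.78.167/32 dst 10.33.79.184/32
        dir out priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport

src 10.33.79.184/32 dst 10.33.78.167/32
        dir in priority 2080 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 16389 mode transport
"""
STATE = """\
src 10.33.79.184 dst 10.33.78.167
        proto esp spi 0xd16f9fd1 reqid 16389 mode transport

src 10.33.78.167 dst 10.33.79.184
        proto esp spi 0x1bd4d970 reqid 16389 mode transport
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)$", re.M)   # unindented record header
TMPL = re.compile(r"proto (\S+)(?: spi \S+)? reqid (\d+) mode (\S+)")

def records(dump):
    """Split an `ip xfrm` dump into blank-line-separated records -> dicts."""
    out = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        head, tmpl = HEAD.search(block), TMPL.search(block)
        if not (head and tmpl):
            continue  # skip anything that is not a policy/state record
        direction = re.search(r"\bdir (\w+)", block)
        out.append({
            "src": head.group(1).split("/")[0],   # drop the /32 prefix length
            "dst": head.group(2).split("/")[0],
            "dir": direction.group(1) if direction else None,
            "key": tmpl.groups(),                 # (proto, reqid, mode)
        })
    return out

def unmatched_out_policies(policy_dump, state_dump):
    """Return out policies with no SA for the same src/dst/proto/reqid/mode."""
    sas = {(s["src"], s["dst"], s["key"]) for s in records(state_dump)}
    return [p for p in records(policy_dump)
            if p["dir"] == "out" and (p["src"], p["dst"], p["key"]) not in sas]
```

On the dumps posted above, `unmatched_out_policies(POLICY, STATE)` returns an empty list: the listing contains an outbound SA for the outbound policy.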

