[Swan] Setting up ike/ipsec tunnel over TCP

M Thotager mallesh.thotager at gmail.com
Wed Sep 30 04:57:42 UTC 2020


Hi Team,

I'm trying to set up IPsec over TCP (on Ubuntu, kernel version 5.8.9), but
IPsec SA creation is failing with the reason below. I referred to the
available test scripts for TCP (in the git repository). Could you please
check and let me know if I'm missing anything?

Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 using old-style req
Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA

Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA esp.654c8f7b@10.30.65.7 included errno 22: Invalid argument
Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL


I've downloaded the latest libreswan code, built it and installed it.

ipsec version:
root@Ubuntu-1604New-001:~# vi /tmp/pluto.log
root@Ubuntu-1604New-001:~# ipsec version
Linux Libreswan v3.30-1834-g8b42ce7-main (netkey) on 5.8.9-050809-generic
root@Ubuntu-1604New-001:~# uname -a
Linux Ubuntu-1604New-001 5.8.9-050809-generic #202009120936 SMP Sat Sep 12 13:59:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@Ubuntu-1604New-001:~#

Configuration on both the peers:

peer1:
config setup
    protostack=netkey
    listen-tcp=yes
    logfile=/tmp/pluto.log
    logtime=yes
    logappend=no
    plutodebug=all
    dumpdir=/tmp

conn mysubnet
    enable-tcp=yes
    tcp-remoteport=4500
    left=10.30.65.1
    right=10.30.65.7
    authby=secret
    leftsubnet=192.0.2.0/24
    rightsubnet=192.0.1.0/24
    type=tunnel
    auto=add
    ike=aes256-sha256;modp4096


Peer2:
version 2.0
config setup
    protostack=netkey
    listen-tcp=yes
    logfile=/tmp/pluto.log
    logtime=yes
    logappend=no
    plutodebug=all

conn mysubnet
    enable-tcp=yes
    tcp-remoteport=4500
    left=10.30.65.7
    right=10.30.65.1
    authby=secret
    leftsubnet=192.0.1.0/24
    rightsubnet=192.0.2.0/24
    type=tunnel
    auto=start
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096

Thanks,
Mallesh
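The Add SA failure in the log above ends in errno 22 (EINVAL) on an SA whose encapsulation template asks for espintcp. Before digging into pluto itself, one thing worth ruling out is whether the kernel can do ESP-in-TCP at all: the XFRM side needs Linux 5.6 or newer built with CONFIG_INET_ESPINTCP, and a kernel without that option rejects an SA with TCP encapsulation with exactly this errno. The script below is an added example, not from the original post or from libreswan; it assumes the kernel configuration is found at /boot/config-$(uname -r) or /proc/config.gz. Separately, the debug line printing encap_type=0(espintcp) is worth comparing against TCP_ENCAP_ESPINTCP (7) in include/uapi/linux/udp.h, since the encapsulation type pluto puts in the template must be the one the kernel expects.

```shell
#!/bin/sh
# Added example: prerequisite check for ESP-in-TCP (RFC 8229) on an IPsec host.
# Not from the original post or from libreswan. Assumes the kernel config lives
# at /boot/config-$(uname -r) (plain text) or /proc/config.gz (gzip).

# Return 0 when a kernel release string (e.g. "5.8.9-050809-generic") is 5.6 or
# newer, the first mainline release with XFRM ESP-in-TCP support; 1 when older;
# 2 when the string cannot be parsed as major.minor.
kernel_has_espintcp() {
    rel=$1
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}          # cut at the first non-digit after the minor
    case "$major$minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt 5 ]; then return 0; fi
    if [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# Return 0 when a plain-text kernel config sets CONFIG_INET_ESPINTCP=y.
# Without it the ESP code rejects an SA whose encapsulation template asks for
# TCP with EINVAL ("Invalid argument"), the errno 22 libreswan logs above.
config_has_espintcp() {
    grep -qx 'CONFIG_INET_ESPINTCP=y' "$1"
}

# Same check for a gzip-compressed config such as /proc/config.gz.
gz_config_has_espintcp() {
    zcat "$1" 2>/dev/null | grep -qx 'CONFIG_INET_ESPINTCP=y'
}

# Print a short report for the running kernel, or for a given release string
# and config path. Always returns 0 so it can sit inside a larger checklist.
report_espintcp_prereqs() {
    rel=${1:-$(uname -r)}
    cfg=${2:-/boot/config-$rel}

    if kernel_has_espintcp "$rel"; then
        echo "kernel $rel: 5.6 or newer, ESP-in-TCP is available in XFRM"
    else
        echo "kernel $rel: older than 5.6, ESP-in-TCP is not available"
    fi

    if [ -r "$cfg" ] && config_has_espintcp "$cfg"; then
        echo "$cfg: CONFIG_INET_ESPINTCP=y"
    elif [ -r "$cfg" ]; then
        echo "$cfg: CONFIG_INET_ESPINTCP not enabled, expect EINVAL on Add SA with espintcp"
    elif [ -r /proc/config.gz ] && gz_config_has_espintcp /proc/config.gz; then
        echo "/proc/config.gz: CONFIG_INET_ESPINTCP=y"
    elif [ -r /proc/config.gz ]; then
        echo "/proc/config.gz: CONFIG_INET_ESPINTCP not enabled, expect EINVAL on Add SA with espintcp"
    else
        echo "no kernel config found at $cfg or /proc/config.gz; check CONFIG_INET_ESPINTCP by hand"
    fi
    return 0
}

report_espintcp_prereqs "$@"
```

Run it with no arguments on each peer to check the running kernel; pass a release string and a config path (for example, `./check.sh 5.8.9-050809-generic /boot/config-5.8.9-050809-generic`) to inspect an installed kernel that is not currently booted.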