[Swan] Setting up ike/ipsec tunnel over TCP
M Thotager
mallesh.thotager at gmail.com
Wed Sep 30 04:57:42 UTC 2020
Hi Team,
I'm trying to set up IPsec over TCP (on Ubuntu, kernel version 5.8.9), but IPsec SA creation is failing with the reason below.
I referred to the available test scripts for TCP (in the git repository). Could you please check and let me know if I'm missing anything?
Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 using old-style req
Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA esp.654c8f7b@10.30.65.7 included errno 22: Invalid argument
Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL
I've downloaded the latest libreswan code, built and installed it.
Ipsec version:
root@Ubuntu-1604New-001:~# vi /tmp/pluto.log
root@Ubuntu-1604New-001:~# ipsec version
Linux Libreswan v3.30-1834-g8b42ce7-main (netkey) on 5.8.9-050809-generic
root@Ubuntu-1604New-001:~# uname -a
Linux Ubuntu-1604New-001 5.8.9-050809-generic #202009120936 SMP Sat Sep 12 13:59:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@Ubuntu-1604New-001:~#
Configuration on both the peers:
peer1:
config setup
    protostack=netkey
    listen-tcp=yes
    logfile=/tmp/pluto.log
    logtime=yes
    logappend=no
    plutodebug=all
    dumpdir=/tmp
conn mysubnet
    enable-tcp=yes
    tcp-remoteport=4500
    left=10.30.65.1
    right=10.30.65.7
    authby=secret
    leftsubnet=192.0.2.0/24
    rightsubnet=192.0.1.0/24
    type=tunnel
    auto=add
    ike=aes256-sha256;modp4096
Peer2:
version 2.0
config setup
    protostack=netkey
    listen-tcp=yes
    logfile=/tmp/pluto.log
    logtime=yes
    logappend=no
    plutodebug=all
conn mysubnet
    enable-tcp=yes
    tcp-remoteport=4500
    left=10.30.65.7
    right=10.30.65.1
    authby=secret
    leftsubnet=192.0.1.0/24
    rightsubnet=192.0.2.0/24
    type=tunnel
    auto=start
    ike=aes256-sha256;modp4096
    phase2alg=aes256-sha256;modp4096
Thanks,
Mallesh
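A pre-flight check worth running on both peers before digging further into the Add SA failure above, added here as an example and not code from the original post or from libreswan: the xfrm "espintcp" encapsulation that pluto requests in the log is only compiled into kernels built with CONFIG_INET_ESPINTCP (CONFIG_INET6_ESPINTCP for IPv6), and a kernel without it rejects such an SA with EINVAL. The script assumes the running kernel's config is readable at /boot/config-$(uname -r) or /proc/config.gz; the option names are real, the file path is the usual default.

```shell
#!/bin/sh
# Added example: check whether a kernel config enables ESP-in-TCP (RFC 8229),
# the feature behind the xfrm "espintcp" encap type. Not part of libreswan.

# Emit the config text, transparently handling gzip (e.g. /proc/config.gz).
read_cfg() {
    case $1 in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Print "y" (built in), "m" (module) or "n" (explicitly not set) for an
# option; prints nothing if the option does not appear in the file at all.
kconfig_value() {
    # $1 = config file, $2 = option name, e.g. CONFIG_INET_ESPINTCP
    read_cfg "$1" \
        | sed -n "s/^$2=\(.\)$/\1/p; s/^# $2 is not set$/n/p" \
        | head -n 1
}

# Return 0 when IPv4 ESP-in-TCP support is present in the given config.
espintcp_supported() {
    v=$(kconfig_value "$1" CONFIG_INET_ESPINTCP)
    [ "$v" = "y" ] || [ "$v" = "m" ]
}

# Report both address families; exit status reflects IPv4 support, which is
# what the IPv4 tunnel in the post needs. Default path is an assumption.
check_espintcp() {
    cfg=${1:-/boot/config-$(uname -r)}
    v4=$(kconfig_value "$cfg" CONFIG_INET_ESPINTCP)
    v6=$(kconfig_value "$cfg" CONFIG_INET6_ESPINTCP)
    printf 'CONFIG_INET_ESPINTCP=%s CONFIG_INET6_ESPINTCP=%s\n' \
        "${v4:-missing}" "${v6:-missing}"
    espintcp_supported "$cfg"
}
```

Run `check_espintcp` with no argument on each peer; a non-zero exit means the kernel cannot accept an espintcp SA regardless of the pluto configuration.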