[Swan] Setting up ike/ipsec tunnel over TCP
Andrew Cagney
andrew.cagney at gmail.com
Wed Sep 30 12:06:23 UTC 2020
On Wed, 30 Sep 2020 at 00:58, M Thotager <mallesh.thotager at gmail.com> wrote:
>
> Hi Team,
>
> I'm trying to setup a ipsec over tcp (on ubuntu , Kernel version is 5.8.9), but ipsec sa creation is failing with the below reason.
> I referred to the available test scripts for tcp (in git repository ) , Could you please check and let me know if I'm missing anything ?
>
> Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
> Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
> Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 using old-style req
> Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
> Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
> Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA esp.654c8f7b at 10.30.65.7 included errno 22: Invalid argument
> Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
> Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL
my knee jerk reaction is the kernel - we've been testing with some
bleeding edge patches and features enabled. I just ran the the tests
with the vanilla kernel:
Linux east 5.8.11-200.fc32.x86_64 #1 SMP Wed Sep 23 13:51:28 UTC 2020
x86_64 x86_64 x86_64 GNU/Linux
and they pass. However, that is still slightly ahead.
> I've downloaded the latest libreswan code , built and installed.
>
> Ipsec version:
> root at Ubuntu-1604New-001:~# vi /tmp/pluto.log
> root at Ubuntu-1604New-001:~# ipsec version
> Linux Libreswan v3.30-1834-g8b42ce7-main (netkey) on 5.8.9-050809-generic
> root at Ubuntu-1604New-001:~# uname -a
> Linux Ubuntu-1604New-001 5.8.9-050809-generic #202009120936 SMP Sat Sep 12 13:59:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> root at Ubuntu-1604New-001:~#
>
> Configuration on both the peers:
> peer1:
> config setup
> protostack=netkey
> listen-tcp=yes
> logfile=/tmp/pluto.log
> logtime=yes
> logappend=no
> plutodebug=all
> dumpdir=/tmp
>
> conn mysubnet
> enable-tcp=yes
> tcp-remoteport=4500
> left=10.30.65.1
> right=10.30.65.7
> authby=secret
> leftsubnet=192.0.2.0/24
> rightsubnet=192.0.1.0/24
> type=tunnel
> auto=add
> ike=aes256-sha256;modp4096
>
>
> Peer2:
> version 2.0
> config setup
> protostack=netkey
> listen-tcp=yes
> logfile=/tmp/pluto.log
> logtime=yes
> logappend=no
> plutodebug=all
>
> conn mysubnet
> enable-tcp=yes
> tcp-remoteport=4500
> left=10.30.65.7
> right=10.30.65.1
> authby=secret
> leftsubnet=192.0.1.0/24
> rightsubnet=192.0.2.0/24
> type=tunnel
> auto=start
> ike=aes256-sha256;modp4096
> phase2alg=aes256-sha256;modp4096
>
> Thanks,
> Mallesh
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
More information about the Swan
mailing list