[Swan] Setting up ike/ipsec tunnel over TCP

Andrew Cagney andrew.cagney at gmail.com
Wed Sep 30 12:06:23 UTC 2020


On Wed, 30 Sep 2020 at 00:58, M Thotager <mallesh.thotager at gmail.com> wrote:
>
>   Hi Team,
>
> I'm trying to set up IPsec over TCP (on Ubuntu, kernel version is 5.8.9), but IPsec SA creation is failing with the below reason.
> I referred to the available test scripts for TCP (in the git repository). Could you please check and let me know if I'm missing anything?
>
> Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
> Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
> Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 using old-style req
> Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
> Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
> Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA esp.654c8f7b at 10.30.65.7 included errno 22: Invalid argument
> Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
> Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL

My knee-jerk reaction is the kernel - we've been testing with some
bleeding-edge patches and features enabled.   I just ran the tests
with the vanilla kernel:
Linux east 5.8.11-200.fc32.x86_64 #1 SMP Wed Sep 23 13:51:28 UTC 2020
x86_64 x86_64 x86_64 GNU/Linux
and they pass.  However, that is still slightly ahead.

> I've downloaded the latest libreswan code, built it and installed it.
>
> Ipsec version:
> root@Ubuntu-1604New-001:~# vi /tmp/pluto.log
> root@Ubuntu-1604New-001:~# ipsec version
> Linux Libreswan v3.30-1834-g8b42ce7-main (netkey) on 5.8.9-050809-generic
> root@Ubuntu-1604New-001:~# uname -a
> Linux Ubuntu-1604New-001 5.8.9-050809-generic #202009120936 SMP Sat Sep 12 13:59:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> root@Ubuntu-1604New-001:~#
>
> Configuration on both the peers:
> peer1:
> config setup
>     protostack=netkey
>     listen-tcp=yes
>     logfile=/tmp/pluto.log
>     logtime=yes
>     logappend=no
>     plutodebug=all
>     dumpdir=/tmp
>
> conn mysubnet
>     enable-tcp=yes
>     tcp-remoteport=4500
>     left=10.30.65.1
>     right=10.30.65.7
>     authby=secret
>     leftsubnet=192.0.2.0/24
>     rightsubnet=192.0.1.0/24
>     type=tunnel
>     auto=add
>     ike=aes256-sha256;modp4096
>
>
> Peer2:
> version 2.0
> config setup
>     protostack=netkey
>     listen-tcp=yes
>     logfile=/tmp/pluto.log
>     logtime=yes
>     logappend=no
>     plutodebug=all
>
> conn mysubnet
>     enable-tcp=yes
>     tcp-remoteport=4500
>     left=10.30.65.7
>     right=10.30.65.1
>     authby=secret
>     leftsubnet=192.0.1.0/24
>     rightsubnet=192.0.2.0/24
>     type=tunnel
>     auto=start
>     ike=aes256-sha256;modp4096
>     phase2alg=aes256-sha256;modp4096
>
> Thanks,
> Mallesh
>
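Andrew's reply above points at the kernel as the first suspect for the `encap_type=0(espintcp)` add-SA request failing with errno 22. The following pre-flight check is an added example, not code from the thread or from libreswan: it verifies that a kernel config carries the options an ESP-in-TCP SA depends on (CONFIG_XFRM, CONFIG_INET_ESP and CONFIG_INET_ESPINTCP, the last available since Linux 5.6), and that the running release is new enough. The kernel config files it reads are constructed samples standing in for `/boot/config-$(uname -r)`.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the kernel
# prerequisites behind "adding xfrm-encap-tmpl ... encap_type=0(espintcp)".
# A kernel built without CONFIG_INET_ESPINTCP cannot install an SA with
# espintcp encapsulation; the XFRM request is refused with EINVAL, which is
# one way to end up with the "errno 22: Invalid argument" pluto logged.
# The config files used below are constructed samples, not a real host's
# /boot/config-$(uname -r).

# Succeeds when every option needed for ESP-in-TCP is built in (y) or
# modular (m); prints the missing ones and fails otherwise.
check_espintcp_config() {
    cfg="$1"
    missing=""
    for opt in CONFIG_XFRM CONFIG_INET_ESP CONFIG_INET_ESPINTCP; do
        grep -Eq "^${opt}=[ym]$" "$cfg" || missing="$missing $opt"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok: espintcp prerequisites present in $cfg"
}

# Succeeds when a "major.minor..." release string (as printed by uname -r)
# is 5.6 or newer, the first mainline kernel that carries espintcp.
kernel_at_least_5_6() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    minor=${minor%%-*}        # tolerate "5.6-rc1"-style minors
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 6 ]; }; then
        return 0
    fi
    return 1
}

# Constructed samples: one config with ESP-in-TCP enabled, one without.
GOOD_CONFIG=$(mktemp)
BAD_CONFIG=$(mktemp)
printf '%s\n' 'CONFIG_XFRM=y' 'CONFIG_INET_ESP=m' 'CONFIG_INET_ESPINTCP=y' > "$GOOD_CONFIG"
printf '%s\n' 'CONFIG_XFRM=y' 'CONFIG_INET_ESP=m' '# CONFIG_INET_ESPINTCP is not set' > "$BAD_CONFIG"

check_espintcp_config "$GOOD_CONFIG"
check_espintcp_config "$BAD_CONFIG" || echo "expect netlink EINVAL when adding an espintcp SA"
kernel_at_least_5_6 "5.8.9-050809-generic" && echo "5.8.9 is new enough for espintcp"
# Against a live host: check_espintcp_config "/boot/config-$(uname -r)"
```

On a distribution kernel the same check applies to `/boot/config-$(uname -r)`; a missing CONFIG_INET_ESPINTCP there means no `listen-tcp=` or `enable-tcp=` setting in ipsec.conf can make the SA install.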

