[Swan] Setting up ike/ipsec tunnel over TCP

M Thotager mallesh.thotager at gmail.com
Tue Oct 6 01:26:20 UTC 2020


Hi Andrew,

Thanks for the input.

I also upgraded to the 5.8.11 kernel:

Linux Ubuntu-1604New-001 5.8.11-050811-generic #202009230858 SMP Wed Sep 23
13:06:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ctuser at Ubuntu-1604New-001:~$

Still, I'm getting the same error:

Oct  5 23:05:02.745044: "mysubnet" #1: ERROR: netlink response for Add SA
esp.cb1fb8fe at 10.30.65.7 included errno 22: Invalid argument

I built and installed the latest libreswan code.

Thanks,
Mallesh

On Wed, Sep 30, 2020 at 5:36 PM Andrew Cagney <andrew.cagney at gmail.com>
wrote:

> On Wed, 30 Sep 2020 at 00:58, M Thotager <mallesh.thotager at gmail.com>
> wrote:
> >
> >   Hi Team,
> >
> > I'm trying to set up IPsec over TCP (on Ubuntu, kernel version 5.8.9),
> but IPsec SA creation is failing with the below reason.
> > I referred to the available test scripts for TCP (in the git repository).
> Could you please check and let me know if I'm missing anything?
> >
> > Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
> > Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
> > Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32
> using old-style req
> > Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa
> encap_type=0(espintcp) sport=4500 dport=48792
> > Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
> > Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add
> SA esp.654c8f7b at 10.30.65.7 included errno 22: Invalid argument
> > Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
> > Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL
>
> My knee-jerk reaction is the kernel; we've been testing with some
> bleeding-edge patches and features enabled. I just ran the tests
> with the vanilla kernel:
> Linux east 5.8.11-200.fc32.x86_64 #1 SMP Wed Sep 23 13:51:28 UTC 2020
> x86_64 x86_64 x86_64 GNU/Linux
> and they pass. However, that is still slightly ahead.
>
> > I've downloaded the latest libreswan code, built and installed it.
> >
> > Ipsec version:
> > root at Ubuntu-1604New-001:~# vi /tmp/pluto.log
> > root at Ubuntu-1604New-001:~# ipsec version
> > Linux Libreswan v3.30-1834-g8b42ce7-main (netkey) on 5.8.9-050809-generic
> > root at Ubuntu-1604New-001:~# uname -a
> > Linux Ubuntu-1604New-001 5.8.9-050809-generic #202009120936 SMP Sat Sep
> 12 13:59:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> > root at Ubuntu-1604New-001:~#
> >
> > Configuration on both the peers:
> > peer1:
> > config setup
> >     protostack=netkey
> >     listen-tcp=yes
> >     logfile=/tmp/pluto.log
> >     logtime=yes
> >     logappend=no
> >     plutodebug=all
> >     dumpdir=/tmp
> >
> > conn mysubnet
> >      enable-tcp=yes
> >      tcp-remoteport=4500
> >      left=10.30.65.1
> >      right=10.30.65.7
> >      authby=secret
> >      leftsubnet=192.0.2.0/24
> >      rightsubnet=192.0.1.0/24
> >      type=tunnel
> >      auto=add
> >      ike=aes256-sha256;modp4096
> >
> >
> > Peer2:
> > version 2.0
> > config setup
> >     protostack=netkey
> >     listen-tcp=yes
> >     logfile=/tmp/pluto.log
> >     logtime=yes
> >     logappend=no
> >     plutodebug=all
> >
> > conn mysubnet
> >      enable-tcp=yes
> >      tcp-remoteport=4500
> >      left=10.30.65.7
> >      right=10.30.65.1
> >      authby=secret
> >      leftsubnet=192.0.1.0/24
> >      rightsubnet=192.0.2.0/24
> >      type=tunnel
> >      auto=start
> >      ike=aes256-sha256;modp4096
> >      phase2alg=aes256-sha256;modp4096
> >
> > Thanks,
> > Mallesh
> >
> > _______________________________________________
> > Swan mailing list
> > Swan at lists.libreswan.org
> > https://lists.libreswan.org/mailman/listinfo/swan
>
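The thread points at the kernel as the likely cause of the espintcp "Add SA ... errno 22" failure. Below is an added diagnostic (not code from the thread or from libreswan) that checks whether the running kernel config enables CONFIG_INET_ESPINTCP, the option ESP-in-TCP depends on, and counts Add SA EINVAL errors in pluto.log that directly follow an espintcp encap template. The config path, the sample log lines and the sample config files are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic; not from the thread or libreswan. Checks kernel espintcp
# support and correlates it with the "Add SA ... errno 22" lines in pluto.log.

# Return 0 if the kernel config file enables CONFIG_INET_ESPINTCP.
# Usage: kernel_has_espintcp /boot/config-$(uname -r)
kernel_has_espintcp() {
    grep -q '^CONFIG_INET_ESPINTCP=[ym]$' "$1"
}

# Count Add SA failures (errno 22) whose preceding encap template was espintcp.
# Usage: espintcp_addsa_failures /tmp/pluto.log
espintcp_addsa_failures() {
    awk '
        /adding xfrm-encap-tmpl/ { pending = /\(espintcp\)/; next }
        /netlink response for Add SA/ {
            if (pending && /errno 22/) n++
            pending = 0
        }
        END { print n + 0 }
    ' "$1"
}

# Print a one-line verdict combining both checks.
# Usage: espintcp_report /boot/config-$(uname -r) /tmp/pluto.log
espintcp_report() {
    fails=$(espintcp_addsa_failures "$2")
    if kernel_has_espintcp "$1"; then
        echo "CONFIG_INET_ESPINTCP=y; espintcp Add SA EINVAL failures in log: $fails"
    else
        echo "CONFIG_INET_ESPINTCP not set; espintcp Add SA EINVAL failures in log: $fails"
    fi
}

# Constructed sample inputs (modelled on the log lines quoted in the thread),
# so the checks can be exercised offline. Prints the directory they live in.
make_samples() {
    dir=$(mktemp -d)
    printf 'CONFIG_XFRM_USER=y\nCONFIG_INET_ESPINTCP=y\n' > "$dir/config-espintcp"
    printf 'CONFIG_XFRM_USER=y\n# CONFIG_INET_ESPINTCP is not set\n' > "$dir/config-noespintcp"
    cat <<'EOF' > "$dir/pluto.log"
Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA esp.654c8f7b at 10.30.65.7 included errno 22: Invalid argument
Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
EOF
    echo "$dir"
}
```

On a real host, run `espintcp_report /boot/config-$(uname -r) /tmp/pluto.log`; a "not set" verdict together with a non-zero failure count means the SA is being rejected before any IKE or policy setting matters.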