Hi,
I am trying to set up an IPsec tunnel on a Linux machine with kernel
(3.0.101-0.15) with extended sequence numbers, but it seems Linux rejects the
XFRM_MSG_UPDSA because ESN is on.
It works fine with ESN off. Has anyone seen this problem?
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> received proposals: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ/NO_EXT_SEQ
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> configured proposals: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/3DES_CBC/BLOWFISH_CBC_256/HMAC_SHA1_96/AES_XCBC_96/HMAC_MD5_96/NO_EXT_SEQ
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selected proposal: ESP:AES_CBC_128/HMAC_MD5_96/EXT_SEQ
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> getting SPI for reqid {2}
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> got SPI c489df14 for reqid {2}
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selecting traffic selectors for us:
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> config: 10.91.154.0/28, received: 0.0.0.0/0 => match: 10.91.154.0/28
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> selecting traffic selectors for other:
Dec 27 17:43:43 14[CFG] <dut-STP_H54|2> config: 10.91.54.66/32, received: 10.91.54.66/32 => match: 10.91.54.66/32
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> using AES_CBC for encryption
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> using HMAC_MD5_96 for integrity
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding inbound ESP SA
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> SPI 0xc489df14, src 10.91.54.82 dst 10.91.54.85
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI c489df14 and reqid {2} (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI c489df14
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> adding outbound ESP SA
Dec 27 17:43:43 14[CHD] <dut-STP_H54|2> SPI 0x393bf12c, src 10.91.54.85 dst 10.91.54.82
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> adding SAD entry with SPI 393bf12c and reqid {2} (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using encryption algorithm AES_CBC with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using integrity algorithm HMAC_MD5_96 with key size 128
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using replay window of 32 packets
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> using extended sequence numbers (ESN)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> received netlink error: No such file or directory (2)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> unable to add SAD entry with SPI 393bf12c
Dec 27 17:43:43 14[IKE] <dut-STP_H54|2> unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type NOTIFY to message
Dec 27 17:43:43 14[IKE] <dut-STP_H54|2> failed to establish CHILD_SA, keeping IKE_SA
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleting SAD entry with SPI c489df14 (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleted SAD entry with SPI c489df14 (mark 0/0x00000000)
Dec 27 17:43:43 14[KNL] <dut-STP_H54|2> deleting SAD entry with SPI 393bf12c (mark 0/0x00000000)
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type ID_RESPONDER to message
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type AUTHENTICATION to message
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> added payload of type NOTIFY to message
Dec 27 17:43:43 14[ENC] <dut-STP_H54|2> generating IKE_AUTH response 1 [ IDr AUTH N(NO_PROP) ]
Contents of ipsec.conf
==================
rth15:/boot # cat /usr/local/etc/ipsec.conf
conn %default
        ikelifetime=1440m
        lifetime=1440m
        margintime=4320s
        reauth=no
        rekey=yes
        rekeyfuzz=0%

conn dut-STP_H54
        ike=aes128-aesxcbc-aesxcbc-modp1024
        esp=aes128-md5-esn-noesn
        authby=secret
        left=10.91.54.85
        leftsubnet=10.91.154.0/28
        leftfirewall=yes
        right=10.91.54.82
        rightsubnet=10.91.54.66/32
        dpdaction=clear
        dpddelay=0s
        auto=add
rth15:/usr/local/etc # uname -a
Linux rth15 3.0.101-0.15-xen #1 SMP Wed Jan 22 15:49:03 UTC 2014 (5c01f4e) i686 i686 i386 GNU/Linux
BR,
/Sriram
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
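The parameters the kernel refused above (a 32-packet replay window, extended sequence numbers, HMAC_MD5_96 for integrity) are exactly the receiver-side state that RFC 4303 Appendix A describes. The model below, an added example that is not part of the original post, of strongSwan or of the Linux kernel, shows what ESN changes on the receive path: only the low 32 bits of the sequence number travel in the ESP header, the receiver infers the high 32 bits from the position of its anti-replay window (RFC 4303 A2.2), and those inferred bits are appended to the data covered by the ICV (RFC 4303 section 2.2.1). The ESP packet layout is simplified (SPI, sequence number, payload, ICV; no IV, padding or next-header byte), and the key, SPI and payload are constructed for the example. The last case also shows why EXT_SEQ and NO_EXT_SEQ must agree on both peers: a sender that does not use ESN produces an ICV the ESN receiver cannot verify.

```python
"""ESP receive side with Extended Sequence Numbers, after RFC 4303 Appendix A.

Added example; not strongSwan or kernel code. Packet format is simplified and
the key, SPI and payload below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

SEQ_MASK = 0xFFFFFFFF   # only the low 32 bits of the sequence number are sent
ICV_LEN = 12            # HMAC-MD5-96: 16-byte MAC truncated to 96 bits


def esp_icv(key, esp_data, seq_hi):
    """HMAC-MD5-96 over SPI+seq+payload; with ESN the high-order 32 bits are
    appended to the authenticated data but never put on the wire."""
    covered = esp_data if seq_hi is None else esp_data + struct.pack("!I", seq_hi)
    return hmac.new(key, covered, hashlib.md5).digest()[:ICV_LEN]


def esp_packet(key, spi, seq64, payload, esn):
    """Sender: header carries seq64 & SEQ_MASK; Seqh enters only the ICV."""
    header = struct.pack("!II", spi, seq64 & SEQ_MASK)
    seq_hi = (seq64 >> 32) if esn else None
    return header + payload + esp_icv(key, header + payload, seq_hi)


class EsnReceiver:
    """Inbound-SA state: top of window T (64-bit) and a bitmap of seen packets."""

    def __init__(self, key, window=32):
        self.key = key
        self.window = window
        self.top = 0       # highest 64-bit sequence number accepted so far
        self.bitmap = 0    # bit i set <=> sequence number top-i was accepted

    def guess_seq_hi(self, seq_lo):
        """RFC 4303 A2.2: infer Seqh from where the window sits (unsigned 32-bit
        arithmetic, as the kernel does it)."""
        top_lo, top_hi = self.top & SEQ_MASK, self.top >> 32
        bottom_lo = (top_lo - self.window + 1) & SEQ_MASK
        if top_lo >= self.window - 1:
            # Case A: the window lies inside one 2^32 subspace
            return top_hi if seq_lo >= bottom_lo else (top_hi + 1) & SEQ_MASK
        # Case B: the window straddles a 32-bit wrap
        return (top_hi - 1) & SEQ_MASK if seq_lo >= bottom_lo else top_hi

    def receive(self, packet):
        _spi, seq_lo = struct.unpack("!II", packet[:8])
        esp_data, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        seq_hi = self.guess_seq_hi(seq_lo)
        seq64 = (seq_hi << 32) | seq_lo
        # ICV first: a wrong Seqh estimate, or a peer that did not use ESN, fails here
        if not hmac.compare_digest(icv, esp_icv(self.key, esp_data, seq_hi)):
            return "drop: ICV mismatch"
        if seq64 > self.top:                      # new high-water mark: slide the window
            shift = seq64 - self.top
            if shift >= self.window:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.window) - 1)
            self.top = seq64
            return "accept"
        age = self.top - seq64
        if age >= self.window:                    # guard; the Seqh estimate keeps packets in/above the window
            return "drop: below replay window"
        if self.bitmap & (1 << age):
            return "drop: replay"
        self.bitmap |= 1 << age
        return "accept"


def demo():
    """Drive one SA across the 32-bit boundary; returns the receiver's verdicts."""
    key = b"constructed-key-"          # 16 bytes, HMAC_MD5_96 key size 128 as in the log
    spi = 0xC489DF14                   # SPI value taken from the log above
    rx = EsnReceiver(key, window=32)
    warmup = [rx.receive(esp_packet(key, spi, s, b"data", esn=True)) for s in range(1, 36)]
    # Packets were lost in between; the sender's counter is now at the wrap.
    across = [rx.receive(esp_packet(key, spi, s, b"data", esn=True))
              for s in (0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF, 0x1_00000000, 0x1_00000001)]
    return {
        "warmup_all_accepted": all(v == "accept" for v in warmup),
        "across_wrap": across,
        "replay_after_wrap": rx.receive(esp_packet(key, spi, 0x1_00000000, b"data", esn=True)),
        "replay_before_wrap": rx.receive(esp_packet(key, spi, 0xFFFFFFFF, b"data", esn=True)),
        "peer_without_esn": rx.receive(esp_packet(key, spi, 0x1_00000002, b"data", esn=False)),
        "window_top": rx.top,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

Two details are worth noticing when reading the verdicts. The replay of 0xFFFFFFFF is caught even though the window has already moved past the wrap, because the Seqh estimate maps that low value back into the previous subspace where the bitmap still remembers it. And the non-ESN peer's packet is dropped as an ICV failure rather than as a sequence-number problem: nothing in the header says whether ESN was used, so an EXT_SEQ/NO_EXT_SEQ disagreement surfaces only as authentication failures on every packet.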