[strongSwan] Re: About the problem of received netlink error: Resource temporarily unavailable
Hi Martin,

My kernel version is 2.6.28 and I have patched with the patch you gave me before, and I also got the following error messages:

kernel_netlink_shared.c:241:Resource temporarily unavailable-93: received netlink error
kernel_netlink_ipsec.c:1162:c3fddd90: unable to add SAD entry with SPI
kernel_netlink_shared.c:241:Resource temporarily unavailable-93: received netlink error
kernel_netlink_ipsec.c:1162:cc1ac880: unable to add SAD entry with SPI
sa/tasks/child_create.c:476:inbound :and :outbound : unable to install IPsec SA(SAD) in kernel

Is it the same as the old one or is it a new problem? Please help me check, thanks.

Best Regards,
David

-----Original Message-----
From: Martin Willi [mailto:mar...@strongswan.org]
Sent: 25 August 2009 17:09
To: weiping deng
Subject: Re: About the problem of received netlink error: protocol not supported (93)

Hi,

> Is this patch applied to the strongswan4.3.1 and above version?

No, it is a workaround, but not the clean solution (it breaks mixed v4/6 tunnels).

> Or can you give me the patch?

Attached. The issue has been fixed in the kernel with 2.6.29. For older kernels, apply http://kerneltrap.org/mailarchive/linux-netdev/2008/11/25/4231304

Regards
Martin

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] Working with Different SAs with same src-dst IP but different Port
Hi,

We are in a very critical state of our project. Please find time to respond to the issue below. It would be of great help to us.

Thanks in advance,
Ritu

On 9/16/09, vivek bairathi bairathi.vi...@gmail.com wrote:

> Hi,
>
> We have the requirement that traffic between the same source-destination IPs but different source-destination ports is channeled through different security associations:
>
> Connection  Tunnel IP  Src IP   Dst IP   Src Port  Dst Port  SA Ptr
> 1           a.a.a.a    1.1.1.1  2.2.2.2  100       100       1
> 2           b.b.b.b    1.1.1.1  2.2.2.2  200       200       2
>
> With the above configuration, if we bring up Connection 1 a new policy is created with tunnel IP a.a.a.a. On bringing up Connection 2, the ref count of the previous policy is incremented in the stack and the policy in the kernel is updated, the tunnel IP now being b.b.b.b.
>
> The increasing reference count indicates that only a single SPD is used for both SAs. If our understanding is correct, then what is the use of creating 2 separate SAs? As per our understanding 2 different policies should be created, so that the traffic coming from different ports can be protected using the two different SAs that have been created.
>
> Can our requirement of channelising traffic between the same IPs but different ports into two separate SAs be achieved somehow using charon?
>
> Please find attached the ipsec.conf files and the log files for your reference.
[strongSwan] _updown is not called
Hi,

I am using a preshared key instead of a certificate to set up an IPsec tunnel. After the tunnel is set up successfully, I found the _updown script is not called. Using the test case http://www.strongswan.org/uml/testresults43/ikev2/virtual-ip-override/, the _updown can be called. I want to get the inner virtual IP and write it to a tmp file so that my application can read it, so I am curious why it is not called. Is it related to the preshared key?

Thanks,
Roger
Re: [strongSwan] _updown is not called
Hello Roger,

the IKEv2 charon daemon configures virtual IPs directly using the RT_NETLINK kernel interface, whereas the IKEv1 pluto daemon does in fact use the _updown script to install virtual IP addresses. With IKEv2 you can either use the standard leftfirewall=yes, which calls the _updown script which in turn installs a set of iptables firewall rules, or in your case you can define leftupdown=path to my script, which will call a script where you can execute any actions that you like.

Best regards

Andreas

Zhang, Long (Roger) wrote:

> Hi,
>
> I am using a preshared key instead of a certificate to set up an IPsec tunnel. After the tunnel is set up successfully, I found the _updown script is not called. Using the test case http://www.strongswan.org/uml/testresults43/ikev2/virtual-ip-override/, the _updown can be called. I want to get the inner virtual IP and write it to a tmp file so that my application can read it, so I am curious why it is not called. Is it related to the preshared key?
>
> Thanks,
> Roger

Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
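A minimal script of the kind Andreas describes for leftupdown=, added here as an example and not taken from the thread or from strongSwan's own _updown: it records the virtual IP charon assigned to the connection in a file an application can read, which is what Roger is after, and removes the file when the tunnel goes down. It relies on the PLUTO_VERB, PLUTO_CONNECTION and PLUTO_MY_SOURCEIP environment variables charon exports to updown scripts; the STATE_DIR location is an assumption of the example.

```shell
#!/bin/sh
# Added example, not the strongSwan _updown script: a leftupdown= handler for charon
# that records a connection's virtual IP in a file and removes it on tunnel teardown.
# charon exports the tunnel parameters as PLUTO_* environment variables before calling
# the script; used here: PLUTO_VERB (up-client, down-client, ...), PLUTO_CONNECTION
# (connection name) and PLUTO_MY_SOURCEIP (our virtual IP, empty/unset if none).
# STATE_DIR is an assumption of this example, not a strongSwan setting.

STATE_DIR="${STATE_DIR:-/var/run/ipsec-vip}"

# vip_file CONN -> path of the file holding CONN's virtual IP
vip_file() {
    # connection names are user-chosen: map anything unsafe for a file name to '_'
    printf '%s/%s.vip\n' "$STATE_DIR" "$(printf '%s' "$1" | sed 's/[^A-Za-z0-9_.-]/_/g')"
}

# handle_updown VERB CONN VIP -> writes CONN's record on up-*, removes it on down-*
handle_updown() {
    verb=$1 conn=$2 vip=$3
    file=$(vip_file "$conn")
    case "$verb" in
        up-client|up-host)
            # no virtual IP assigned (e.g. plain site-to-site tunnel): nothing to record
            [ -n "$vip" ] || return 0
            mkdir -p "$STATE_DIR"
            # write to a temp file and rename so a reader never sees a half-written file
            printf '%s\n' "$vip" > "$file.tmp" && mv "$file.tmp" "$file"
            ;;
        down-client|down-host)
            rm -f "$file" "$file.tmp"
            ;;
        *)
            # other verbs (e.g. the *-v6 variants) are not handled by this example
            return 0
            ;;
    esac
}

# When invoked by charon (PLUTO_VERB set), act on the exported variables; when the
# file is only sourced, just the functions above are defined.
if [ -n "${PLUTO_VERB:-}" ]; then
    handle_updown "$PLUTO_VERB" "${PLUTO_CONNECTION:-}" "${PLUTO_MY_SOURCEIP:-}"
fi
```

The application then reads a single line containing the virtual IP from STATE_DIR/<connection>.vip while the CHILD_SA is up, and sees no file once it is down.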
Re: [strongSwan] a particular ``no trusted third party'' setup with X.509
Dimitrios Siganos dimitris... writes:

> [...]
>> * when there is no trusted third party to serve as the CA to sign the certificates for the hosts belonging to the sites, each of the sites should sign the certificates used by the hosts of the other site to connect to the hosts of this site (i. e., each of the sites effectively becomes a CA)?
> [...]
>
> Oops. I fell into the trap of thinking small scale. If you are talking about large scale installations then your way is probably recommended.

Actually, I don't know whether the installation's going to be small or large at this moment. But if there are no known issues with the arrangement above, I'll prefer doing it that way, as it scales better.

Thanks.

[...]

--
FSF associate member #7257