[strongSwan] 5.0.1 unable to set UDP_ENCAP: Protocol not available
Hello, all

I was trying to set up an IPv6 tunnel with strongSwan as the client. strongSwan sent the IKE_SA_INIT to my SGW and the SGW properly responded. A Wireshark capture indicated that the IKE_SA_INIT response was received on the network interface that strongSwan was listening on; however, the packet (IKE_SA_INIT response) was not handed over to charon. Instead, the packet was answered with an ICMPv6 Unreachable (Administratively prohibited). Any idea why the Linux kernel would fail to deliver the packet to charon?

Examining the charon logs, I found the following errors:

    charon: 00[KNL] unable to set UDP_ENCAP: Protocol not available
    charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed

Do those errors have anything to do with the failure to set up IPv6 tunnels? I am currently running strongSwan 5.0.1.

The IPv6 connection is:

    conn ipv6_cert
        left=1080::192:160:1:100
        leftsourceip=%config
        leftcert=ss.cert
        leftauth=pubkey
        leftsubnet=1080::6:0:0/112
        leftfirewall=yes
        rightfirewall=yes
        right=1080::192:160:1:10
        rightsubnet=1080::15:15:15:0/112
        rightauth=pubkey
        auto=add
        esp=aes-sha1-md5-modp1024
        ike=3des-aes-sha1-md5-modp1024

Thanks for your help
Nan

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
[strongSwan] unable to install source route for IPv6
Hello, Andreas, hello all

I am trying to bring up an IPv6 tunnel between my SeGW and a strongSwan client running on Linux. The tunnel was able to be set up; however, strongSwan failed to install the route for the virtual endpoint IP (assigned by the SeGW). Thus I was not able to pass data over the tunnel. When I tried to ping6 over the tunnel, ping6 returned: ping: sendmsg: Network is unreachable. I wonder if you have run into this issue before or know how to fix this.

Thanks very much
Nan

The strongSwan trace and my connection configuration are as follows:

strongSwan traces:

    ...
    sending packet: from 1080::ac10:202[4500] to 1080::ac10:102[4500]
    received packet: from 1080::ac10:102[4500] to 1080::ac10:202[4500]
    parsed IKE_AUTH response 5 [ AUTH CP(ADDR6) SA TSi TSr ]
    authentication of '1080::ac10:102' with EAP successful
    IKE_SA ipv6_sim[4] established between 1080::ac10:202[1080::ac10:202]...1080::ac10:102[1080::ac10:102]
    scheduling rekeying in 9998s
    maximum IKE_SA lifetime 10538s
    installing new virtual IP 1080::abcd:0:2
    received netlink error: Invalid argument (22)
    unable to install source route for 1080::abcd:0:2
    received netlink error: Invalid argument (22)
    unable to install source route for 1080::abcd:0:2

    conn ipv6_sim
        left=1080::ac10:202
        leftsourceip=%config
        leftfirewall=no
        leftauth=eap
        eap=sim
        eap_identity=1234567
        leftsubnet=1080::abcd:0:0/112
        right=1080::ac10:102
        rightsubnet=1172::ac10:191/112
        rightauth=psk
        auto=add
        esp=3des-aes-sha1-md5-modp1024
        ike=3des-aes-sha1-md5-modp1024
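The two failures quoted on this page (the UDP_ENCAP/decapsulation errors in the 5.0.1 message and the netlink/source-route errors in this one) are easiest to spot when the charon log is triaged mechanically. The following Python script is an added example, not strongSwan code: it parses both the syslog form (charon: 00[KNL] ...) and the bare trace form, pulls out packet endpoints, virtual IPs and netlink errors, and flags the signatures that leave an IKE_SA up but unusable. The sample log is constructed from the lines in these two messages, and the reading attached to each signature is this example's own interpretation, not a strongSwan diagnosis.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the lines quoted in the two charon logs on this page
# (UDP_ENCAP failure and the netlink/source-route failure) merged into one file.
SAMPLE_LOG = """\
charon: 00[KNL] unable to set UDP_ENCAP: Protocol not available
charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
sending packet: from 1080::ac10:202[4500] to 1080::ac10:102[4500]
received packet: from 1080::ac10:102[4500] to 1080::ac10:202[4500]
parsed IKE_AUTH response 5 [ AUTH CP(ADDR6) SA TSi TSr ]
authentication of '1080::ac10:102' with EAP successful
IKE_SA ipv6_sim[4] established between 1080::ac10:202[1080::ac10:202]...1080::ac10:102[1080::ac10:102]
installing new virtual IP 1080::abcd:0:2
received netlink error: Invalid argument (22)
unable to install source route for 1080::abcd:0:2
received netlink error: Invalid argument (22)
unable to install source route for 1080::abcd:0:2
"""

# "charon: 00[KNL] msg" (syslog) and bare "msg" (strongSwan trace) both match
LINE_RE = re.compile(r"^(?:charon:\s*)?(?:(?P<thread>\d+)\[(?P<tag>[A-Z]+)\]\s*)?(?P<msg>.*)$")
PKT_RE = re.compile(r"^(?P<dir>sending|received) packet: from (?P<src>\S+)\[(?P<sport>\d+)\] to (?P<dst>\S+)\[(?P<dport>\d+)\]")
VIP_RE = re.compile(r"^installing new virtual IP (?P<ip>\S+)")
NETLINK_RE = re.compile(r"^received netlink error: (?P<text>.+?) \((?P<errno>\d+)\)")

# Message prefixes after which the tunnel will not carry traffic even if the
# IKE_SA comes up; the readings are this example's assumptions, not charon's
FAILURE_SIGNATURES = {
    "unable to set UDP_ENCAP": "kernel refused ESP-in-UDP on the socket",
    "enabling UDP decapsulation": "NAT-T decapsulation is not active on that port",
    "unable to install source route": "virtual IP is unrouted; traffic cannot enter the tunnel",
}


@dataclass
class Triage:
    packets: list = field(default_factory=list)         # (dir, src, sport, dst, dport)
    virtual_ips: list = field(default_factory=list)
    netlink_errors: list = field(default_factory=list)  # (text, errno)
    failures: list = field(default_factory=list)        # (tag, msg, reading)
    established: bool = False


def parse_line(raw):
    """Split one charon log line into (subsystem tag or None, message)."""
    m = LINE_RE.match(raw.strip())
    return m.group("tag"), m.group("msg")


def triage(log_text):
    """Walk a charon log and collect the facts that explain a dead tunnel."""
    t = Triage()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        tag, msg = parse_line(raw)
        if m := PKT_RE.match(msg):
            t.packets.append((m["dir"], m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
        elif m := VIP_RE.match(msg):
            t.virtual_ips.append(m["ip"])
        elif m := NETLINK_RE.match(msg):
            t.netlink_errors.append((m["text"], int(m["errno"])))
        elif " established between " in msg:
            t.established = True
        for sig, reading in FAILURE_SIGNATURES.items():
            if msg.startswith(sig):
                t.failures.append((tag, msg, reading))
    return t


def verdict(t):
    """One-line summary: an IKE_SA that is up but unusable is still a failure."""
    if t.failures:
        return f"IKE_SA {'up' if t.established else 'down'}, {len(t.failures)} blocking error(s)"
    return "no blocking errors"


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(verdict(result))
    for tag, msg, reading in result.failures:
        print(f"  [{tag or '-'}] {msg}  ->  {reading}")
```

The point of keeping the netlink errno and the virtual IP together is that "Invalid argument (22)" on its own says nothing; paired with the address the kernel rejected it tells you which route request to reproduce with ip -6 route by hand.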
[strongSwan] R_U_THERE_ACK has invalid SPI length (16)
Hi,

I have seen this error in the pluto debug log (secure) when testing DPD against my SeGW, and I wonder what this error really means. Per RFC 3706, the SPI length should be set to 16 in the R_U_THERE/R_U_THERE_ACK messages. So does this error mean something else is wrong in the R_U_THERE_ACK sent by my SeGW? strongSwan sent a MALFORMED-PAYLOAD back to my SeGW after printing out this error.

Thanks for your help
Nan
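To see what a DPD receiver has to check, here is an added Python example (not strongSwan or pluto code) that encodes and validates an R_U_THERE / R_U_THERE_ACK notification as RFC 3706 section 5.1 lays it out over the RFC 2408 notification payload: protocol ID 1 (ISAKMP), SPI size 16 carrying both ISAKMP cookies, and a 32-bit sequence number as notification data. The cookies and sequence number below are constructed values. A receiver applying these checks rejects an ACK whose SPI size field disagrees with the bytes actually present, or whose cookies or sequence number do not match the R_U_THERE it sent.

```python
import struct

# Values from RFC 2408 (ISAKMP notification payload) and RFC 3706 (DPD)
IPSEC_DOI = 1
PROTO_ISAKMP = 1
R_U_THERE = 36136
R_U_THERE_ACK = 36137
DPD_SPI_SIZE = 16   # initiator cookie (8) + responder cookie (8)
DPD_DATA_SIZE = 4   # 32-bit sequence number

# next payload, reserved, payload length, DOI, protocol ID, SPI size, notify type
NOTIFY_HDR = struct.Struct("!BBHIBBH")


class MalformedNotify(ValueError):
    pass


def build_dpd_notify(msg_type, icookie, rcookie, seq, next_payload=0):
    """Encode an R_U_THERE or R_U_THERE_ACK exactly as RFC 3706 section 5.1 lays it out."""
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not a DPD notify type")
    if len(icookie) != 8 or len(rcookie) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    spi = icookie + rcookie
    data = struct.pack("!I", seq)
    length = NOTIFY_HDR.size + len(spi) + len(data)
    hdr = NOTIFY_HDR.pack(next_payload, 0, length, IPSEC_DOI, PROTO_ISAKMP, len(spi), msg_type)
    return hdr + spi + data


def parse_dpd_notify(payload):
    """Decode and check a DPD notify; raise MalformedNotify on any inconsistency."""
    if len(payload) < NOTIFY_HDR.size:
        raise MalformedNotify("truncated notification header")
    _next, _res, length, doi, proto, spi_size, msg_type = NOTIFY_HDR.unpack_from(payload)
    if length != len(payload):
        raise MalformedNotify(f"payload length field {length} != {len(payload)} bytes present")
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise MalformedNotify(f"notify type {msg_type} is not R_U_THERE/R_U_THERE_ACK")
    if doi != IPSEC_DOI or proto != PROTO_ISAKMP:
        raise MalformedNotify(f"DPD needs DOI {IPSEC_DOI} and protocol ID {PROTO_ISAKMP}")
    if spi_size != DPD_SPI_SIZE:
        raise MalformedNotify(f"invalid SPI length ({spi_size}), DPD requires {DPD_SPI_SIZE}")
    spi = payload[NOTIFY_HDR.size:NOTIFY_HDR.size + spi_size]
    data = payload[NOTIFY_HDR.size + spi_size:]
    if len(spi) != spi_size or len(data) != DPD_DATA_SIZE:
        raise MalformedNotify(f"SPI/data sizes ({len(spi)}/{len(data)}) do not fit the header")
    return {"type": msg_type, "icookie": spi[:8], "rcookie": spi[8:],
            "seq": struct.unpack("!I", data)[0]}


def validate(payload):
    """Return None when the payload is well formed, else the reason it is not."""
    try:
        parse_dpd_notify(payload)
    except MalformedNotify as e:
        return str(e)
    return None


def is_matching_ack(ack, icookie, rcookie, expected_seq):
    """What the R_U_THERE sender checks before accepting an ACK as proof of life."""
    n = parse_dpd_notify(ack)
    return (n["type"] == R_U_THERE_ACK and n["icookie"] == icookie
            and n["rcookie"] == rcookie and n["seq"] == expected_seq)


if __name__ == "__main__":
    # Constructed cookies and sequence number for the demonstration
    ic, rc = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    ack = build_dpd_notify(R_U_THERE_ACK, ic, rc, 42)
    print(ack.hex(), validate(ack), is_matching_ack(ack, ic, rc, 42))
    # Same header, but only 8 SPI bytes actually present: rejected
    bad = ack[:NOTIFY_HDR.size] + ack[NOTIFY_HDR.size:NOTIFY_HDR.size + 8] + ack[-4:]
    print(validate(bad))
```

Note that the length checks run before the cookie comparison: a payload whose SPI size field does not match the bytes on the wire is rejected as malformed regardless of its content, which is the class of error a MALFORMED-PAYLOAD reply signals.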
[strongSwan] Question on sending INTERNAL_IP4_SUBNET in CFG
Hi,

Can strongSwan (as client) send INTERNAL_IP4_SUBNET in the Configuration Payload? How do I configure it?

Thanks very much for your help
Nan

--- On Fri, 6/24/11, Nan Luo harvana2...@yahoo.com wrote:

> From: Nan Luo harvana2...@yahoo.com
> Subject: [strongSwan] Question on sending INTERNAL_IP4_DNS in CFG
> To: users@lists.strongswan.org
> Date: Friday, June 24, 2011, 3:11 PM
>
> Hi,
>
> I am testing a SeGW with strongSwan as the client. I am trying to have strongSwan send multiple attributes (INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS) in the Configuration payload to my SeGW, but strongSwan always includes only one attribute (INTERNAL_IP4_ADDRESS). Is there any configuration I am missing here? I remember strongSwan used to be able to send multiple. I am using strongSwan 4.5.0
>
> Thanks a lot for your help
[strongSwan] Question on sending INTERNAL_IP4_DNS in CFG
Hi,

I am testing a SeGW with strongSwan as the client. I am trying to have strongSwan send multiple attributes (INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS) in the Configuration payload to my SeGW, but strongSwan always includes only one attribute (INTERNAL_IP4_ADDRESS). Is there any configuration I am missing here? I remember strongSwan used to be able to send multiple. I am using strongSwan 4.5.0

Thanks a lot for your help
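Both CFG questions on this page (INTERNAL_IP4_DNS here and INTERNAL_IP4_SUBNET in the follow-up) come down to what a Configuration payload with several attributes looks like on the wire. The following Python is an added example; it is not strongSwan code and says nothing about what any strongSwan version actually sends. It encodes a CFG_REQUEST carrying INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS and INTERNAL_IP4_SUBNET with empty values, and a CFG_REPLY that answers only what was asked, using the RFC 7296 section 3.15 layout (the attribute numbers are the IANA-registered ones; the pool address, DNS server and subnet are constructed values, and requesting INTERNAL_IP4_SUBNET with an empty value is this example's choice).

```python
import ipaddress
import struct

# RFC 7296 section 3.15: Configuration payload types and attribute numbers
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS = 1
INTERNAL_IP4_DNS = 3
INTERNAL_IP6_ADDRESS = 8
INTERNAL_IP4_SUBNET = 13
ATTR_NAMES = {1: "INTERNAL_IP4_ADDRESS", 3: "INTERNAL_IP4_DNS",
              8: "INTERNAL_IP6_ADDRESS", 13: "INTERNAL_IP4_SUBNET"}


def encode_cp(cfg_type, attrs, next_payload=0):
    """attrs: list of (type, value bytes). Generic header, CFG type + 3 reserved, then attributes.
    An attribute with an empty value in a CFG_REQUEST asks the gateway to pick the value."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    body = struct.pack("!B3x", cfg_type) + body
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def decode_cp(payload):
    """Return (cfg_type, [(type, value), ...]); every attribute must fit inside the payload."""
    _next, _crit, length = struct.unpack_from("!BBH", payload)
    if length != len(payload):
        raise ValueError("payload length mismatch")
    cfg_type = payload[4]
    attrs, off = [], 8
    while off < length:
        t, alen = struct.unpack_from("!HH", payload, off)
        t &= 0x7FFF          # clear the reserved R bit
        off += 4
        v = payload[off:off + alen]
        if len(v) != alen:
            raise ValueError("attribute runs past the payload")
        attrs.append((t, v))
        off += alen
    return cfg_type, attrs


def client_request(want_dns=True, want_subnet=True):
    """The multi-attribute CFG_REQUEST a client puts into IKE_AUTH: every value is empty."""
    attrs = [(INTERNAL_IP4_ADDRESS, b"")]
    if want_dns:
        attrs.append((INTERNAL_IP4_DNS, b""))
    if want_subnet:
        attrs.append((INTERNAL_IP4_SUBNET, b""))
    return encode_cp(CFG_REQUEST, attrs)


def gateway_reply(request, pool_ip, dns, subnet):
    """Answer only the attributes that were requested, in the value formats RFC 7296 prescribes."""
    cfg_type, asked = decode_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("not a CFG_REQUEST")
    asked_types = {t for t, _ in asked}
    reply = []
    if INTERNAL_IP4_ADDRESS in asked_types:
        reply.append((INTERNAL_IP4_ADDRESS, ipaddress.IPv4Address(pool_ip).packed))
    if INTERNAL_IP4_DNS in asked_types:
        reply.append((INTERNAL_IP4_DNS, ipaddress.IPv4Address(dns).packed))
    if INTERNAL_IP4_SUBNET in asked_types:
        net = ipaddress.IPv4Network(subnet)
        # INTERNAL_IP4_SUBNET value is 8 bytes: network address followed by netmask
        reply.append((INTERNAL_IP4_SUBNET, net.network_address.packed + net.netmask.packed))
    return encode_cp(CFG_REPLY, reply)


def describe(payload):
    """Human-readable listing of a CP payload, for a log or a test."""
    cfg_type, attrs = decode_cp(payload)
    return cfg_type, [(ATTR_NAMES.get(t, str(t)), v.hex()) for t, v in attrs]


if __name__ == "__main__":
    req = client_request()                             # constructed client request
    print("request:", req.hex(), describe(req))
    rep = gateway_reply(req, "10.0.0.5", "10.0.0.1", "10.0.0.0/24")  # constructed values
    print("reply:  ", rep.hex(), describe(rep))
```

Whether a given client implementation emits the second and third attributes is a question for that implementation's configuration; the encoder shows that the payload format itself places no limit on the number of attributes in one CFG_REQUEST.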
[strongSwan] EAP-SIM Identity Request/Response
Hi, Martin, Hi, Andreas, Hi, all

I am testing EAP-SIM with strongSwan as the client against a Security Gateway. I wonder if strongSwan supports the EAP-SIM authentication mechanism defined in 3GPP TS 43.318 V7.5.0. The difference between this EAP-SIM scheme and the standard one defined in RFC 4186 is that this scheme omits the EAP-Identity Request/Response exchange at the beginning of the authentication procedure. The EAP-Identity is included in the IDi sent from the client to the SeGW in the first IKE_AUTH message. So the first EAP payload the client receives is an EAP-Request/SIM/Start (instead of EAP-Request/Identity in the standard case).

Can you please tell me if the above EAP-SIM scheme is supported by strongSwan? If it is, is there any special configuration involved? If it's not supported, how complicated do you think the changes would be to support it? Can you kindly point me to the files that would be involved if I want to implement this support?

Thanks very much

RFC 4186 EAP-SIM:

    strongSwan (client)                                    SeGW (Authenticator)
         |                    EAP-Request/Identity                    |
         |<-----------------------------------------------------------|
         |                    EAP-Response/Identity                   |
         |----------------------------------------------------------->|
         |            EAP-Request/SIM/Start (AT_VERSION_LIST)         |
         |<-----------------------------------------------------------|
         |   EAP-Response/SIM/Start (AT_NONCE_MT, AT_SELECTED_VERSION)|
         |----------------------------------------------------------->|
         |          EAP-Request/SIM/Challenge (AT_RAND, AT_MAC)       |
         |<-----------------------------------------------------------|
         |  +-------------------------------------------------------+ |
         |  | Peer runs GSM algorithms, verifies AT_MAC and derives | |
         |  | session keys                                          | |
         |  +-------------------------------------------------------+ |
         |            EAP-Response/SIM/Challenge (AT_MAC)             |
         |----------------------------------------------------------->|
         |                        EAP-Success                         |
         |<-----------------------------------------------------------|
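The difference between the two flows is only which EAP request reaches the peer first. Here is an added Python example (not strongSwan code) of a peer that handles either: an EAP-Request/Identity is answered with EAP-Response/Identity, and an EAP-Request/SIM/Start carrying AT_VERSION_LIST is answered directly with EAP-Response/SIM/Start carrying AT_NONCE_MT and AT_SELECTED_VERSION, as in the 3GPP variant where the identity already went in IDi. Packet and attribute layouts follow RFC 3748 and RFC 4186; the identity string and the fixed nonce used for the demonstration are constructed values, and the server-side request builders exist only to exercise the peer.

```python
import os
import struct

# EAP (RFC 3748) and EAP-SIM (RFC 4186) constants
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_IDENTITY, EAP_TYPE_SIM = 1, 18
SIM_START, SIM_CHALLENGE = 10, 11
AT_NONCE_MT, AT_VERSION_LIST, AT_SELECTED_VERSION = 7, 15, 16
SIM_VERSION_1 = 1


def eap_packet(code, identifier, body):
    """EAP header: code, identifier, total length, then type-specific body."""
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def sim_attr(atype, value):
    """EAP-SIM attribute: type, length in 4-byte units (header included), value padded to 4."""
    value += b"\x00" * (-(2 + len(value)) % 4)
    return struct.pack("!BB", atype, (2 + len(value)) // 4) + value


def sim_body(subtype, attrs):
    """EAP-SIM body: type 18, subtype, 2 reserved bytes, attributes."""
    return struct.pack("!BBH", EAP_TYPE_SIM, subtype, 0) + b"".join(attrs)


def parse_eap(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    return code, ident, pkt[4:]


def parse_sim_attrs(data):
    """Map attribute type -> value bytes; reject lengths that run past the packet."""
    attrs, off = {}, 0
    while off < len(data):
        atype, alen = data[off], data[off + 1]
        if alen == 0 or off + alen * 4 > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[off + 2:off + alen * 4]
        off += alen * 4
    return attrs


def peer_first_response(pkt, identity, nonce_mt=None):
    """Answer the first EAP request of either flow.
    RFC 4186:          EAP-Request/Identity  -> EAP-Response/Identity
    3GPP TS 43.318:    EAP-Request/SIM/Start -> EAP-Response/SIM/Start (identity was in IDi)
    Returns (flow label, response packet)."""
    code, ident, body = parse_eap(pkt)
    if code != EAP_REQUEST or not body:
        raise ValueError("expected an EAP-Request")
    eap_type = body[0]
    if eap_type == EAP_TYPE_IDENTITY:
        return "Identity", eap_packet(EAP_RESPONSE, ident, bytes([EAP_TYPE_IDENTITY]) + identity.encode())
    if eap_type == EAP_TYPE_SIM and len(body) >= 4 and body[1] == SIM_START:
        attrs = parse_sim_attrs(body[4:])
        vl = attrs.get(AT_VERSION_LIST)
        if vl is None:
            raise ValueError("SIM/Start without AT_VERSION_LIST")
        n = struct.unpack("!H", vl[:2])[0]                       # actual list length in bytes
        versions = [struct.unpack("!H", vl[2 + i:4 + i])[0] for i in range(0, n, 2)]
        if SIM_VERSION_1 not in versions:
            raise ValueError("no supported EAP-SIM version offered")
        nonce = nonce_mt if nonce_mt is not None else os.urandom(16)
        resp = sim_body(SIM_START, [sim_attr(AT_NONCE_MT, b"\x00\x00" + nonce),
                                    sim_attr(AT_SELECTED_VERSION, struct.pack("!H", SIM_VERSION_1))])
        return "SIM/Start", eap_packet(EAP_RESPONSE, ident, resp)
    raise ValueError(f"unexpected first request: EAP type {eap_type}")


# Server-side builders, only so the peer can be exercised stand-alone
def server_identity_request(ident=1):
    return eap_packet(EAP_REQUEST, ident, bytes([EAP_TYPE_IDENTITY]))


def server_sim_start_request(ident=2, versions=(SIM_VERSION_1,)):
    vl = struct.pack("!H", 2 * len(versions)) + b"".join(struct.pack("!H", v) for v in versions)
    return eap_packet(EAP_REQUEST, ident, sim_body(SIM_START, [sim_attr(AT_VERSION_LIST, vl)]))


if __name__ == "__main__":
    identity = "1234567"                                          # constructed identity
    for first in (server_identity_request(), server_sim_start_request()):
        flow, resp = peer_first_response(first, identity)
        print(f"{flow:10s} request {first.hex()} -> response {resp.hex()}")
```

A peer written this way needs no configuration switch for the 3GPP variant: it dispatches on the type of the first request it sees, and anything other than Identity or SIM/Start is rejected rather than guessed at.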