Re: [strongSwan] unable to allocate SPIs from kernel

2012-01-03 Thread Milton Lie
Many thanks Tobias.
Tunnel is now established with my new kernel.

BR,
-Milton




___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] unable to allocate SPIs from kernel

2012-01-02 Thread Tobias Brunner
Hi Milton,

 For some reasons, I don't see aes, hmac plugins on Nexus One device:

That's correct because the functionality of these plugins is provided by
the openssl plugin on Android.

 Which I assume is the issue?

No, as these plugins provide functionality for the IKEv2 charon daemon
and work solely in userland these have nothing to do with the "unable to
allocate SPIs from kernel" error message.

 I'm running the stock cyanogenmod kernel, which I assume has the
 appropriate E  A support?

That's more likely the problem.  I suppose the kernel lacks some of the
required modules (see [1] for a list).  There is a page on the
CyanogenMod wiki which explains how to build a custom kernel (see [2]).

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
[2] http://wiki.cyanogenmod.com/wiki/Building_Kernel_from_source
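
The kernel-side check suggested in the reply above, as an added example that is not part of the original message: it reads a kernel .config and lists the IPsec options that are neither built in nor modular. The option list is an assumed subset (the authoritative list is the page referenced as [1]), and the sample config and function names are constructed for illustration.

```shell
#!/bin/sh
# Assumed subset of the kernel options IPsec needs; the authoritative list
# is the KernelModules page referenced as [1] above.
IPSEC_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP \
CONFIG_INET_IPCOMP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL"

# Read a kernel .config on stdin and print every option from IPSEC_OPTS that
# is neither built in (=y) nor built as a module (=m). Returns 1 if any is
# missing, so "# CONFIG_X is not set" and absent lines both count as missing.
missing_ipsec_opts() {
    awk -v want="$IPSEC_OPTS" '
        BEGIN { n = split(want, opt, " ") }
        /^CONFIG_[A-Za-z0-9_]+=[ym]$/ { sub(/=.*/, ""); have[$0] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(opt[i] in have)) { print opt[i]; miss = 1 }
            exit (miss ? 1 : 0)
        }'
}

# Constructed sample config, not taken from the thread.
sample_config() {
    cat <<'EOF'
CONFIG_NET=y
CONFIG_XFRM=y
# CONFIG_XFRM_USER is not set
CONFIG_NET_KEY=m
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
# CONFIG_INET_IPCOMP is not set
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
EOF
}

sample_config | missing_ipsec_opts || echo "rebuild the kernel with the options listed above"
```

On a running system built with CONFIG_IKCONFIG_PROC, the input can come from `zcat /proc/config.gz` instead of a file.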



Re: [strongSwan] unable to allocate SPIs from kernel

2011-06-08 Thread Andreas Steffen
Hi Hemant,

you are lacking the kernel_netlink plugin which is responsible for
the communication with the Linux kernel. If you have an explicit
plugin load list in strongswan.conf of the form

charon {
    load = ..
}

then you must add kernel_netlink to this list.

Regards

Andreas

On 06/08/2011 12:10 PM, Agrawal Hemant-B10814 wrote:
 Hi Andreas,
 
 I am running linux 2.6.35 with strongswan 4.5.1
 
 The result of ipsec status all is 
 ipsec statusall
 Status of IKEv2 charon daemon (strongSwan 4.5.1):
   uptime: 3 hours, siince Aug o28 12:02:36 2009
  135168, mmap 0, used 56928, free 78240
   worker threads: 11 idle of 16, job queue load: 0, scheduled events: 0
 ns: aes edes sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 revocation hmac 
 stroke socket-raw updown
 Listening IP addressses:
 CIonnections:
  net-nent:  200.200.200.20...200.200.200.10
  net-ne.t:   loc al:  [200.200.200.20] uses pre-shared keey 
 authenticationy
   remote: [200.2 00.200.1:0] uses 0any authentication
  net-net:   child:  192.:168.2.0/24 === 192.168.12.0/24
 Security Associations:
   None
 
 Regards,
 Hemant
 
 -Original Message-
 From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] 
 Sent: Wednesday, June 08, 2011 3:26 PM
 To: Agrawal Hemant-B10814
 Cc: Users@lists.strongswan.org
 Subject: Re: [strongSwan] unable to allocate SPIs from kernel
 
 Hello Hemant,
 
 execute ipsec statusall and post the list of loaded strongSwan plugins.
 
 Which Linux kernel and which strongSwan version are you using?
 
 Regards
 
 Andreas
 
 On 08.06.2011 09:14, Agrawal Hemant-B10814 wrote:
 Hi,

 While trying to use strongswan for net-net scenario, I am facing following error:

 [root@P1024RDB /root]# ipsec up net-net
 initiating IKE_SA net-net[2] to 200.200.200.20
 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 sending packet: from 200.200.200.10[500] to 200.200.200.20[500]
 received packet: from 200.200.200.20[500] to 200.200.200.10[500]
 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
 received cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA
 sending cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA
 authentication of '200.200.200.10' (myself) with pre-shared key
 establishing CHILD_SA net-net
 *unable to allocate SPIs from kernel*

 I have compiled all the modules, which was suggested in
 http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

 I am still facing the problem.

 My ipsec.conf is as follows:

 # /etc/ipsec.conf - strongSwan IPsec configuration file

 config setup
     charondebug="chd 4, knl 4"
     crlcheckinterval=180
     strictcrlpolicy=no
     plutostart=no

 conn %default
     pfs=no
     ikelifetime=60m
     keylife=20m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev2
     type=tunnel
     auth=esp
     compress=no
     mobike=no
     ike=3des-sha1-md5-modp1024!
     esp=aes128-3des-sha1-md5!

 conn net-net
     authby=secret
     left=200.200.200.10
     leftsubnet=192.168.1.0/24
     leftfirewall=yes
     right=200.200.200.20
     rightsubnet=192.168.2.0/24
     auto=add

 Please help

 Regards,

 Hemant
 
 ==
 Andreas Steffen andreas.stef...@strongswan.org
 strongSwan - the Linux VPN Solution!www.strongswan.org
 Institute for Internet Technologies and Applications University of Applied 
 Sciences Rapperswil CH-8640 Rapperswil (Switzerland) 
 ===[ITA-HSR]==
 
 


-- 
==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==
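
An added example, not part of the message above or of strongSwan itself: a shell check that reads a strongswan.conf, extracts an explicit charon load list of the form shown in the reply, and reports whether it names the kernel interface plugin. It accepts the kernel_netlink spelling used in the message as well as the hyphenated kernel-netlink that strongSwan prints in its plugin list; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Print the value of "load =" found directly inside the charon { } section
# of a strongswan.conf read from stdin (prints nothing if there is none).
# Expects the multi-line layout shown in the message above.
charon_load_list() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        depth == 0 && /^[ \t]*charon[ \t]*\{/ { in_charon = 1 }
        in_charon && depth == 1 && /^[ \t]*load[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
        {   # track nesting so load lines of subsections are ignored
            depth += gsub(/\{/, "{") - gsub(/\}/, "}")
            if (depth == 0) in_charon = 0
        }'
}

# Classify the config on stdin:
#   implicit - no explicit load list in this file
#   ok       - explicit list names the kernel-netlink plugin
#   missing  - explicit list without it (returns 1)
check_kernel_plugin() {
    list=$(charon_load_list)
    [ -n "$list" ] || { echo implicit; return 0; }
    for p in $list; do
        case $p in
            kernel_netlink|kernel-netlink) echo ok; return 0 ;;
        esac
    done
    echo missing
    return 1
}

# Constructed sample, modelled on the plugin list posted in the thread.
sample_conf() {
    cat <<'EOF'
# strongswan.conf (constructed sample)
charon {
    threads = 16
    load = aes des sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 revocation hmac stroke socket-raw updown
}
EOF
}

sample_conf | check_kernel_plugin || echo "add kernel_netlink to charon's load list"
```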



Re: [strongSwan] unable to allocate SPIs from kernel

2011-06-08 Thread Agrawal Hemant-B10814
Thanks! It worked.



Re: [strongSwan] unable to allocate SPIs from kernel

2009-08-20 Thread Deva Pandian
Can someone please help me with this "unable to allocate SPIs from
kernel" message?

On Tue, Aug 18, 2009 at 3:34 PM, Deva Pandian deva.pand...@gmail.com wrote:
 Hi,  I am an ipsec beginner.  I installed strongswan 4.3.3 on my
 FC10/FC11 machines and tried to setup a host-host tunnel.  But I get
 the following error.  Googling it and searching for it in strongswan
 wiki didn't give any results.

 [r...@localhost ~]# ipsec restart
 Stopping strongSwan IPsec...
 Starting strongSwan 4.3.3 IPsec [starter]...
 [r...@localhost ~]# ipsec up host-host
 initiating IKE_SA host-host[1] to 10.40.128.14
 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
 sending packet: from 10.47.20.20[500] to 10.40.128.14[500]
 received packet: from 10.40.128.14[500] to 10.47.20.20[500]
 parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
 N(MULT_AUTH) ]
 authentication of 'moon.strongswan.org' (myself) with pre-shared key
 establishing CHILD_SA host-host
 unable to allocate SPIs from kernel

 Can someone please help me.  I tried rebuilding the kernel with the
 ipsec options mentioned in the doc.  But I still see the error.

 Thanks.
