Re: [strongSwan] unable to allocate SPIs from kernel
Many thanks Tobias. Tunnel is now established with my new kernel. BR, -Milton From: Tobias Brunner tob...@strongswan.org To: Milton Lie m...@swbell.net Cc: Users@lists.strongswan.org Sent: Tue, January 3, 2012 1:56:41 AM Subject: Re: unable to allocate SPIs from kernel Hi Milton, For some reasons, I don't see aes, hmac plugins on Nexus One device: That's correct because the functionality of these plugins is provided by the openssl plugin on Android. Which I assume is the issue? No, as these plugins provide functionality for the IKEv2 charon daemon and work solely in userland these have nothing with the unable to allocate SPIs from kernel error message. I'm running the stock cyanogenmod kernel, which I assume has the appropriate E A support? That's more likely the problem. I suppose the kernel lacks some of the required modules (see [1] for a list). There is a page on the CyanogenMod wiki which explains how to build a custom kernel (see [2]). Regards, Tobias [1] http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules [2] http://wiki.cyanogenmod.com/wiki/Building_Kernel_from_source ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] unable to allocate SPIs from kernel
Hi Milton, For some reasons, I don't see aes, hmac plugins on Nexus One device: That's correct because the functionality of these plugins is provided by the openssl plugin on Android. Which I assume is the issue? No, as these plugins provide functionality for the IKEv2 charon daemon and work solely in userland these have nothing with the unable to allocate SPIs from kernel error message. I'm running the stock cyanogenmod kernel, which I assume has the appropriate E A support? That's more likely the problem. I suppose the kernel lacks some of the required modules (see [1] for a list). There is a page on the CyanogenMod wiki which explains how to build a custom kernel (see [2]). Regards, Tobias [1] http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules [2] http://wiki.cyanogenmod.com/wiki/Building_Kernel_from_source ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] unable to allocate SPIs from kernel
Hi Hemant, your are lacking the kernel_netlink plugin which is responsible for the communication with the Linux kernel. If you have an explicit plugin load list in strongswan.conf of the form charon { load = .. } then you must add kernel_netlink to this list. Regards Andreas On 06/08/2011 12:10 PM, Agrawal Hemant-B10814 wrote: Hi Andreas, I am running linux 2.6.35 with strongswan 4.5.1 The result of ipsec status all is ipsec statusall Status of IKEv2 charon daemon (strongSwan 4.5.1): uptime: 3 hours, siince Aug o28 12:02:36 2009 135168, mmap 0, used 56928, free 78240 worker threads: 11 idle of 16, job queue load: 0, scheduled events: 0 ns: aes edes sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 revocation hmac stroke socket-raw updown Listening IP addressses: CIonnections: net-nent: 200.200.200.20...200.200.200.10 net-ne.t: loc al: [200.200.200.20] uses pre-shared keey authenticationy remote: [200.2 00.200.1:0] uses 0any authentication net-net: child: 192.:168.2.0/24 === 192.168.12.0/24 Security Associations: None Regards, Hemant -Original Message- From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] Sent: Wednesday, June 08, 2011 3:26 PM To: Agrawal Hemant-B10814 Cc: Users@lists.strongswan.org Subject: Re: [strongSwan] unable to allocate SPIs from kernel Hello Hemant, execute ipsec statusall and post the list of loaded strongSwan plugins. Which Linux kernel and which strongSwan version are you using? Regards Andreas On 08.06.2011 09:14, Agrawal Hemant-B10814 wrote: Hi, While trying to use strongswan for net-net scenario, I am facing following error: [root@P1024RDB /root]# ipsec up net-net initiating IKE_SA net-net[2] to 200.200.200.20 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] sending packet: from 200.200.200.10[500] to 200.200.200.20[500] received packet: from 200.200.200.20[500] to 200.200.200.10[500] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] received cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA sending cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA authentication of '200.200.200.10' (myself) with pre-shared key establishing CHILD_SA net-net *unable to allocate SPIs from kernel* * * I have compiled all the modules, which was suggested in /http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules/ / / I am still facing the problem. My ipsec.conf is as follows: / / /# /etc/ipsec.conf - strongSwan IPsec configuration file/ / / /config setup/ /charondebug=chd 4, knl 4/ /crlcheckinterval=180/ /strictcrlpolicy=no/ /plutostart=no/ / / /conn %default/ /pfs=no/ /ikelifetime=60m/ /keylife=20m/ /rekeymargin=3m/ /keyingtries=1/ /keyexchange=ikev2/ /type=tunnel/ /auth=esp/ /compress=no/ /mobike=no/ /ike=3des-sha1-md5-modp1024!/ /esp=aes128-3des-sha1-md5!/ /conn net-net/ /authby=secret/ /left=200.200.200.10/ /leftsubnet=192.168.1.0/24/ /leftfirewall=yes/ /right=200.200.200.20/ /rightsubnet=192.168.2.0/24/ /auto=add/ Please help Regards, Hemant == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] unable to allocate SPIs from kernel
Thanks! It worked. -Original Message- From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] Sent: Wednesday, June 08, 2011 4:36 PM To: Agrawal Hemant-B10814 Cc: Users@lists.strongswan.org Subject: Re: [strongSwan] unable to allocate SPIs from kernel Hi Hemant, your are lacking the kernel_netlink plugin which is responsible for the communication with the Linux kernel. If you have an explicit plugin load list in strongswan.conf of the form charon { load = .. } then you must add kernel_netlink to this list. Regards Andreas On 06/08/2011 12:10 PM, Agrawal Hemant-B10814 wrote: Hi Andreas, I am running linux 2.6.35 with strongswan 4.5.1 The result of ipsec status all is ipsec statusall Status of IKEv2 charon daemon (strongSwan 4.5.1): uptime: 3 hours, siince Aug o28 12:02:36 2009 135168, mmap 0, used 56928, free 78240 worker threads: 11 idle of 16, job queue load: 0, scheduled events: 0 ns: aes edes sha1 sha2 md5 pem pkcs1 gmp random pubkey x509 revocation hmac stroke socket-raw updown Listening IP addressses: CIonnections: net-nent: 200.200.200.20...200.200.200.10 net-ne.t: loc al: [200.200.200.20] uses pre-shared keey authenticationy remote: [200.2 00.200.1:0] uses 0any authentication net-net: child: 192.:168.2.0/24 === 192.168.12.0/24 Security Associations: None Regards, Hemant -Original Message- From: Andreas Steffen [mailto:andreas.stef...@strongswan.org] Sent: Wednesday, June 08, 2011 3:26 PM To: Agrawal Hemant-B10814 Cc: Users@lists.strongswan.org Subject: Re: [strongSwan] unable to allocate SPIs from kernel Hello Hemant, execute ipsec statusall and post the list of loaded strongSwan plugins. Which Linux kernel and which strongSwan version are you using? Regards Andreas On 08.06.2011 09:14, Agrawal Hemant-B10814 wrote: Hi, While trying to use strongswan for net-net scenario, I am facing following error: [root@P1024RDB /root]# ipsec up net-net initiating IKE_SA net-net[2] to 200.200.200.20 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] sending packet: from 200.200.200.10[500] to 200.200.200.20[500] received packet: from 200.200.200.20[500] to 200.200.200.10[500] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] received cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA sending cert request for C=CH, O=Linux strongSwan, CN=strongSwan Root CA authentication of '200.200.200.10' (myself) with pre-shared key establishing CHILD_SA net-net *unable to allocate SPIs from kernel* * * I have compiled all the modules, which was suggested in /http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules/ / / I am still facing the problem. My ipsec.conf is as follows: / / /# /etc/ipsec.conf - strongSwan IPsec configuration file/ / / /config setup/ /charondebug=chd 4, knl 4/ /crlcheckinterval=180/ /strictcrlpolicy=no/ /plutostart=no/ / / /conn %default/ /pfs=no/ /ikelifetime=60m/ /keylife=20m/ /rekeymargin=3m/ /keyingtries=1/ /keyexchange=ikev2/ /type=tunnel/ /auth=esp/ /compress=no/ /mobike=no/ /ike=3des-sha1-md5-modp1024!/ /esp=aes128-3des-sha1-md5!/ /conn net-net/ /authby=secret/ /left=200.200.200.10/ /leftsubnet=192.168.1.0/24/ /leftfirewall=yes/ /right=200.200.200.20/ /rightsubnet=192.168.2.0/24/ /auto=add/ Please help Regards, Hemant == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== -- == Andreas Steffen andreas.stef...@strongswan.org strongSwan - the Linux VPN Solution!www.strongswan.org Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil CH-8640 Rapperswil (Switzerland) ===[ITA-HSR]== ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users
Re: [strongSwan] unable to allocate SPIs from kernel
Can someone please help me with this unable to allocate SPIs from kernel message? On Tue, Aug 18, 2009 at 3:34 PM, Deva Pandiandeva.pand...@gmail.com wrote: Hi, I am an ipsec beginner. I installed strongswan 4.3.3 on my FC10/FC11 machines and tried to setup a host-host tunnel. But I get the following error. Googling it and searching for it in strongswan wiki didn't give any results. [r...@localhost ~]# ipsec restart Stopping strongSwan IPsec... Starting strongSwan 4.3.3 IPsec [starter]... [r...@localhost ~]# ipsec up host-host initiating IKE_SA host-host[1] to 10.40.128.14 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] sending packet: from 10.47.20.20[500] to 10.40.128.14[500] received packet: from 10.40.128.14[500] to 10.47.20.20[500] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] authentication of 'moon.strongswan.org' (myself) with pre-shared key establishing CHILD_SA host-host unable to allocate SPIs from kernel Can someone please help me. I tried rebuilding the kernel with the ipsec options mentioned in the doc. But I still see the error. Thanks. ___ Users mailing list Users@lists.strongswan.org https://lists.strongswan.org/mailman/listinfo/users