Hi Andrew,

Thanks for the input.

I also upgraded to 5.8.11 kernel

Linux Ubuntu-1604New-001 5.8.11-050811-generic #202009230858 SMP Wed Sep 23 13:06:55 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
ctuser@Ubuntu-1604New-001:~$

Still I'm getting the same error

Oct 5 23:05:02.745044: "mysubnet" #1: ERROR: netlink response for Add SA [email protected] included errno 22: Invalid argument

I built and installed the latest libreswan code.

Thanks,
Mallesh

On Wed, Sep 30, 2020 at 5:36 PM Andrew Cagney <[email protected]> wrote:

> On Wed, 30 Sep 2020 at 00:58, M Thotager <[email protected]> wrote:
> >
> > Hi Team,
> >
> > I'm trying to set up an ipsec over tcp (on ubuntu, Kernel version is 5.8.9), but ipsec sa creation is failing with the below reason.
> > I referred to the available test scripts for tcp (in git repository). Could you please check and let me know if I'm missing anything?
> >
> > Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
> > Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
> > Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 using old-style req
> > Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa encap_type=0(espintcp) sport=4500 dport=48792
> > Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
> > Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA [email protected] included errno 22: Invalid argument
> > Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
> > Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL
>
> my knee jerk reaction is the kernel - we've been testing with some
> bleeding edge patches and features enabled. I just ran the tests
> with the vanilla kernel:
> Linux east 5.8.11-200.fc32.x86_64 #1 SMP Wed Sep 23 13:51:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> and they pass. However, that is still slightly ahead.
>
> > I've downloaded the latest libreswan code, built and installed.
> >
> > Ipsec version:
> > root@Ubuntu-1604New-001:~# vi /tmp/pluto.log
> > root@Ubuntu-1604New-001:~# ipsec version
> > Linux Libreswan v3.30-1834-g8b42ce7-main (netkey) on 5.8.9-050809-generic
> > root@Ubuntu-1604New-001:~# uname -a
> > Linux Ubuntu-1604New-001 5.8.9-050809-generic #202009120936 SMP Sat Sep 12 13:59:35 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
> > root@Ubuntu-1604New-001:~#
> >
> > Configuration on both the peers:
> > peer1:
> > config setup
> >     protostack=netkey
> >     listen-tcp=yes
> >     logfile=/tmp/pluto.log
> >     logtime=yes
> >     logappend=no
> >     plutodebug=all
> >     dumpdir=/tmp
> >
> > conn mysubnet
> >     enable-tcp=yes
> >     tcp-remoteport=4500
> >     left=10.30.65.1
> >     right=10.30.65.7
> >     authby=secret
> >     leftsubnet=192.0.2.0/24
> >     rightsubnet=192.0.1.0/24
> >     type=tunnel
> >     auto=add
> >     ike=aes256-sha256;modp4096
> >
> >
> > Peer2:
> > version 2.0
> > config setup
> >     protostack=netkey
> >     listen-tcp=yes
> >     logfile=/tmp/pluto.log
> >     logtime=yes
> >     logappend=no
> >     plutodebug=all
> >
> > conn mysubnet
> >     enable-tcp=yes
> >     tcp-remoteport=4500
> >     left=10.30.65.7
> >     right=10.30.65.1
> >     authby=secret
> >     leftsubnet=192.0.1.0/24
> >     rightsubnet=192.0.2.0/24
> >     type=tunnel
> >     auto=start
> >     ike=aes256-sha256;modp4096
> >     phase2alg=aes256-sha256;modp4096
> >
> > Thanks,
> > Mallesh
> >
> > _______________________________________________
> > Swan mailing list
> > [email protected]
> > https://lists.libreswan.org/mailman/listinfo/swan
>
