Re: [Swan] Setting up ike/ipsec tunnel over TCP

Mon, 05 Oct 2020 18:56:12 -0700 

On Mon, 5 Oct 2020 at 21:26, M Thotager <[email protected]> wrote:

>> > Sep 28 21:47:47.408661: | netlink: enabling tunnel mode
>> > Sep 28 21:47:47.408674: | XFRM: adding IPsec SA with reqid 16389
>> > Sep 28 21:47:47.408685: | netlink: setting IPsec SA replay-window to 32 
>> > using old-style req
>> > Sep 28 21:47:47.408699: | adding xfrm-encap-tmpl when adding sa 
>> > encap_type=0(espintcp) sport=4500 dport=48792
>> > Sep 28 21:47:47.408711: | netlink: esp-hw-offload not set for IPsec SA
>> > Sep 28 21:47:47.408882: "mysubnet" #1: ERROR: netlink response for Add SA 
>> > [email protected] included errno 22: Invalid argument
>> > Sep 28 21:47:47.408929: "mysubnet" #1: setup_half_ipsec_sa() hit fail:
>> > Sep 28 21:47:47.408943: | ikev2_child_sa_respond returned STF_FATAL

Looking at 
https://testing.libreswan.org/v3.30-1888-g407c55e1e6-main/ikev2-tcp-00-yes/OUTPUT/west.pluto.log.gz

| netlink: enabling tunnel mode
| XFRM: adding IPsec SA with reqid 16389
| netlink: setting IPsec SA replay-window to 32 using old-style req
| adding xfrm-encap-tmpl when adding sa encap_type=7(espintcp)
sport=49484 dport=4500
| netlink: esp-hw-offload not set for IPsec SA
| netlink response for Add SA [email protected] included non-error error
| setup_half_ipsec_sa() is installing inbound eroute? inbound=0 owner=#0 mode=1

the two logs disagree over sa_encap_type "espintcp" :-(  Here's the
relevant code in ip_encap.c:

/*
 * XXX: linux can't include both headers.
 */
#ifdef linux
#  include <linux/udp.h>        /* for TCP_ENCAP_ESPINTCP and
UDP_ENCAP_ESPINUDP */
#else
#  include <netinet/udp.h>        /* for UDP_ENCAP_ESPINUDP aka NAT */
#endif

const struct ip_encap ip_encap_esp_in_tcp = {
    .name = "espintcp",
    .outer = &ip_protocol_tcp,
    .inner = &ip_protocol_esp,
#ifdef TCP_ENCAP_ESPINTCP
    .encap_type = TCP_ENCAP_ESPINTCP,
#endif
};

so presumably TCP_ENCAP_TCPINTCP isn't defined (I'll see if there's an
easy way of making this barf).
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan

Reply via email to