Hi Andreas,

Thanks for your quick reply! The Linux kernel is 2.6.38-8. I checked the patch file "xfrm_mark.patch"; the problems in the "xfrm.h/xfrm_policy.c" have been modified already.

Thanks and regards,
Ethan

-----Original Message-----
From: Andreas Steffen [mailto:[email protected]]
Sent: Monday, July 18, 2011 11:58 AM
To: Yu Yin - Picochip
Cc: [email protected]
Subject: Re: [strongSwan] CHILD_SA can't setup with the configuration of MARK keywords

Hello Ethan,

which Linux kernel are you using? XFRM marks support was introduced with Linux 2.6.34 but was badly broken. It was fixed either with 2.6.35 or 2.6.36.

Best regards

Andreas

On 07/18/2011 05:06 AM, Yu Yin - Picochip wrote:
> Hi guys,
>
> I used to add a custom eap-aka plugin at the old strongswan version (4.3.4).
>
> And now I want to use the xfrm MARK function in the 4.3.4 version.
>
> So I merged the mark related code from 4.4.1 to the 4.3.4 version with the reference of revision ee26c537 and revision 26c4d010.
>
> After that, I have tried to setup a host-host tunnel with mark support, but the strongswan output some error:
>
> received netlink error: Numerical result out of range (34)
>
> the whole log and ipsec.conf is below.
>
> ipsec.conf of host A:
>
> config setup
>     strictcrlpolicy=no
>     plutostart=no
>
> conn %default
>     ike=3des-sha1-modp1024,aes-sha1-modp1024,null-sha1-modp1024,3des-sha1-modp2048,aes-sha1-modp2048,null-sha1-modp2048!
>     esp=null-sha1,aes-sha1,3des-sha1!
>     ikelifetime=24h
>     keylife=12m
>     keyexchange=ikev2
>     dpdaction=clear
>     dpddelay=20m
> conn host-host
>     left=172.19.2.101
>     leftid=www.hostA.org
>     leftcert=/etc/ipsec.d/certs/hostA.pem
>     leftfirewall=yes
>     mark=20
>     right=172.19.4.166
>     rightid=www.hostB.org
>     rightcert=/etc/ipsec.d/certs/ hostB.pem
>     rightsendcert=never
>     auto=start
>
> ipsec.conf of host B:
>
> config setup
>     strictcrlpolicy=no
>     plutostart=no
>     keep_alive=3m
> conn %default
>     ike=aes-sha1-modp1024!
>     esp=aes-sha1!
>     ikelifetime=1440m
>     keylife=12m
>     rekeymargin=3m
>     keyingtries=1
>     reauth=no
>     keyexchange=ikev2
>     dpdaction=clear
>     dpddelay=10m
>
> conn host-host
>     left=172.19.4.166
>     leftcert=/etc/ipsec.d/certs/hostB.pem
>     right=172.19.2.101
>     rightsubnet=0.0.0.0/0
>     mark=20
>     auto=add
>     leftid=www.hostB.org
>     rightid=www.hostA.org
>
> log on host A and B is attached.
>
> Thanks and regards,
>
> Ethan
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution!
www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
