Thank you! My server is running on a virtual machine using a kernel provided by the host, and it seems it was missing some necessary modules. After installing my own kernel, everything is working great.
P. J.

On 2013-05-30 11:01, Andreas Steffen wrote:
> Hi,
>
> it seems that some IPsec kernel modules are missing on the
> strongSwan VPN server. Please check against the following list of
> mandatory modules:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
> Regards
>
> Andreas
>
> On 05/30/2013 04:53 PM, P. J. Reed wrote:
>> My server is an Ubuntu 12.04 server with a public IP and the
>> Ubuntu-provided Strongswan 4.5.2-1.2 package installed. I'm trying to
>> set up a "road warrior" style configuration for an Android phone using
>> the official Strongswan client; it is on a NAT behind a firewall that I
>> have no control over. When I try to connect, the client says "Failed to
>> establish VPN: User authentication failed". I've spent a while looking
>> through documentation trying to figure out what's going on, but I'm not
>> having any luck; the one suspicious thing that sticks out in the server
>> log when I try to connect is:
>>
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
>> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
>>
>> There are only a couple of hits for "allocating SPI failed: Invalid
>> argument (22)" on Google and none of them seem related to my setup. Any
>> thoughts?
>>
>> Here's my ipsec.conf:
>>
>> config setup
>>     charonstart=yes
>>     plutostart=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     leftcert=serverCert.pem
>>     rightcert=clientCert.pem
>>
>> conn vpnuser
>>     left=%defaultroute
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightid="C=CH, O=linode, CN=client"
>>     rightsourceip=10.0.0.0/24
>>     auto=add
>>
>> And here's a complete dump of the server log (public IP addresses
>> removed):
>>
>> May 30 09:44:47 linode charon: 05[NET] received packet: from x.x.x.x[57872] to y.y.y.y[500]
>> May 30 09:44:47 linode charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
>> May 30 09:44:47 linode charon: 05[IKE] x.x.x.x is initiating an IKE_SA
>> May 30 09:44:47 linode charon: 05[IKE] remote host is behind NAT
>> May 30 09:44:47 linode charon: 05[IKE] sending cert request for "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:47 linode charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
>> May 30 09:44:47 linode charon: 05[NET] sending packet: from y.y.y.y[500] to x.x.x.x[57872]
>> May 30 09:44:48 linode charon: 13[NET] received packet: from x.x.x.x[53768] to y.y.y.y[4500]
>> May 30 09:44:48 linode charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CP(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
>> May 30 09:44:48 linode charon: 13[IKE] received cert request for "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:48 linode charon: 13[IKE] received 129 cert requests for an unknown ca
>> May 30 09:44:48 linode charon: 13[IKE] received end entity cert "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[CFG] looking for peer configs matching y.y.y.y[%any]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 13[CFG] selected peer config 'vpnuser'
>> May 30 09:44:48 linode charon: 13[CFG] using trusted ca certificate "C=CH, O=linode, CN=linode CA"
>> May 30 09:44:48 linode charon: 13[CFG] checking certificate status of "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[CFG] certificate status is not available
>> May 30 09:44:48 linode charon: 13[CFG] reached self-signed root ca with a path length of 0
>> May 30 09:44:48 linode charon: 13[CFG] using trusted certificate "C=CH, O=linode, CN=client"
>> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=client' with RSA signature successful
>> May 30 09:44:48 linode charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
>> May 30 09:44:48 linode charon: 13[IKE] peer supports MOBIKE
>> May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=linode' (myself) with RSA signature successful
>> May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 13[IKE] scheduling reauthentication in 3298s
>> May 30 09:44:48 linode charon: 13[IKE] maximum IKE_SA lifetime 3478s
>> May 30 09:44:48 linode charon: 13[IKE] sending end entity cert "C=CH, O=linode, CN=linode"
>> May 30 09:44:48 linode charon: 13[IKE] peer requested virtual IP %any6
>> May 30 09:44:48 linode charon: 13[CFG] reassigning offline lease to 'C=CH, O=linode, CN=client'
>> May 30 09:44:48 linode charon: 13[IKE] assigning virtual IP 10.0.0.1 to peer 'C=CH, O=linode, CN=client'
>> May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
>> May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
>> May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
>> May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
>> May 30 09:44:48 linode charon: 13[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[53768]
>> May 30 09:44:48 linode charon: 01[NET] received packet: from x.x.x.x[53768] to y.y.y.y[4500]
>> May 30 09:44:48 linode charon: 01[ENC] parsed INFORMATIONAL request 2 [ D ]
>> May 30 09:44:48 linode charon: 01[IKE] received DELETE for IKE_SA vpnuser[2]
>> May 30 09:44:48 linode charon: 01[IKE] deleting IKE_SA vpnuser[2] between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
>> May 30 09:44:48 linode charon: 01[IKE] IKE_SA deleted
>> May 30 09:44:48 linode charon: 01[ENC] generating INFORMATIONAL response 2 [ ]
>> May 30 09:44:48 linode charon: 01[NET] sending packet: from y.y.y.y[4500] to x.x.x.x[53768]
>> May 30 09:44:48 linode charon: 01[CFG] lease 10.0.0.1 by 'C=CH, O=linode, CN=client' went offline
>
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
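
Added example, not part of the original thread: a small triage of charon syslog lines that reports which stage of a connection attempt failed, so a client-side "User authentication failed" message can be checked against what the server logged (here the peer authenticated and the failure sits in the `[KNL]` kernel interface). The function name `triage` and the stage labels are hypothetical; the sample lines are a subset of the log quoted in the thread.

```python
import re

# Subset of the charon lines quoted in the thread (addresses already redacted there).
SAMPLE_LOG = """\
May 30 09:44:48 linode charon: 13[IKE] authentication of 'C=CH, O=linode, CN=client' with RSA signature successful
May 30 09:44:48 linode charon: 13[IKE] IKE_SA vpnuser[2] established between y.y.y.y[C=CH, O=linode, CN=linode]...x.x.x.x[C=CH, O=linode, CN=client]
May 30 09:44:48 linode charon: 13[KNL] allocating SPI failed: Invalid argument (22)
May 30 09:44:48 linode charon: 13[KNL] unable to get SPI for reqid {2}
May 30 09:44:48 linode charon: 13[IKE] allocating SPI failed
May 30 09:44:48 linode charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CP(ADDR DNS) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(NO_PROP) ]
"""

# syslog prefix, then "<thread>[<subsystem>] <message>" as in the quoted log
LINE = re.compile(r"charon: (?P<thread>\d+)\[(?P<sub>[A-Z]{3})\] (?P<msg>.*)$")
PEER_AUTH_OK = re.compile(r"authentication of '.*' with .* successful$")


def triage(log_text):
    """Report the first stage of one connection attempt that failed."""
    peer_auth_ok = ike_sa_up = no_proposal = False
    knl_errors = []
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        sub, msg = m["sub"], m["msg"]
        # "(myself)" marks the server authenticating itself, not the peer
        if sub == "IKE" and "(myself)" not in msg and PEER_AUTH_OK.search(msg):
            peer_auth_ok = True
        elif sub == "IKE" and re.search(r"IKE_SA \S+ established", msg):
            ike_sa_up = True
        elif sub == "KNL" and ("failed" in msg or "unable to" in msg):
            knl_errors.append(msg)
        elif sub == "ENC" and "IKE_AUTH response" in msg and "N(NO_PROP)" in msg:
            no_proposal = True
    if not peer_auth_ok:
        stage = "authentication"
    elif knl_errors:
        stage = "kernel-ipsec"  # peer authenticated; the kernel refused SPI/SA setup
    elif no_proposal:
        stage = "child-sa-proposal"
    else:
        stage = "ok"
    return {"stage": stage, "peer_auth_ok": peer_auth_ok, "ike_sa_up": ike_sa_up,
            "knl_errors": knl_errors, "no_proposal": no_proposal}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `kernel-ipsec` result points at the server's kernel IPsec support rather than at certificates or identities, which matches the missing-modules diagnosis given in the reply.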