Martin,

The modules list and configuration check script all pass.  I stepped up the
debug logging in charon to knl=4, to help narrow down the call in question:

Jan 17 15:38:27 16[KNL] adding SAD entry with SPI c5d8c211 and reqid {1}
Jan 17 15:38:27 16[KNL]   using encryption algorithm AES_CBC with key size 128
Jan 17 15:38:27 16[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Jan 17 15:38:27 16[KNL] sending XFRM_MSG_UPDSA: => 448 bytes @ 0x2ceab7f0
Jan 17 15:38:27 16[KNL] received netlink error: No such file or directory (2)

It seems to line up with this issue, but I'm getting the 96-bit truncation
instead of 128-bit truncation:
https://lists.strongswan.org/pipermail/users/2013-November/010026.html

So I'm off to dig through the kernel sources to see what's going on here.

Thanks,
Aaron

(kernel module check output follows)

# ./check.sh
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_INET_XFRM_MODE_BEET=m
CONFIG_IPV6=m
CONFIG_INET6_AH=m
CONFIG_INET6_ESP=m
CONFIG_INET6_IPCOMP=m
CONFIG_INET6_XFRM_MODE_TRANSPORT=m
CONFIG_INET6_XFRM_MODE_TUNNEL=m
CONFIG_INET6_XFRM_MODE_BEET=m
CONFIG_IPV6_MULTIPLE_TABLES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m


# lsmod | grep xfrm
xfrm4_tunnel            1920  0
xfrm4_mode_tunnel       1920  0
xfrm4_mode_transport     1216  0
xfrm4_mode_beet         2128  0
tunnel4                 2640  1 xfrm4_tunnel
xfrm_user              20208  2
xfrm_ipcomp             4528  1 ipcomp

# lsmod | grep tunnel
xfrm4_tunnel            1920  0
xfrm4_mode_tunnel       1920  0
tunnel4                 2640  1 xfrm4_tunnel


On Fri, Jan 17, 2014 at 10:30 AM, Martin Willi <[email protected]> wrote:

> Hi Aaron,
>
> > I'm trying to set up StrongSwan (4.5.2) on a fairly old kernel (2.6.31)
>
> > Jan 16 18:21:32 15[KNL] adding SAD entry with SPI c02c6c28 and reqid {2}
> > Jan 16 18:21:32 15[KNL]   using encryption algorithm AES_CBC with key size 128
> > Jan 16 18:21:32 15[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
> > Jan 16 18:21:32 15[KNL] received netlink error: No such file or directory (2)
>
> > Previous discussions on this mailing list suggested using the
> > esp=aes128-sha256_96 option
>
> I don't think this is related to truncation: Truncation usually is an
> issue with HMAC-SHA256 only, as older strongSwan releases on older
> kernels used 96 bit instead of the standardized 128 bit truncation. And
> on older kernels you can't use SHA256 MACs, as there is no 128 bit
> truncation.
>
> > I do know that the sha and md5 algorithms exist
>
> Most likely it's not about crypto algorithms themselves, but missing modules
> for IPsec transformation?
>
> Have a look at [1] and check if your kernel has the required
> modules/options.
>
> Regards
> Martin
>
> [1] http://wiki.strongswan.org/projects/strongswan/wiki/KernelModules
>
>
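
One way to extend the kernel option check discussed in this thread, as an added example that is not the check.sh used above and not strongSwan code. It reports options missing from a kernel config file; the IPv4 options are a subset of those printed in the message, while the CONFIG_CRYPTO_* names are an assumption added here for the AES_CBC / HMAC_SHA1_96 SA in the log, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: list kernel options that are not enabled (=y or =m).

# IPv4 subset of the options printed by check.sh in the message.
IPSEC_OPTS="CONFIG_XFRM_USER CONFIG_NET_KEY CONFIG_INET_AH CONFIG_INET_ESP
CONFIG_INET_IPCOMP CONFIG_INET_XFRM_MODE_TRANSPORT CONFIG_INET_XFRM_MODE_TUNNEL"

# Assumption (not from the thread): crypto API options behind an ESP SA
# that uses AES_CBC with HMAC_SHA1_96.
CRYPTO_OPTS="CONFIG_CRYPTO_AES CONFIG_CRYPTO_CBC CONFIG_CRYPTO_HMAC
CONFIG_CRYPTO_SHA1 CONFIG_CRYPTO_AUTHENC"

# missing_opts CONFIG_FILE OPT...: print each option not set to y or m.
missing_opts() {
    cfg=$1; shift
    for opt in "$@"; do
        grep -Eq "^${opt}=(y|m)\$" "$cfg" || printf '%s\n' "$opt"
    done
}

# check_kernel CONFIG_FILE: print missing options on one line,
# return 0 only when nothing is missing.
check_kernel() {
    # Word splitting of the option lists is intended here.
    out=$(missing_opts "$1" $IPSEC_OPTS $CRYPTO_OPTS | tr '\n' ' ')
    out=${out% }
    printf '%s' "$out"
    [ -z "$out" ]
}

# Constructed sample config, not taken from the system in the thread.
sample_config() {
cat <<'EOF'
CONFIG_XFRM_USER=m
CONFIG_NET_KEY=m
CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
CONFIG_INET_XFRM_MODE_TRANSPORT=m
CONFIG_INET_XFRM_MODE_TUNNEL=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=m
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA1=y
# CONFIG_CRYPTO_AUTHENC is not set
EOF
}

# Run against a real config when a path is given: ./script.sh /path/to/.config
if [ $# -gt 0 ]; then check_kernel "$1" && echo "all options enabled"; fi
```

An option built as a module (=m) still has to be loaded, or loadable on demand, when charon installs the SA, so a clean result here does not replace the lsmod check.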