Hi Amy,
> I don't know how to add DBG statements to get_replay_state() for I don't
> quite know the C language, could you give me some DBG statements?
You can try the attached patch. You'll have to compile strongSwan from
sources [1] and apply the patch after extracting the tarball with:
patch -p1 < /path/to/kernel-netlink.patch
If you installed strongSwan from an RPM package, uninstall that first.
> I tried several times on centos 5.9 and 6.2 separately, every time,
> ping to right subnets pass on centos 6.2 but fail on centos 5.9.
> Is there anything about linux kernel version?
Yes, most likely there is something amiss with the 2.6.18 kernel used by
CentOS 5.9.
> I also noticed that when strongswan started, there are plugins unable
> to load, but I don't know which plugins can't be loaded.
These shouldn't be an issue (most likely some DSA plugin features that
none of our crypto backends support).
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/InstallationDocumentation#Compile-yourself
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
index d9b55cf..cd6b53f 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1555,6 +1555,7 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
if (!add_mark(hdr, sizeof(request), mark))
{
+ DBG1(DBG_KNL, "add_mark failed");
return;
}
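Review bot: The "add_mark failed" message on the early-return path does not identify the caller or the SA, so in a log covering several SAs it cannot be tied to a particular get_replay_state() call. Prefix it with the function name, e.g. DBG1(DBG_KNL, "get_replay_state: add_mark failed"), and drop it again if add_mark() already logs its own error.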
@@ -1567,6 +1568,7 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
{
case XFRM_MSG_NEWAE:
{
+ DBG1(DBG_KNL, "received aevent");
out_aevent = NLMSG_DATA(hdr);
break;
}
@@ -1579,9 +1581,11 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
break;
}
default:
+ DBG1(DBG_KNL, "received msg of type %d", hdr->nlmsg_type);
hdr = NLMSG_NEXT(hdr, len);
continue;
case NLMSG_DONE:
+ DBG1(DBG_KNL, "nlmsg done");
break;
}
break;
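Review bot: The DBG1 in the default branch fires for every netlink message that is skipped via NLMSG_NEXT, and it does so at the lowest debug level, so it can flood the log on a busy gateway. That is acceptable for a one-off diagnostic build, but use DBG2 or higher if the statement is kept. hdr->nlmsg_type is an unsigned field, so %u fits better than %d.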
@@ -1590,10 +1594,12 @@ static void get_replay_state(private_kernel_netlink_ipsec_t *this,
if (out_aevent)
{
+ DBG1(DBG_KNL, "sizeof replay %d, sizeof replay_esn %d", sizeof(**replay), sizeof(**replay_esn));
rta = XFRM_RTA(out, struct xfrm_aevent_id);
rtasize = XFRM_PAYLOAD(out, struct xfrm_aevent_id);
while (RTA_OK(rta, rtasize))
{
+ DBG1(DBG_KNL, "handling attribute of type %d and length %d", rta->rta_type, RTA_PAYLOAD(rta));
if (rta->rta_type == XFRMA_REPLAY_VAL &&
RTA_PAYLOAD(rta) == sizeof(**replay))
{
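Review bot: In the "sizeof replay %d, sizeof replay_esn %d" line, sizeof yields a size_t while the format uses %d, which is a varargs type mismatch on 64-bit builds and can print wrong values in exactly the output this patch is meant to produce. Cast the arguments, e.g. (int)sizeof(**replay) and (int)sizeof(**replay_esn), or use %zu if the project's printf hooks support it. Apply the same cast to RTA_PAYLOAD(rta) in the "handling attribute" line, since it is compared against sizeof(**replay) just below and is not guaranteed to be an int.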