Hi Jeroen,

don't use that antique kernel unless you have to. Sounds like the IV generator issue from [1]:

<quote>
Note: For kernel versions 4.2-4.5 you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.
</quote>

Hth
Thomas

[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules

On April 17, 2019 7:07:10 PM GMT+02:00, Jeroen Landheer <[email protected]> wrote:
>This appears in my log file:
>
>Apr 17 18:43:04 fwhq03 charon: 11[IKE] assigning virtual IP 192.168.8.1 to peer 'jlan--------------e.nl'
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI cf789c5c
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] received netlink error: Invalid argument (22)
>Apr 17 18:43:04 fwhq03 charon: 11[KNL] unable to add SAD entry with SPI b651e5ec
>Apr 17 18:43:04 fwhq03 charon: 11[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>
>It seems that somehow strongswan can't assign a virtual IP address to the peer.
>
>Config:
>
>config setup
>    charondebug="all"
>    uniqueids=no
>
>conn ikev2-vpn
>    auto=add
>    compress=no
>    type=tunnel
>    keyexchange=ikev2
>    fragmentation=yes
>    forceencaps=yes
>    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
>    esp=aes256-sha1,3des-sha1!
>    dpdaction=clear
>    dpddelay=300s
>    rekey=no
>    left=%any
>    [email protected]<mailto:[email protected]>
>    leftcert=/etc/ipsec.d/certs/vpn-server-cert.pem
>    leftsendcert=always
>    leftsubnet=0.0.0.0/0,::/0
>    right=%any
>    rightid=%any
>    rightdns=192.168.5.2,192.168.5.9,2001:980:aa14:5::2,2001:980:aa14:5::9
>    rightsourceip=192.168.8.0/24,2001:980:aa14:8::/64
>    rightsendcert=never
>    rightauth=eap-mschapv2
>    eap_identity=%identity
>
>If I run the check script for the kernel modules, I get this: (this is basically a standard ubuntu setup)
>
>CONFIG_XFRM_USER=m
>CONFIG_NET_KEY=m
># CONFIG_NET_KEY_MIGRATE is not set
>CONFIG_INET=y
>CONFIG_INET_AH=m
>CONFIG_INET_ESP=m
>CONFIG_INET_IPCOMP=m
>CONFIG_INET_XFRM_TUNNEL=m
>CONFIG_INET_TUNNEL=m
>CONFIG_INET_XFRM_MODE_TRANSPORT=m
>CONFIG_INET_XFRM_MODE_TUNNEL=m
>CONFIG_INET_XFRM_MODE_BEET=m
>CONFIG_INET_LRO=y
>CONFIG_INET_DIAG=m
>CONFIG_INET_TCP_DIAG=m
>CONFIG_INET_UDP_DIAG=m
>CONFIG_INET6_AH=m
>CONFIG_INET6_ESP=m
>CONFIG_INET6_IPCOMP=m
>CONFIG_INET6_XFRM_TUNNEL=m
>CONFIG_INET6_TUNNEL=m
>CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>CONFIG_INET6_XFRM_MODE_TUNNEL=m
>CONFIG_INET6_XFRM_MODE_BEET=m
>CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION=m
>CONFIG_INET_DCCP_DIAG=m
>CONFIG_IP_ADVANCED_ROUTER=y
>CONFIG_IP_MULTIPLE_TABLES=y
>CONFIG_INET_AH=m
>CONFIG_INET_ESP=m
>CONFIG_INET_IPCOMP=m
>CONFIG_INET_XFRM_MODE_TRANSPORT=m
>CONFIG_INET_XFRM_MODE_TUNNEL=m
>CONFIG_INET_XFRM_MODE_BEET=m
>CONFIG_IPV6=y
>CONFIG_IPV6_ROUTER_PREF=y
>CONFIG_IPV6_ROUTE_INFO=y
># CONFIG_IPV6_OPTIMISTIC_DAD is not set
>CONFIG_IPV6_MIP6=m
>CONFIG_IPV6_ILA=m
>CONFIG_IPV6_VTI=m
>CONFIG_IPV6_SIT=m
>CONFIG_IPV6_SIT_6RD=y
>CONFIG_IPV6_NDISC_NODETYPE=y
>CONFIG_IPV6_TUNNEL=m
>CONFIG_IPV6_GRE=m
>CONFIG_IPV6_MULTIPLE_TABLES=y
>CONFIG_IPV6_SUBTREES=y
>CONFIG_IPV6_MROUTE=y
>CONFIG_IPV6_MROUTE_MULTIPLE_TABLES=y
>CONFIG_IPV6_PIMSM_V2=y
>CONFIG_INET6_AH=m
>CONFIG_INET6_ESP=m
>CONFIG_INET6_IPCOMP=m
>CONFIG_INET6_XFRM_MODE_TRANSPORT=m
>CONFIG_INET6_XFRM_MODE_TUNNEL=m
>CONFIG_INET6_XFRM_MODE_BEET=m
>CONFIG_IPV6_MULTIPLE_TABLES=y
>CONFIG_NETFILTER=y
># CONFIG_NETFILTER_DEBUG is not set
>CONFIG_NETFILTER_ADVANCED=y
>CONFIG_NETFILTER_INGRESS=y
>CONFIG_NETFILTER_NETLINK=m
>CONFIG_NETFILTER_NETLINK_ACCT=m
>CONFIG_NETFILTER_NETLINK_QUEUE=m
>CONFIG_NETFILTER_NETLINK_LOG=m
>CONFIG_NETFILTER_NETLINK_GLUE_CT=y
>CONFIG_NETFILTER_SYNPROXY=m
>CONFIG_NETFILTER_XTABLES=m
>CONFIG_NETFILTER_XT_MARK=m
>CONFIG_NETFILTER_XT_CONNMARK=m
>CONFIG_NETFILTER_XT_SET=m
>CONFIG_NETFILTER_XT_TARGET_AUDIT=m
>CONFIG_NETFILTER_XT_TARGET_CHECKSUM=m
>CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
>CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
>CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
>CONFIG_NETFILTER_XT_TARGET_CT=m
>CONFIG_NETFILTER_XT_TARGET_DSCP=m
>CONFIG_NETFILTER_XT_TARGET_HL=m
>CONFIG_NETFILTER_XT_TARGET_HMARK=m
>CONFIG_NETFILTER_XT_TARGET_IDLETIMER=m
>CONFIG_NETFILTER_XT_TARGET_LED=m
>CONFIG_NETFILTER_XT_TARGET_LOG=m
>CONFIG_NETFILTER_XT_TARGET_MARK=m
>CONFIG_NETFILTER_XT_NAT=m
>CONFIG_NETFILTER_XT_TARGET_NETMAP=m
>CONFIG_NETFILTER_XT_TARGET_NFLOG=m
>CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
># CONFIG_NETFILTER_XT_TARGET_NOTRACK is not set
>CONFIG_NETFILTER_XT_TARGET_RATEEST=m
>CONFIG_NETFILTER_XT_TARGET_REDIRECT=m
>CONFIG_NETFILTER_XT_TARGET_TEE=m
>CONFIG_NETFILTER_XT_TARGET_TPROXY=m
>CONFIG_NETFILTER_XT_TARGET_TRACE=m
>CONFIG_NETFILTER_XT_TARGET_SECMARK=m
>CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
>CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP=m
>CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
>CONFIG_NETFILTER_XT_MATCH_BPF=m
>CONFIG_NETFILTER_XT_MATCH_CGROUP=m
>CONFIG_NETFILTER_XT_MATCH_CLUSTER=m
>CONFIG_NETFILTER_XT_MATCH_COMMENT=m
>CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
>CONFIG_NETFILTER_XT_MATCH_CONNLABEL=m
>CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=m
>CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
>CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
>CONFIG_NETFILTER_XT_MATCH_CPU=m
>CONFIG_NETFILTER_XT_MATCH_DCCP=m
>CONFIG_NETFILTER_XT_MATCH_DEVGROUP=m
>CONFIG_NETFILTER_XT_MATCH_DSCP=m
>CONFIG_NETFILTER_XT_MATCH_ECN=m
>CONFIG_NETFILTER_XT_MATCH_ESP=m
>CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=m
>CONFIG_NETFILTER_XT_MATCH_HELPER=m
>CONFIG_NETFILTER_XT_MATCH_HL=m
>CONFIG_NETFILTER_XT_MATCH_IPCOMP=m
>CONFIG_NETFILTER_XT_MATCH_IPRANGE=m
>CONFIG_NETFILTER_XT_MATCH_IPVS=m
>CONFIG_NETFILTER_XT_MATCH_L2TP=m
>CONFIG_NETFILTER_XT_MATCH_LENGTH=m
>CONFIG_NETFILTER_XT_MATCH_LIMIT=m
>CONFIG_NETFILTER_XT_MATCH_MAC=m
>CONFIG_NETFILTER_XT_MATCH_MARK=m
>CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
>CONFIG_NETFILTER_XT_MATCH_NFACCT=m
>CONFIG_NETFILTER_XT_MATCH_OSF=m
>CONFIG_NETFILTER_XT_MATCH_OWNER=m
>CONFIG_NETFILTER_XT_MATCH_POLICY=m
>CONFIG_NETFILTER_XT_MATCH_PHYSDEV=m
>CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
>CONFIG_NETFILTER_XT_MATCH_QUOTA=m
>CONFIG_NETFILTER_XT_MATCH_RATEEST=m
>CONFIG_NETFILTER_XT_MATCH_REALM=m
>CONFIG_NETFILTER_XT_MATCH_RECENT=m
>CONFIG_NETFILTER_XT_MATCH_SCTP=m
>CONFIG_NETFILTER_XT_MATCH_SOCKET=m
>CONFIG_NETFILTER_XT_MATCH_STATE=m
>CONFIG_NETFILTER_XT_MATCH_STATISTIC=m
>CONFIG_NETFILTER_XT_MATCH_STRING=m
>CONFIG_NETFILTER_XT_MATCH_TCPMSS=m
>CONFIG_NETFILTER_XT_MATCH_TIME=m
>CONFIG_NETFILTER_XT_MATCH_U32=m
>CONFIG_NETFILTER_XTABLES=m
>CONFIG_NETFILTER_XT_MATCH_POLICY=m
>
>
>Kernel version: 4.4.0-145-generic
>
>Any idea how to diagnose this issue?
>
>Kind regards,
>
>
>Jeroen.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
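
The condition in the wiki note quoted in the reply can be checked mechanically. The following is an added example, not part of the thread and not strongSwan's own check script: the function names are hypothetical, `CONFIG_CRYPTO_ECHAINIV` is assumed to be the Kconfig symbol behind "Encrypted Chain IV Generator", and the cipher classification is a simplification of strongSwan's proposal keywords.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# True if the kernel release falls in the 4.2-4.5 range named in the wiki note.
needs_echainiv() {
    case $1 in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    [ "$major" = 4 ] && [ "${minor:-0}" -ge 2 ] && [ "${minor:-0}" -le 5 ]
}

# True if any proposal uses a CBC cipher. Assumption: in strongSwan keywords,
# ciphers without a gcm/ccm/ctr/gmac marker (aes256, 3des, ...) are CBC mode.
uses_cbc() {
    for p in $(printf '%s' "$1" | tr -d '!' | tr ',' ' '); do
        case ${p%%-*} in
            *gcm*|*ccm*|*ctr*|*gmac*|chacha20poly1305|null) ;;
            *) return 0 ;;
        esac
    done
    return 1
}

# Prints y, m or missing for CONFIG_CRYPTO_ECHAINIV (assumed Kconfig symbol of
# the "Encrypted Chain IV Generator") in the given kernel config file.
echainiv_state() {
    v=$(sed -n 's/^CONFIG_CRYPTO_ECHAINIV=\([ym]\)$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${v:-missing}"
}

# diagnose RELEASE CONFIG_FILE ESP_PROPOSALS -> prints one verdict word
diagnose() {
    if ! needs_echainiv "$1" || ! uses_cbc "$3"; then
        echo not-affected; return 0
    fi
    case $(echainiv_state "$2") in
        y) echo ok-builtin ;;
        m) echo check-module-loaded ;;   # built as a module: confirm it is loaded
        *) echo echainiv-missing ;;
    esac
}

# Constructed sample config fragment (not the poster's real kernel config).
sample=$(mktemp)
printf '%s\n' 'CONFIG_INET_ESP=m' '# CONFIG_CRYPTO_ECHAINIV is not set' > "$sample"
diagnose 4.4.0-145-generic "$sample" 'aes256-sha1,3des-sha1!'   # prints echainiv-missing
rm -f "$sample"
```

On a live Ubuntu system the same function can be pointed at the running kernel with `diagnose "$(uname -r)" "/boot/config-$(uname -r)" "$esp"`, where `$esp` holds the `esp=` value from the connection definition.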
