Good morning All,

I am trying to use aesxcbc for integrity. It works when I use it with IKE but throws a netlink error while trying to use it with ESP.

strongSwan is compiled with --enable-xcbc. Would highly appreciate any suggestions to resolve the problem. Tx.

Logs below.

My ipsec.conf is given below:

ike=aes256-aesxcbc-modp1536!
esp=aes256-aesxcbc-modp2048!

AESXCBC is listed in Integrity algos:

root@t1024rdb:~# swanctl --list-algs
encryption:
  AES_CBC[aes] AES_ECB[aes] 3DES_CBC[des] DES_CBC[des] DES_ECB[des] BLOWFISH_CBC[blowfish] RC2_CBC[rc2]
integrity:
  AES_XCBC_96[xcbc] AES_CMAC_96[cmac] HMAC_SHA1_96[hmac] HMAC_SHA1_128[hmac] HMAC_SHA1_160[hmac] HMAC_MD5_96[hmac] HMAC_MD5_128[hmac] HMAC_SHA2_256_128[hmac] HMAC_SHA2_256_256[hmac] HMAC_SHA2_384_192[hmac] HMAC_SHA2_384_384[hmac] HMAC_SHA2_512_256[hmac] HMAC_SHA2_512_512[hmac]
aead:
hasher:
  HASH_SHA1[sha1] HASH_SHA2_224[sha2] HASH_SHA2_256[sha2] HASH_SHA2_384[sha2] HASH_SHA2_512[sha2] HASH_MD5[md5] HASH_IDENTITY[curve25519]

SA Established:

root@t1024rdb:~# ipsec statusall m1
Status of IKE charon daemon (weakSwan 5.8.2, Linux 4.1.35-rt41, ppc64):
  uptime: 9 seconds, since Nov 05 21:27:35 2018
  malloc: sbrk 2027520, mmap 0, used 288528, free 1738992
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac drbg attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  10.10.5.1
  192.168.51.2
  192.168.52.2
  172.16.31.1
  172.16.32.1
Connections:
          m1:  172.16.31.1...172.16.31.2  IKEv2, dpddelay=60s
          m1:   local:  [172.16.31.1] uses pre-shared key authentication
          m1:   remote: [172.16.31.2] uses pre-shared key authentication
          m1:   child:  192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24 TUNNEL, dpdaction=clear
Routed Connections:
       m1{1}:  ROUTED, TUNNEL, reqid 1
       m1{1}:   192.168.9.0/24 192.168.51.0/24 === 10.10.9.0/24 192.168.61.0/24
Security Associations (1 up, 0 connecting):
       m1[1]: ESTABLISHED 7 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
       m1[1]: IKEv2 SPIs: eca1d32c9e634128_i* b1157e6f487ea502_r, pre-shared key reauthentication in 39 minutes
       m1[1]: IKE proposal: AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_1536
root@t1024rdb:~#

CHILD-SA fails:

11[IKE] 172.16.31.1 is initiating an IKE_SA
11[CFG] selected proposal: IKE:AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_1536
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
11[NET] sending packet: from 172.16.31.2[500] to 172.16.31.1[500] (408 bytes)
13[NET] received packet: from 172.16.31.1[500] to 172.16.31.2[500] (268 bytes)
13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13[CFG] looking for peer configs matching 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
13[CFG] selected peer config 'm1'
13[IKE] authentication of '172.16.31.1' with pre-shared key successful
13[IKE] authentication of '172.16.31.2' (myself) with pre-shared key
13[IKE] IKE_SA m1[1] established between 172.16.31.2[172.16.31.2]...172.16.31.1[172.16.31.1]
13[IKE] scheduling reauthentication in 2921s
13[IKE] maximum IKE_SA lifetime 3461s
13[CFG] selected proposal: ESP:AES_CBC_256/AES_XCBC_96/NO_EXT_SEQ
13[KNL] received netlink error: Function not implemented (38)
13[KNL] unable to add SAD entry with SPI cadbb51e (FAILED)
13[KNL] received netlink error: Function not implemented (38)
13[KNL] unable to add SAD entry with SPI c05ee772 (FAILED)
13[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
13[IKE] failed to establish CHILD_SA, keeping IKE_SA

Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr, Mississauga, Ontario L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax: +1-289-401-5206
Email: makarandprad...@is5com.com
Website: www.iS5Com.com
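A check a practitioner would run before posting the logs above. The two halves of the failure live in different places: strongSwan's xcbc plugin implements AES-XCBC in userland, which is why the IKE_SA negotiates and comes up, but the ESP SA is handed to the Linux xfrm layer via kernel-netlink, and xfrm looks the authentication algorithm up by its crypto API name ("xcbc(aes)") when it installs the SA. If the kernel crypto API cannot provide that name, the XFRM_MSG_NEWSA request fails with ENOSYS, which is the "Function not implemented (38)" in the log. The script below is an added example, not code from the post or from the strongSwan project: it maps a strongSwan esp= integrity keyword to the kernel-side name and looks that name up in a /proc/crypto-style file. The file path is a parameter so the same function runs against a saved copy; the /proc/crypto excerpt embedded here is constructed for illustration (it deliberately lacks xcbc(aes)), and the helper names are my own.

```sh
#!/bin/sh
# Added diagnostic, not code from the original post or from strongSwan.
# Checks whether the kernel crypto API registers the algorithm that xfrm
# requests for a given strongSwan ESP integrity keyword. The file argument
# is normally /proc/crypto; a constructed excerpt is used below.

# strongSwan esp= integrity keyword -> Linux crypto API name that
# kernel-netlink passes to xfrm when installing the SA.
xfrm_auth_name() {
    case "$1" in
        aesxcbc) echo "xcbc(aes)" ;;
        aescmac) echo "cmac(aes)" ;;
        md5)     echo "hmac(md5)" ;;
        sha1)    echo "hmac(sha1)" ;;
        sha256)  echo "hmac(sha256)" ;;
        sha384)  echo "hmac(sha384)" ;;
        sha512)  echo "hmac(sha512)" ;;
        *)       return 1 ;;
    esac
}

# kernel_has_alg FILE NAME
# /proc/crypto is a list of blank-line separated records; the "name" field
# carries the crypto API name ("driver" is the implementation behind it).
# Fields split on whitespace, so "name : xcbc(aes)" gives $1=name $3=xcbc(aes).
kernel_has_alg() {
    awk -v want="$2" '$1 == "name" && $3 == want { found = 1 }
                      END { exit (found ? 0 : 1) }' "$1"
}

# check_esp_integrity FILE KEYWORD
# returns 0 if the kernel provides it, 1 if missing (SA install would fail
# with netlink ENOSYS), 2 for an unknown keyword.
check_esp_integrity() {
    _file=$1 _kw=$2
    _name=$(xfrm_auth_name "$_kw") || {
        echo "unknown esp integrity keyword: $_kw" >&2
        return 2
    }
    if kernel_has_alg "$_file" "$_name"; then
        echo "ok: kernel registers $_name; esp=...-$_kw can be installed"
        return 0
    fi
    echo "missing: $_name not in $_file; xfrm would reject the SA (netlink error 38, ENOSYS)" >&2
    return 1
}

# Constructed /proc/crypto excerpt: cmac(aes) and hmac(sha1) present, no xcbc(aes).
SAMPLE_CRYPTO=$(mktemp)
cat > "$SAMPLE_CRYPTO" <<'EOF'
name         : cmac(aes)
driver       : cmac(aes-generic)
module       : cmac
priority     : 100
type         : shash
digestsize   : 16

name         : hmac(sha1)
driver       : hmac(sha1-generic)
module       : kernel
priority     : 100
type         : shash
digestsize   : 20

name         : cbc(aes)
driver       : cbc(aes-generic)
module       : kernel
priority     : 100
type         : blkcipher
EOF

for kw in aesxcbc aescmac sha1; do
    check_esp_integrity "$SAMPLE_CRYPTO" "$kw" || true
done
# On a live system: check_esp_integrity /proc/crypto aesxcbc
```

One caveat when reading the result on a real box: /proc/crypto only lists algorithms that are registered right now. xfrm's lookup goes through the crypto API's module autoloader, so with CONFIG_CRYPTO_XCBC=m the first SA install pulls in xcbc.ko and the entry appears afterwards; "modprobe xcbc" followed by a re-check tells the two cases apart. If the option is not built at all (the situation the ENOSYS points at), the choices are a kernel rebuild with CONFIG_CRYPTO_XCBC enabled or an esp= integrity algorithm the kernel already registers, such as aescmac or sha256 in the sample above.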