Re: ipsec broken
On 28/12/20 11:43, Mao Mei wrote:
> > That package is maintained in the community feeds, please open an issue
> > https://github.com/openwrt/packages/issues
> > and use "@stintel" in the maintainer field to ping the maintainer
>
> Thanks for the reply, but I think it's not a strongswan issue, but a kernel issue.
> It's easy to verify.
>
>     # opkg install ip-full kmod-ipsec4
>     # ip xfrm state add src 192.168.2.100 dst 192.168.1.10 proto esp spi 0x0301 mode tunnel auth sha1 0x96358c90783bbfa3d7b196ceabe0536b enc aes 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
>
> ___
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel

If there is anybody in the community who cares about kmod-ipsec and is interested in fixing it, it is the maintainers of applications that need it to work.

stintel is one of the core developers too, he has commit access to the main repo, he can probably handle this.

I really think you should open an issue in that repo or send him an email to ping him about the issue.

-Alberto
Re: Re: ipsec broken
> That package is maintained in the community feeds, please open an issue
> https://github.com/openwrt/packages/issues
> and use "@stintel" in the maintainer field to ping the maintainer

Thanks for the reply, but I think it's not a strongswan issue, but a kernel issue.
It's easy to verify.

    # opkg install ip-full kmod-ipsec4
    # ip xfrm state add src 192.168.2.100 dst 192.168.1.10 proto esp spi 0x0301 mode tunnel auth sha1 0x96358c90783bbfa3d7b196ceabe0536b enc aes 0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
Re: ipsec broken
On 27/12/20 16:49, Mao Mei wrote:
> It seems that ipsec has been broken for a long time.
> See https://forum.openwrt.org/t/ipsec-has-been-broken-for-a-while/81120
>
> Log on mt7621:
>
>     12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
>     12[KNL] got SPI cecfbd68
>     12[KNL] adding SAD entry with SPI cecfbd68 and reqid {1}
>     12[KNL] using encryption algorithm AES_CBC with key size 128
>     12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
>     12[KNL] using replay window of 32 packets
>     12[KNL] HW offload: no
>     12[KNL] received netlink error: No such file or directory (2)
>     12[KNL] unable to add SAD entry with SPI cecfbd68 (FAILED)
>     12[KNL] adding SAD entry with SPI 04c603db and reqid {1}
>     12[KNL] using encryption algorithm AES_CBC with key size 128
>     12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
>     12[KNL] using replay window of 0 packets
>     12[KNL] HW offload: no
>     12[KNL] received netlink error: No such file or directory (2)
>     12[KNL] unable to add SAD entry with SPI 04c603db (FAILED)
>     12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
>     12[IKE] failed to establish CHILD_SA, keeping IKE_SA

That package is maintained in the community feeds, please open an issue
https://github.com/openwrt/packages/issues
and use "@stintel" in the maintainer field to ping the maintainer

-Alberto
ipsec broken
It seems that ipsec has been broken for a long time.
See https://forum.openwrt.org/t/ipsec-has-been-broken-for-a-while/81120

Log on mt7621:

    12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
    12[KNL] got SPI cecfbd68
    12[KNL] adding SAD entry with SPI cecfbd68 and reqid {1}
    12[KNL] using encryption algorithm AES_CBC with key size 128
    12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
    12[KNL] using replay window of 32 packets
    12[KNL] HW offload: no
    12[KNL] received netlink error: No such file or directory (2)
    12[KNL] unable to add SAD entry with SPI cecfbd68 (FAILED)
    12[KNL] adding SAD entry with SPI 04c603db and reqid {1}
    12[KNL] using encryption algorithm AES_CBC with key size 128
    12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
    12[KNL] using replay window of 0 packets
    12[KNL] HW offload: no
    12[KNL] received netlink error: No such file or directory (2)
    12[KNL] unable to add SAD entry with SPI 04c603db (FAILED)
    12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
    12[IKE] failed to establish CHILD_SA, keeping IKE_SA
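
An added example, not part of the original messages: a small Python parser that groups each charon `[KNL]` "adding SAD entry" line with the algorithms, netlink error and FAILED line that follow it, run over the log excerpt quoted in this thread. The function name `failed_sad_installs` and the record layout are assumptions of this example.

```python
import re
# Log excerpt copied from the report above (charon output on mt7621).
SAMPLE_LOG = """\
12[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
12[KNL] got SPI cecfbd68
12[KNL] adding SAD entry with SPI cecfbd68 and reqid {1}
12[KNL] using encryption algorithm AES_CBC with key size 128
12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
12[KNL] using replay window of 32 packets
12[KNL] HW offload: no
12[KNL] received netlink error: No such file or directory (2)
12[KNL] unable to add SAD entry with SPI cecfbd68 (FAILED)
12[KNL] adding SAD entry with SPI 04c603db and reqid {1}
12[KNL] using encryption algorithm AES_CBC with key size 128
12[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
12[KNL] using replay window of 0 packets
12[KNL] HW offload: no
12[KNL] received netlink error: No such file or directory (2)
12[KNL] unable to add SAD entry with SPI 04c603db (FAILED)
12[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
12[IKE] failed to establish CHILD_SA, keeping IKE_SA
"""
LINE = re.compile(r"^(\d+)\[KNL\]\s+(.*)$")  # thread id, kernel-interface message
ADD = re.compile(r"adding SAD entry with SPI ([0-9a-f]+)")
ALG = re.compile(r"using (encryption|integrity) algorithm (\S+) with key size (\d+)")
ERR = re.compile(r"received netlink error: (.+) \((\d+)\)")
FAIL = re.compile(r"unable to add SAD entry with SPI ([0-9a-f]+)")

def failed_sad_installs(log_text):
    """Return one record per SAD entry that charon reports as FAILED."""
    pending, failures = {}, []  # pending: thread id -> SA being installed
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # only [KNL] lines describe SAD installation
        tid, msg = m.groups()
        if (a := ADD.search(msg)):
            pending[tid] = {"spi": a.group(1), "algs": {}, "error": None, "errno": None}
        elif tid in pending:
            sa = pending[tid]
            if (g := ALG.search(msg)):
                sa["algs"][g.group(1)] = (g.group(2), int(g.group(3)))
            elif (e := ERR.search(msg)):
                sa["error"], sa["errno"] = e.group(1), int(e.group(2))
            elif (f := FAIL.search(msg)) and f.group(1) == sa["spi"]:
                failures.append(pending.pop(tid))
    return failures
if __name__ == "__main__":
    print(*failed_sad_installs(SAMPLE_LOG), sep="\n")
```

Each record carries the SPI, the negotiated algorithms with key sizes, and the netlink errno, which is the information a kernel-side bug report needs.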