I either don't know what to look for on the web or am having trouble finding
settings for IKE phase 1 and phase 2 negotiation. It seems that the "ike="
ipsec.conf parameter specifies settings for Phase 1 but I'm not finding
anything for Phase 2 for strongSwan. Other IPsec implementations
Thanks Tobias. A few follow-up questions:
1. I'm only adding or removing connections in ipsec.conf and not modifying
existing connections. Also, I only use complete IP addresses for both
left and right. So, would `ipsec update` be better suited, and would it still
cause any other known issues?
2.
Thanks Tobias for your response.
I recompiled the kernel with:
+CONFIG_CRYPTO_XCBC=y
And it worked for me.
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Hi Karuna,
> The issue is intermittent
> and possibly coincides with ipsec reload command execution used when we
> make changes in the ipsec.conf file.
Don't use `ipsec reload`, if anything use `ipsec update` as it only
affects the actually modified configs. Either way, there are known
issues
Hi Makarand,
> It works when I use it with IKE but throws a netlink error while trying to
> use with ESP.
Obviously, your kernel does not support the algorithm.
Regards,
Tobias
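
Added example, not part of the thread: a check for the case diagnosed above, where ESP fails because the kernel was built without an algorithm. It reads a kernel config and lists required options that are neither built in nor modules. Only CONFIG_CRYPTO_XCBC comes from the thread; the other option names, the sample config and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a kernel config for options an ESP proposal depends on.

# Constructed sample kernel config (not taken from a real system).
SAMPLE_CONFIG='CONFIG_XFRM_USER=y
CONFIG_INET_ESP=m
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_CBC=y
# CONFIG_CRYPTO_XCBC is not set
'

# option_state FILE OPTION -> prints "y", "m" or "unset".
# "# CONFIG_X is not set" lines and absent options both count as unset.
option_state() {
    awk -F= -v opt="$2" '
        $1 == opt { state = $2 }
        END {
            if (state != "y" && state != "m") state = "unset"
            print state
        }
    ' "$1"
}

# missing_options FILE OPTION... -> prints each OPTION that is neither y nor m.
missing_options() {
    cfg=$1; shift
    for opt in "$@"; do
        [ "$(option_state "$cfg" "$opt")" = unset ] && printf '%s\n' "$opt"
    done
    return 0
}

# check_sample -> runs the check over the constructed config above.
# The option list is an assumed set for an AES-CBC / AES-XCBC ESP proposal.
check_sample() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_CONFIG" > "$tmp"
    missing_options "$tmp" CONFIG_XFRM_USER CONFIG_INET_ESP \
        CONFIG_CRYPTO_CBC CONFIG_CRYPTO_XCBC
    rm -f "$tmp"
}

check_sample
```

On a real host, pass the running kernel's config file as FILE. Many distributions install it as `/boot/config-$(uname -r)`, but that location is an assumption about the system.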
Hi Makarand,
> All the same, the packets are not pushed into the tunnel:
>
> ping 192.168.9.3 -I 10.10.9.4
> PING 192.168.9.3 (192.168.9.3) from 10.10.9.4 : 56(84) bytes of data.
> ping: sendmsg: Network is unreachable
> ping: sendmsg: Network is unreachable
>
> The ip xfrm policy seems to be