Hi Gabriel,

are you using esp=sha256 ?

strongSwan 4.3.6 now implements the correct HMAC truncation to 128 bits
compliant with RFC 4868

  http://tools.ietf.org/html/rfc4868

with the help of an additional XFRM struct which kernels older than 2.6.33
do not recognize without our official SHA2 kernel patch:

  http://download.strongswan.org/uml/sha2.patch.bz2

There are the following workarounds:

1) Do not use esp=sha256

2) Use the old truncation esp=sha256_96 on both sides of the connection.
   This requires the installation of strongSwan 4.3.6 on both IPsec
   end points, though, because this ESP algorithm uses a protocol number
   belonging to the IANA private range.

3) Apply the SHA2 kernel patch on both end points and configure
   strongswan 4.3.6 with esp=sha256.

Best regards

Andreas

Gabriel VLASIU wrote:
> Hi.
>
> strongswan-4.3.6 does not work for me:
>
> Feb 12 16:43:41 xxx pluto[3721]: "xyzNet" #1: ISAKMP SA established
> Feb 12 16:43:41 xxx pluto[3721]: "xyz" #2: initiating Quick Mode
> PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Feb 12 16:43:43 xxx pluto[3721]: "xyzNet" #3: initiating Quick Mode
> PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
> Feb 12 16:43:48 xxx pluto[3721]: "xyz" #2: ERROR: netlink response for Add SA
> [email protected] included errno 22: Invalid argument
> Feb 12 16:43:51 xxx pluto[3721]: "xyzNet" #3: ERROR: netlink response for Add
> SA [email protected] included errno 22: Invalid argument
> Feb 12 16:43:57 xxx pluto[3721]: "xyz" #2: ERROR: netlink response for Add SA
> [email protected] included errno 22: Invalid argument
> Feb 12 16:44:00 xxx pluto[3721]: "xyzNet" #3: ERROR: netlink response for Add
> SA [email protected] included errno 22: Invalid argument
> Feb 12 16:44:18 xxx pluto[3721]: "xyz" #2: ERROR: netlink response for Add SA
> [email protected] included errno 22: Invalid argument
> Feb 12 16:44:21 xxx pluto[3721]: "xyzNet" #3: ERROR: netlink response for Add
> SA [email protected] included errno 22: Invalid argument
>
> What could be the problem?
> Also, strongswan-4.3.5 works just fine...
>
>
> Sincerely,
> Gabriel

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
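Added example, not part of the original message and not strongSwan or kernel code: a simplified ESP integrity check showing why the 128-bit truncation (esp=sha256) and the 96-bit truncation (esp=sha256_96) named in the reply only interoperate when both end points use the same one. The packet layout omits ESN and encryption, and the key, SPI and payload are constructed sample values.

```python
import hashlib
import hmac
import struct

# ICV lengths in bytes for the two ESP settings named in the reply above.
ICV_LEN = {"sha256": 16,      # RFC 4868 truncation to 128 bits
           "sha256_96": 12}   # older truncation to 96 bits


def esp_icv(key: bytes, authenticated: bytes, algo: str) -> bytes:
    """HMAC-SHA-256 over the authenticated ESP bytes, truncated per algo."""
    return hmac.new(key, authenticated, hashlib.sha256).digest()[:ICV_LEN[algo]]


def esp_protect(key, spi, seq, ciphertext, algo):
    """Build SPI | sequence number | payload | ICV (simplified, no ESN)."""
    header = struct.pack("!II", spi, seq)
    return header + ciphertext + esp_icv(key, header + ciphertext, algo)


def esp_verify(key, packet, algo):
    """Receiver side: split off the ICV at the locally configured length."""
    n = ICV_LEN[algo]
    if len(packet) < 8 + n:
        return False
    body, icv = packet[:-n], packet[-n:]
    return hmac.compare_digest(icv, esp_icv(key, body, algo))


def interop_matrix(key, spi, seq, ciphertext):
    """Result of every sender/receiver pairing of the two truncations."""
    return {(s, r): esp_verify(key, esp_protect(key, spi, seq, ciphertext, s), r)
            for s in ICV_LEN for r in ICV_LEN}


# Constructed sample values, not taken from the thread.
KEY = bytes(range(32))
SPI, SEQ = 0x1000, 1
PAYLOAD = b"\x00" * 32   # stands in for the encrypted payload

if __name__ == "__main__":
    for (sender, receiver), ok in interop_matrix(KEY, SPI, SEQ, PAYLOAD).items():
        print(f"sender={sender:10} receiver={receiver:10} verified={ok}")
```

Only the two matching pairings verify; a mixed pairing makes the receiver cut the packet at the wrong offset, so every packet fails the integrity check.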
