Hi,
Appreciating anyone willing to suggest possible cause(s) for the below
problem found in Test "IKEv2.EN.I.1.1.1.3: Use of CHILD_SA" (TAHI IKEv2
test suite). I am using strongswan version of 4.5.2, for a endnode-
endnode test, in RHEL6.2 environment.

IKE_SA_INIT is established between NUT (node under test) and TN (test
node), but IKE_AUTH request created by NUT is not observed by TN.

Some settings used in ipsec.conf are below (and I can share others if
needed for more debugging).

         # Attempt to rekey 5 seconds before the SA expires.
         rekeymargin=5s
         # Set the encryption algorithm for the child SA.
         esp=3des-sha1
         # Set the encryption algorithm for the IKE SA.
         ike=3des-sha1-modp1024
         # Set the lifetime for the IKE SA.
         ikelifetime="64s"
         # Set the lifetime for the child SA.
         keylife="128s"
         # Use perfect forward security on the IKE SA.
         pfs=no
         type=transport

With debug mode set at level 4, following lines are caught in
charon.log (though there are other informations which may not be
required here):
...
.....
05[CFG] added configuration 'tahi_ikev2_test'
10[CFG] stroke message => -2036037751 bytes @ 0xfff80ede300
10[CFG] received stroke: route 'tahi_ikev2_test'
.....
...
10[KNL] adding policy <NUT IP6> === <TN IP6> out
10[KNL] sending XFRM_MSG_NEWPOLICY: => 252 bytes @ 0xfff80edda28
....
10[KNL] unable to add policy <NUT IP6> === <TN IP6> out
....
10[CFG] installing trap failed

I am suspecting over stroke message which is shown as negative bytes.
Before I dig something more deeper, I just liked to check this up with
anyone who has seen this problem earlier.

Thanks for the attention,
Gowri Shankar


_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Reply via email to