On 01.10.22 16:43, Carlos Velasco wrote:
Hi Michael,

I think the remote end wants Transport mode "N(USE_TRANSP)", and the local end says it is not supported. I suppose you are using Linux locally with the "kernel-netlink" module for strongswan (default), so I would check if the transport module is enabled in your kernel. Refer to this doc: https://docs.strongswan.org/docs/5.9/install/kernelModules.html

"IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]" can usually be checked with the command in the doc:
grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`

Also, if it is compiled as a module (m), try to load it manually; I think the module name is "xfrm4_mode_transport".

If it is not Linux, you must check that your local OS (or strongswan module, if not using kernel-netlink) properly supports Transport mode.

Regards,
Carlos Velasco

Thanks. Will check.



Michael Schwartzkopff wrote on 01/10/2022 at 15:48:
Hi,


I googled but I did not find a reasonable answer. We are trying to set up a
specific strongswan-strongswan connection in transport mode. The log says:


NET received packet: from x.x.x.x[4500] to y.y.y.y[4500] (240 bytes)}
ENC parsed CREATE_CHILD_SA request 7 [ N(USE_TRANSP) SA No KE TSi TSr ]}
CFG selected proposal: ESP:CHACHA20_POLY1305/CURVE_25519/NO_EXT_SEQ}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
ESP IPsec SA: unsupported mode}
ESP failed to create SAD entry}
IKE unable to install inbound and outbound IPsec SA (SAD) in kernel}
IKE failed to establish CHILD_SA, keeping IKE_SA}
ENC generating CREATE_CHILD_SA response 7 [ N(NO_PROP) ]}

What exactly does "IPsec SA: unsupported mode" mean? Unsupported mode
"transport"?

Or unsupported cipher algorithms? Or did anything else go wrong?


Kind regards,

--

[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, District Court München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
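
The kernel check suggested in the quoted reply, as an added shell example that is not part of the original thread: it classifies how a kernel config file sets CONFIG_INET_XFRM_MODE_TRANSPORT and, for a modular build, whether xfrm4_mode_transport (the module name the reply guesses at) appears in a /proc/modules-style listing. The function names and the optional listing-file argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage for "IPsec SA: unsupported mode" on a kernel-netlink host.
# Option and module names are taken from the reply quoted in the thread.
OPT=CONFIG_INET_XFRM_MODE_TRANSPORT
MOD=xfrm4_mode_transport

# Print how a kernel build config sets $OPT:
# builtin, module, disabled, absent, or unreadable.
xfrm_transport_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unreadable; return 2; }
    if grep -q "^${OPT}=y\$" "$cfg"; then
        echo builtin
    elif grep -q "^${OPT}=m\$" "$cfg"; then
        echo module
    elif grep -q "^# ${OPT} is not set\$" "$cfg"; then
        echo disabled
    else
        echo absent    # option does not appear in this config file at all
    fi
}

# Succeed if module $1 is listed in $2 (default: /proc/modules).
# Each line of that file starts with the module name followed by a space.
module_loaded() {
    grep -q "^$1 " "${2:-/proc/modules}"
}

# Combine both checks into a one-line verdict.
# $1 = kernel config file, $2 = module listing (hypothetical override for testing)
transport_mode_verdict() {
    state=$(xfrm_transport_state "$1") || true
    case $state in
        builtin)  echo "ok: transport mode built into kernel" ;;
        module)
            if module_loaded "$MOD" "${2:-/proc/modules}"; then
                echo "ok: $MOD loaded"
            else
                echo "action: modprobe $MOD"
            fi ;;
        disabled) echo "fail: $OPT is not set" ;;
        *)        echo "unknown: $OPT $state in $1" ;;
    esac
}
```

On a live host, call `transport_mode_verdict "/boot/config-$(uname -r)"`, the same file the grep command in the reply reads.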
