[Openswan Users] errno 22: Invalid argument and add_sa ipcomp failed

SCHNEIDER Benoit ton.ami.totoro at gmail.com
Tue Jul 12 03:54:20 EDT 2011


If I uncomment compress=yes, the VPN is not established and I get
this:

002 "vpn-name" #17749880: initiating Main Mode
104 "vpn-name" #17749880: STATE_MAIN_I1: initiate
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [0048e2270bea8395ed778d343cc2a076]
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [5cbeb399eb835a7d7a2eb495905db061]
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload [810fa565f8ab14369105d706fbd57279]
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
003 "vpn-name" #17749880: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
003 "vpn-name" #17749880: received Vendor ID payload [XAUTH]
003 "vpn-name" #17749880: received Vendor ID payload [Dead Peer Detection]
002 "vpn-name" #17749880: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
002 "vpn-name" #17749880: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "vpn-name" #17749880: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn-name" #17749880: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
002 "vpn-name" #17749880: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "vpn-name" #17749880: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpn-name" #17749880: Main mode peer ID is ID_IPV4_ADDR: 'public-ip-B'
002 "vpn-name" #17749880: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpn-name" #17749880: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
002 "vpn-name" #17749883: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880 msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
117 "vpn-name" #17749883: STATE_QUICK_I1: initiate
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA comp.51750002 at public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1
003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1
003 "vpn-name" #17749883: discarding duplicate packet; already STATE_QUICK_I1

Regards

2011/7/12 SCHNEIDER Benoit <ton.ami.totoro at gmail.com>

> Hi, thanks for your answer.
>
> We commented out "compress=yes" but we are still getting the message.
> Actually we have this message too: failed to install outgoing SA: 0
>
> The VPN comes up, but after a short time the second phase fails and we need to
> restart the VPN.
>
> Example of conf files:
>
> conn vpn-name
>         auth=esp
>         ike=aes128-md5-modp1024
>         authby=secret
>         auto=route
>         #compress=no
>         pfs=no
>         type=tunnel
>         keylife=24h
>         esp=null-md5
>         left=public-ip-A
>         leftid=public-ip-A
>         leftsubnet=subnet-A
>         right=public-ip-B
>         rightid=public-ip-B
>         rightsubnet=subnet-B
>
> /etc/ipsec.d/examples/no_oe.conf
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> /etc/ipsec.conf
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
>
> # This file:  /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual:     ipsec.conf.5
>
>
> version 2.0     # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>         forwardcontrol=yes
>         nat_traversal=yes
>         uniqueids=no
>         nhelpers=0
>
> # Add connections here
>
> # sample VPN connections, see /etc/ipsec.d/examples/
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> include /etc/ipsec.d/sites/*.conf
>
>
> ipsec.secrets
>
> public-ip-A public-ip-B : PSK "passkey"
>
> lsmod:
>
> Module                  Size  Used by
> xfrm_user              16134  2
> ah6                     3677  0
> ah4                     3011  0
> esp6                    3781  0
> xfrm4_mode_beet         1519  0
> xfrm4_tunnel            1201  0
> xfrm4_mode_transport      982  0
> xfrm6_mode_transport     1002  0
> xfrm6_mode_ro            870  0
> xfrm6_mode_beet         1358  0
> ipcomp                  1356  0
> ipcomp6                 1336  0
> xfrm6_tunnel            4033  1 ipcomp6
> af_key                 23286  0
> esp4                    3985  3504
> xfrm4_mode_tunnel       1264  7008
> xfrm6_mode_tunnel       1196  3504
> iptable_filter          1790  0
> ip_tables               7706  1 iptable_filter
> x_tables                8327  1 ip_tables
> authenc                 4746  3504
> deflate                 1315  0
> zlib_deflate           15822  1 deflate
> ctr                     2703  0
> camellia               16843  0
> cast5                  15593  0
> rmd160                  9448  0
> sha1_generic            1395  0
> hmac                    2033  7008
> crypto_null             1876  3504
> tunnel4                 1469  1 xfrm4_tunnel
> xfrm_ipcomp             2855  2 ipcomp,ipcomp6
> tunnel6                 1364  1 xfrm6_tunnel
> rng_core                2178  0
> ccm                     6017  0
> serpent                16187  0
> blowfish                7252  0
> twofish                 5665  0
> twofish_common         12560  1 twofish
> ecb                     1405  0
> xcbc                    1925  0
> cbc                     2047  0
> sha256_generic         10748  0
> sha512_generic          8009  0
> des_generic            15027  0
> aes_i586                6816  0
> aes_generic            25738  1 aes_i586
> loop                    9729  0
> radeon                511356  0
> ttm                    33258  1 radeon
> drm_kms_helper         18533  1 radeon
> drm                   111844  3 radeon,ttm,drm_kms_helper
> i3200_edac              2311  0
> i2c_i801                6462  0
> container               1833  0
> i2c_algo_bit            3497  1 radeon
> i2c_core               12751  5 radeon,drm_kms_helper,drm,i2c_i801,i2c_algo_bit
> edac_core              23121  2 i3200_edac
> snd_pcm                47226  0
> snd_timer              12258  1 snd_pcm
> snd                    34387  2 snd_pcm,snd_timer
> soundcore               3450  1 snd
> snd_page_alloc          4977  1 snd_pcm
> pcspkr                  1207  0
> evdev                   5609  2
> parport_pc             15799  0
> parport                22554  1 parport_pc
> button                  3598  0
> shpchp                 21220  0
> pci_hotplug            18065  1 shpchp
> video                  14605  0
> output                  1204  1 video
> psmouse                44777  0
> serio_raw               2916  0
> processor              26259  0
> ext3                   93944  6
> jbd                    31965  1 ext3
> mbcache                 3762  1 ext3
> sd_mod                 25937  8
> crc_t10dif              1012  1 sd_mod
> usbhid                 27872  0
> hid                    50841  1 usbhid
> uhci_hcd               15989  0
> ata_generic             2247  0
> ata_piix               17704  0
> it8213                  1996  0
> floppy                 40923  0
> ide_core               59306  1 it8213
> 3w_xxxx                18465  7
> libata                115617  2 ata_generic,ata_piix
> thermal                 9206  0
> thermal_sys             9378  3 video,processor,thermal
> scsi_mod              104593  3 sd_mod,3w_xxxx,libata
> ehci_hcd               28453  0
> e1000e                 97529  0
> usbcore                98613  4 usbhid,uhci_hcd,ehci_hcd
> nls_base                4541  1 usbcore
>
> Thanks for helping.
>
> Benoit
>
> 2011/7/12 Paul Wouters <paul at xelerance.com>
>
>> On Mon, 11 Jul 2011, SCHNEIDER Benoit wrote:
>>
>>  At my office we did an upgrade from a Debian etch Openswan version to a
>>> squeeze one, and we are still having some problems.
>>> For some remote sites we have this error:
>>>
>>> ERROR: netlink response for Add SA comp.9005 at XX.XX.XX.XX included errno
>>> 22: Invalid argument
>>> add_sa ipcomp failed
>>>
>>> Any idea about this problem?
>>>
>>> We seem to have an MTU problem too, any idea?
>>>
>>
>> Looks like a kernel with no ipcomp module loaded?
>>
>> Comment out compress=yes ?
>>
>> Paul
>
>


-- 
"free software and free of charge, it's exorbitant, the financial pit it is
to stay up to date legally" (a troll)

"When they came to arrest the Jews, I was not a Jew, so I said
nothing.
When they came to arrest the Freemasons, I was not a Freemason,
so I said nothing.
When they came to arrest the democrats, I was not involved in politics,
so I said nothing.
Now they are downstairs, come to arrest me, and I realize
it is too late."
A Protestant pastor during the Second World War.

"The world is dangerous not because of those who do evil, but
because of those who watch and let it happen"
(Albert Einstein)
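
Added example, not part of the thread and not Openswan code: a small triage script for transcripts like the one in this message. It rejoins mail-wrapped status lines, then ties the failed "Add SA comp" call to the COMPRESS policy flag and notes the NULL ESP proposal. The finding tag names are made up for this sketch, and the sample is constructed from the Quick Mode lines quoted above.

```python
import re

# Constructed sample: Quick Mode lines copied from the post, still mail-wrapped.
SAMPLE = """\
002 "vpn-name" #17749883: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880
msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms
[ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA
comp.51750002 at public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
"""

STATUS = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
QUICK = re.compile(r"initiating Quick Mode (\S+) \{.*proposal=(\S+)")
# The list archive rewrites "@" as " at "; accept both spellings.
ADD_SA = re.compile(r"Add SA (\w+)\.([0-9a-f]+)(?: at |@)(\S+) included errno (\d+)")

def rejoin(text):
    """Glue mail-wrapped continuation lines back onto their status line."""
    lines = []
    for raw in text.splitlines():
        raw = raw.strip()
        if STATUS.match(raw) or not lines:
            lines.append(raw)
        elif raw:
            lines[-1] += " " + raw
    return lines

def analyse(text):
    """Return {state_number: {"conn", "policy", "findings"}} for a transcript."""
    states = {}
    for line in rejoin(text):
        m = STATUS.match(line)
        if not m:
            continue
        _code, conn, state, msg = m.groups()
        s = states.setdefault(state, {"conn": conn, "policy": [], "findings": []})
        if q := QUICK.search(msg):
            s["policy"] = q.group(1).split("+")
            if q.group(2).startswith("NULL"):
                s["findings"].append("esp-null-proposed")  # ESP without encryption
        if a := ADD_SA.search(msg):
            kind, _spi, _peer, errno = a.groups()
            tag = f"add-sa-failed:{kind}:errno{errno}"
            if kind == "comp" and "COMPRESS" in s["policy"]:
                tag += ":ipcomp-requested-by-policy"
            s["findings"].append(tag)
    return states
```

Calling `analyse(SAMPLE)` returns one entry keyed by state number `17749883`.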