[Openswan Users] errno 22: Invalid argument and add_sa ipcomp failed
SCHNEIDER Benoit
ton.ami.totoro at gmail.com
Tue Jul 12 03:54:20 EDT 2011
If I uncomment compress=yes, the VPN is not established and I get
this:
002 "vpn-name" #17749880: initiating Main Mode
104 "vpn-name" #17749880: STATE_MAIN_I1: initiate
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload
[0048e2270bea8395ed778d343cc2a076]
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload
[5cbeb399eb835a7d7a2eb495905db061]
003 "vpn-name" #17749880: ignoring unknown Vendor ID payload
[810fa565f8ab14369105d706fbd57279]
003 "vpn-name" #17749880: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] method set to=108
003 "vpn-name" #17749880: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 108
003 "vpn-name" #17749880: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 108
003 "vpn-name" #17749880: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-00]
003 "vpn-name" #17749880: received Vendor ID payload [XAUTH]
003 "vpn-name" #17749880: received Vendor ID payload [Dead Peer Detection]
002 "vpn-name" #17749880: enabling possible NAT-traversal with method
draft-ietf-ipsec-nat-t-ike-05
002 "vpn-name" #17749880: transition from state STATE_MAIN_I1 to state
STATE_MAIN_I2
106 "vpn-name" #17749880: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpn-name" #17749880: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed
002 "vpn-name" #17749880: transition from state STATE_MAIN_I2 to state
STATE_MAIN_I3
108 "vpn-name" #17749880: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpn-name" #17749880: Main mode peer ID is ID_IPV4_ADDR: 'public-ip-B'
002 "vpn-name" #17749880: transition from state STATE_MAIN_I3 to state
STATE_MAIN_I4
004 "vpn-name" #17749880: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
002 "vpn-name" #17749883: initiating Quick Mode
PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880
msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
117 "vpn-name" #17749883: STATE_QUICK_I1: initiate
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms
[ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA
comp.51750002 at public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
003 "vpn-name" #17749883: discarding duplicate packet; already
STATE_QUICK_I1
003 "vpn-name" #17749883: discarding duplicate packet; already
STATE_QUICK_I1
003 "vpn-name" #17749883: discarding duplicate packet; already
STATE_QUICK_I1
Regards
2011/7/12 SCHNEIDER Benoit <ton.ami.totoro at gmail.com>
> Hi thanks for your answer.
>
> We commented out "compress=yes" but we are still getting the message.
> Actually we have this message too: failed to install outgoing SA: 0
>
> The VPN goes up, but after a short time the second phase falls and we need to
> restart the VPN.
>
> Example of conf files:
>
> conn vpn-name
>     auth=esp
>     ike=aes128-md5-modp1024
>     authby=secret
>     auto=route
>     #compress=no
>     pfs=no
>     type=tunnel
>     keylife=24h
>     esp=null-md5
>     left=public-ip-A
>     leftid=public-ip-A
>     leftsubnet=subnet-A
>     right=public-ip-B
>     rightid=public-ip-B
>     rightsubnet=subnet-B
>
> /etc/ipsec.d/examples/no_oe.conf
>
> conn block
>     auto=ignore
>
> conn private
>     auto=ignore
>
> conn private-or-clear
>     auto=ignore
>
> conn clear-or-private
>     auto=ignore
>
> conn clear
>     auto=ignore
>
> conn packetdefault
>     auto=ignore
>
> /etc/ipsec.conf
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> # RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $
>
> # This file: /usr/share/doc/openswan/ipsec.conf-sample
> #
> # Manual: ipsec.conf.5
>
>
> version 2.0 # conforms to second version of ipsec.conf specification
>
> # basic configuration
> config setup
>     forwardcontrol=yes
>     nat_traversal=yes
>     uniqueids=no
>     nhelpers=0
>
> # Add connections here
>
> # sample VPN connections, see /etc/ipsec.d/examples/
>
> #Disable Opportunistic Encryption
> include /etc/ipsec.d/examples/no_oe.conf
>
> include /etc/ipsec.d/sites/*.conf
>
>
> ipsec.secrets
>
> public-ip-A public-ip-B : PSK "passkey"
>
> lsmod:
>
> Module Size Used by
> xfrm_user 16134 2
> ah6 3677 0
> ah4 3011 0
> esp6 3781 0
> xfrm4_mode_beet 1519 0
> xfrm4_tunnel 1201 0
> xfrm4_mode_transport 982 0
> xfrm6_mode_transport 1002 0
> xfrm6_mode_ro 870 0
> xfrm6_mode_beet 1358 0
> ipcomp 1356 0
> ipcomp6 1336 0
> xfrm6_tunnel 4033 1 ipcomp6
> af_key 23286 0
> esp4 3985 3504
> xfrm4_mode_tunnel 1264 7008
> xfrm6_mode_tunnel 1196 3504
> iptable_filter 1790 0
> ip_tables 7706 1 iptable_filter
> x_tables 8327 1 ip_tables
> authenc 4746 3504
> deflate 1315 0
> zlib_deflate 15822 1 deflate
> ctr 2703 0
> camellia 16843 0
> cast5 15593 0
> rmd160 9448 0
> sha1_generic 1395 0
> hmac 2033 7008
> crypto_null 1876 3504
> tunnel4 1469 1 xfrm4_tunnel
> xfrm_ipcomp 2855 2 ipcomp,ipcomp6
> tunnel6 1364 1 xfrm6_tunnel
> rng_core 2178 0
> ccm 6017 0
> serpent 16187 0
> blowfish 7252 0
> twofish 5665 0
> twofish_common 12560 1 twofish
> ecb 1405 0
> xcbc 1925 0
> cbc 2047 0
> sha256_generic 10748 0
> sha512_generic 8009 0
> des_generic 15027 0
> aes_i586 6816 0
> aes_generic 25738 1 aes_i586
> loop 9729 0
> radeon 511356 0
> ttm 33258 1 radeon
> drm_kms_helper 18533 1 radeon
> drm 111844 3 radeon,ttm,drm_kms_helper
> i3200_edac 2311 0
> i2c_i801 6462 0
> container 1833 0
> i2c_algo_bit 3497 1 radeon
> i2c_core 12751 5 radeon,drm_kms_helper,drm,i2c_i801,i2c_algo_bit
> edac_core 23121 2 i3200_edac
> snd_pcm 47226 0
> snd_timer 12258 1 snd_pcm
> snd 34387 2 snd_pcm,snd_timer
> soundcore 3450 1 snd
> snd_page_alloc 4977 1 snd_pcm
> pcspkr 1207 0
> evdev 5609 2
> parport_pc 15799 0
> parport 22554 1 parport_pc
> button 3598 0
> shpchp 21220 0
> pci_hotplug 18065 1 shpchp
> video 14605 0
> output 1204 1 video
> psmouse 44777 0
> serio_raw 2916 0
> processor 26259 0
> ext3 93944 6
> jbd 31965 1 ext3
> mbcache 3762 1 ext3
> sd_mod 25937 8
> crc_t10dif 1012 1 sd_mod
> usbhid 27872 0
> hid 50841 1 usbhid
> uhci_hcd 15989 0
> ata_generic 2247 0
> ata_piix 17704 0
> it8213 1996 0
> floppy 40923 0
> ide_core 59306 1 it8213
> 3w_xxxx 18465 7
> libata 115617 2 ata_generic,ata_piix
> thermal 9206 0
> thermal_sys 9378 3 video,processor,thermal
> scsi_mod 104593 3 sd_mod,3w_xxxx,libata
> ehci_hcd 28453 0
> e1000e 97529 0
> usbcore 98613 4 usbhid,uhci_hcd,ehci_hcd
> nls_base 4541 1 usbcore
>
> Thanks for helping.
>
> Benoit
>
> 2011/7/12 Paul Wouters <paul at xelerance.com>
>
>> On Mon, 11 Jul 2011, SCHNEIDER Benoit wrote:
>>
>>> At my office we did an upgrade from a Debian etch openswan version to a
>>> squeeze one, and we still have some problems.
>>> For some distant site we have this error:
>>>
>>> ERROR: netlink response for Add SA comp.9005 at XX.XX.XX.XX included errno
>>> 22: Invalid argument
>>> add_sa ipcomp failed
>>>
>>> Any idea about this problem?
>>>
>>> We seem to have an MTU problem too, any idea?
>>>
>>
>> Looks like a kernel with no ipcomp module loaded?
>>
>> Comment out compress=yes ?
>>
>> Paul
>
>
--
"Free and free-of-charge software: the financial pit it takes to stay
legally up to date is exorbitant" (a troll)
"When they came to arrest the Jews, I was not a Jew, so I said
nothing.
When they came to arrest the Freemasons, I was not a Freemason,
so I said nothing.
When they came to arrest the democrats, I was not involved in politics,
so I said nothing.
Now they are downstairs, come to arrest me, and I realize
it is too late."
A Protestant pastor during the Second World War.
"The world is dangerous not because of those who do evil, but
because of those who look on and let it happen"
(Albert Einstein)
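
Added example, not part of the original message and not Openswan code: a small triage script for the pluto status lines quoted above. It flags a Quick Mode policy that requests IPComp, an ESP NULL (unencrypted) proposal, and a failed netlink Add SA, then checks lsmod text for IPComp-related modules. The sample inputs are constructed from lines in this post (unwrapped), and the module set checked is an assumption taken from the lsmod listing above.

```python
import re

# Constructed sample: pluto status lines from the post, unwrapped to one per line.
SAMPLE_LOG = """\
002 "vpn-name" #17749883: initiating Quick Mode PSK+ENCRYPT+COMPRESS+TUNNEL+UP+IKEv2ALLOW {using isakmp#17749880 msgid:dc40bc72 proposal=NULL(11)_000-MD5(1)_128 pfsgroup=no-pfs}
003 "vpn-name" #17749883: You should NOT use insecure ESP algorithms [ESP_NULL (0)]!
003 "vpn-name" #17749883: ERROR: netlink response for Add SA comp.51750002 at public-ip-B included errno 22: Invalid argument
032 "vpn-name" #17749883: STATE_QUICK_I1: internal error
"""
# Constructed sample: a few rows copied from the lsmod listing in the post.
SAMPLE_LSMOD = """\
Module Size Used by
ipcomp 1356 0
xfrm_ipcomp 2855 2 ipcomp,ipcomp6
deflate 1315 0
esp4 3985 3504
"""
# Assumption: the modules from the post's listing that relate to IPv4 IPComp.
IPCOMP_MODULES = {"ipcomp", "xfrm_ipcomp", "deflate"}
LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')
QUICK = re.compile(r'initiating Quick Mode (\S+) \{.*proposal=([^ }]+)')
ADD_SA = re.compile(r'Add SA (\w+)\.([0-9a-f]+) at (\S+) included errno (\d+)')

def loaded_modules(lsmod_text):
    # First column of every row after the header is the module name.
    return {r.split()[0] for r in lsmod_text.splitlines()[1:] if r.strip()}

def triage(log_text, lsmod_text):
    findings, modules = [], loaded_modules(lsmod_text)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        _, conn, state, msg = m.groups()
        q = QUICK.search(msg)
        if q and "COMPRESS" in q.group(1).split("+"):
            findings.append((conn, state, "ipcomp-requested"))
        if q and q.group(2).startswith("NULL"):
            findings.append((conn, state, "esp-null-proposed"))
        a = ADD_SA.search(msg)
        if a:
            kind, errno_ = a.group(1), a.group(4)
            findings.append((conn, state, f"add-sa-failed:{kind}:errno{errno_}"))
            if kind == "comp":  # the failing SA is the IPComp one
                missing = sorted(IPCOMP_MODULES - modules)
                status = "missing:" + ",".join(missing) if missing else "loaded"
                findings.append((conn, state, "ipcomp-modules-" + status))
    return findings
```
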