zhangke5959 / strongswan

An IPsec VPN supporting the Chinese national (GM) SM1, SM2, SM3 and SM4 algorithms.

initiate failed: establishing CHILD_SA 'host-host' failed #3

Open PointerWild opened 5 years ago

PointerWild commented 5 years ago

Hello: I don't know why, but it keeps reporting an error, and I hope to get some help from you. The earlier steps are all done; then I copied the server-side CA entirely to the client side, initialised each side separately, and then ran run.sh.

May I ask, is the host IP address on my server side misconfigured? Server local IP: 192.168.224.158. In server.conf: local_addr 192.268.224.158, remote_addr 192.168.224.187

Client local IP: 192.168.224.187. In client.conf: local_addr 192.268.224.187, remote_addr 192.168.224.158. The error output is below:

root@zcah-virtual-machine:/opt/strongswan/testing/tests/gmalg# ./run.sh
loaded certificate from '/ipsec/etc/swanctl/x509/client.cert.pem'
loaded certificate from '/ipsec/etc/swanctl/x509/server.cert.pem'
loaded certificate from '/ipsec/etc/swanctl/x509ca/ca.cert.pem'
unsupported key type in '/ipsec/etc/swanctl/private/client.key.pem'
loaded private key from '/ipsec/etc/swanctl/private/client.key.pem'
unsupported key type in '/ipsec/etc/swanctl/private/server.key.pem'
loaded private key from '/ipsec/etc/swanctl/private/server.key.pem'
loaded xauth secret 'xauth-client'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'host-host'
successfully loaded 1 connections, 0 unloaded
[IKE] initiating Main Mode IKE_SA host-host[6] to 192.168.224.187
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (180 bytes)
[NET] received packet: from 192.168.224.187[500] to 192.168.224.158[500] (160 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (204 bytes)
[NET] received packet: from 192.168.224.187[500] to 192.168.224.158[500] (257 bytes)
[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
[IKE] received cert request for 'C=cn, O=ilove, CN=VPN CA'
[IKE] sending cert request for "C=cn, O=ilove, CN=VPN CA"
[IKE] authentication of 'C=cn, O=ilove, CN=VPN Server' (myself) successful
[IKE] sending end entity cert "C=cn, O=ilove, CN=VPN Server"
[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (684 bytes)
[NET] received packet: from 192.168.224.187[500] to 192.168.224.158[500] (92 bytes)
[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 1268233978 processing failed
[IKE] sending retransmit 1 of request message ID 0, seq 3
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (684 bytes)
[NET] received packet: from 192.168.224.187[500] to 192.168.224.158[500] (92 bytes)
[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 1424871220 processing failed
[IKE] sending retransmit 2 of request message ID 0, seq 3
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (684 bytes)
[NET] received packet: from 192.168.224.187[500] to 192.168.224.158[500] (92 bytes)
[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 3998078836 processing failed
[IKE] sending retransmit 3 of request message ID 0, seq 3
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (684 bytes)
[NET] received packet: from 192.168.224.187[500] to 192.168.224.158[500] (92 bytes)
[ENC] invalid HASH_V1 payload length, decryption failed?
[ENC] could not decrypt payloads
[IKE] message parsing failed
[IKE] ignore malformed INFORMATIONAL request
[IKE] INFORMATIONAL_V1 request with message ID 2821072826 processing failed
[IKE] sending retransmit 4 of request message ID 0, seq 3
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (684 bytes)
[IKE] sending retransmit 5 of request message ID 0, seq 3
[NET] sending packet: from 192.168.224.158[500] to 192.168.224.187[500] (684 bytes)
[IKE] giving up after 5 retransmits
[IKE] establishing IKE_SA failed, peer not responding
initiate failed: establishing CHILD_SA 'host-host' failed

oceansw commented 5 years ago

I ran into the same problem; could you tell me where it went wrong?

PointerWild commented 5 years ago

> I ran into the same problem; could you tell me where it went wrong?

I never solved it in the end either, so sorry, I can't help you.

I forked this on my homepage; there are a few changes to the readme, you can take a look.

oceansw commented 5 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you.
>
> I forked this on my homepage; there are a few changes to the readme, you can take a look.

Thanks for the reply, I'll keep looking into it :)

waccc commented 5 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you.
>
> I forked this on my homepage; there are a few changes to the readme, you can take a look.

Hello! I followed the one on your homepage and still get this error. Have you ever got it to work?

lynchen commented 5 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you. I forked this on my homepage; there are a few changes to the readme, you can take a look.
>
> Hello! I followed the one on your homepage and still get this error. Have you ever got it to work?

The cause is that during SM4 CBC decryption the in and out addresses are the same, which makes decryption fail. See my fork, which fixes it: https://github.com/lynchen/strongswan-gmalg
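The in-place aliasing failure lynchen describes above, shown as an added example that is not code from this repository or from any fork. No SM4 is implemented here: a placeholder invertible 16-byte block function (an assumption, with no security value) stands in for the cipher, and the key, IV and plaintext are constructed. The point is that a CBC decryptor which reads the previous ciphertext block through a pointer into the input buffer works with separate buffers but corrupts every block after the first when `in == out`, and that saving the ciphertext block before writing the output slot removes the defect:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16

/* Placeholder block function standing in for SM4 (NOT SM4, no security value):
 * XOR with the key, then rotate the bytes by three. Any invertible block
 * function is enough to show the aliasing defect. */
static void toy_block_encrypt(const uint8_t key[BLK], const uint8_t in[BLK],
                              uint8_t out[BLK])
{
    uint8_t tmp[BLK];
    for (int j = 0; j < BLK; j++)
        tmp[j] = in[(j + 3) % BLK] ^ key[j];
    memcpy(out, tmp, BLK);           /* tmp makes in == out safe in the block op */
}

static void toy_block_decrypt(const uint8_t key[BLK], const uint8_t in[BLK],
                              uint8_t out[BLK])
{
    uint8_t tmp[BLK];
    for (int j = 0; j < BLK; j++)
        tmp[(j + 3) % BLK] = in[j] ^ key[j];
    memcpy(out, tmp, BLK);
}

/* CBC encryption; len must be a multiple of BLK. Safe for in == out because
 * the chaining value is copied out of the freshly written ciphertext. */
static void cbc_encrypt(const uint8_t key[BLK], const uint8_t iv[BLK],
                        const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t prev[BLK], x[BLK];
    memcpy(prev, iv, BLK);
    for (size_t i = 0; i < len; i += BLK) {
        for (int j = 0; j < BLK; j++)
            x[j] = in[i + j] ^ prev[j];
        toy_block_encrypt(key, x, out + i);
        memcpy(prev, out + i, BLK);
    }
}

/* Defective CBC decryption: `prev` points into `in`. With separate buffers it
 * still points at ciphertext, but when in == out the previous block has already
 * been overwritten with plaintext, so every block after the first is XORed
 * with the wrong chaining value. */
static void cbc_decrypt_aliasing_bug(const uint8_t key[BLK], const uint8_t iv[BLK],
                                     const uint8_t *in, uint8_t *out, size_t len)
{
    const uint8_t *prev = iv;
    for (size_t i = 0; i < len; i += BLK) {
        toy_block_decrypt(key, in + i, out + i);
        for (int j = 0; j < BLK; j++)
            out[i + j] ^= prev[j];
        prev = in + i;               /* aliases out + i when in == out */
    }
}

/* Corrected CBC decryption: the ciphertext block is copied before the output
 * slot is written, so the chaining value survives in-place operation. */
static void cbc_decrypt_fixed(const uint8_t key[BLK], const uint8_t iv[BLK],
                              const uint8_t *in, uint8_t *out, size_t len)
{
    uint8_t prev[BLK], cur[BLK];
    memcpy(prev, iv, BLK);
    for (size_t i = 0; i < len; i += BLK) {
        memcpy(cur, in + i, BLK);    /* save C_i before it can be clobbered */
        toy_block_decrypt(key, cur, out + i);
        for (int j = 0; j < BLK; j++)
            out[i + j] ^= prev[j];
        memcpy(prev, cur, BLK);
    }
}

/* Round-trips three constructed blocks; returns 1 if the plaintext is recovered.
 * use_fixed selects the decrypt routine; in_place decrypts the ciphertext
 * buffer onto itself, which is the situation the thread describes. */
int cbc_roundtrip_ok(int use_fixed, int in_place)
{
    uint8_t key[BLK], iv[BLK], pt[3 * BLK], ct[3 * BLK], dec[3 * BLK];
    for (int j = 0; j < BLK; j++) {          /* constructed key and IV */
        key[j] = (uint8_t)(j * 13 + 5);
        iv[j]  = (uint8_t)(0xA5 ^ j);
    }
    for (int k = 0; k < (int)sizeof pt; k++)  /* constructed plaintext */
        pt[k] = (uint8_t)(k * 7 + 1);

    cbc_encrypt(key, iv, pt, ct, sizeof pt);
    uint8_t *out = in_place ? ct : dec;
    if (use_fixed)
        cbc_decrypt_fixed(key, iv, ct, out, sizeof ct);
    else
        cbc_decrypt_aliasing_bug(key, iv, ct, out, sizeof ct);
    return memcmp(out, pt, sizeof pt) == 0;
}

int main(void)
{
    printf("bug, separate buffers: %s\n", cbc_roundtrip_ok(0, 0) ? "ok" : "FAIL");
    printf("bug, in place:         %s\n", cbc_roundtrip_ok(0, 1) ? "ok" : "FAIL");
    printf("fixed, in place:       %s\n", cbc_roundtrip_ok(1, 1) ? "ok" : "FAIL");
    return 0;
}
```

The first block decrypts correctly in both versions, which is why the IKE log shows the exchange progressing until the first multi-block encrypted payload and then failing with "could not decrypt payloads"; a unit test that only decrypts into a separate buffer never exercises the aliasing path, so a CBC implementation should be tested with `in == out` as well.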

waccc commented 5 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you. I forked this on my homepage; there are a few changes to the readme, you can take a look.
>
> Hello! I followed the one on your homepage and still get this error. Have you ever got it to work?
>
> The cause is that during SM4 CBC decryption the in and out addresses are the same, which makes decryption fail. See my fork, which fixes it: https://github.com/lynchen/strongswan-gmalg

Thanks for the reply! I'd like to ask how to use the kernel xfrm to set up the SA. When configured the way he describes, it reports a "function not implemented" error. After your changes, can it use the kernel xfrm?

7231959 commented 4 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you. I forked this on my homepage; there are a few changes to the readme, you can take a look.
>
> Hello! I followed the one on your homepage and still get this error. Have you ever got it to work?
>
> The cause is that during SM4 CBC decryption the in and out addresses are the same, which makes decryption fail. See my fork, which fixes it: https://github.com/lynchen/strongswan-gmalg

@lynchen Hello! I applied the code changes you made at https://gitee.com/xsnxj/strongswan/commits/master without changing any of the configuration. It gets through the IKE phase 2 negotiation and then reports "function not implemented":

[ENC] generating QUICK_MODE request 1884303646 [ HASH SA No KE ID ID ]
[NET] sending packet: from 192.168.110.35[500] to 192.168.110.159[500] (268 bytes)
[NET] received packet: from 192.168.110.159[500] to 192.168.110.35[500] (268 bytes)
[ENC] parsed QUICK_MODE response 1884303646 [ HASH SA No KE ID ID ]
[CFG] _selected proposal: ESP:SM4_CBC_128/HMAC_SM3/CURVE_SM2/NO_EXTSEQ
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI c8b2ae9a (FAILED)
[KNL] received netlink error: Function not implemented (38)
[KNL] unable to add SAD entry with SPI cbff431d (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[KNL] deleting policy 192.168.110.159/32 === 192.168.110.35/32 in failed, not found
[KNL] deleting policy 192.168.110.159/32 === 192.168.110.35/32 fwd failed, not found
initiate failed: establishing CHILD_SA 'host-host' failed

In Quick Mode, neither side can decrypt.

I'm not very familiar with the strongswan tool. From what I found searching around, the gist is that the system kernel driver does not implement the relevant algorithms and they need to be configured in the kernel xfrm, but the usage instructions say this: configuration for using the kernel xfrm: build and load the soft_alg driver module; run the testing/tests/gmalg/libipsec/run_libipsec.sh script on both server and client and adjust the configuration.

"Build and load the soft_alg driver module": how is that actually done? Or, since we are using tun mode, do we not need to load the kernel xfrm at all?

Thanks, expert, for helping clear this up.

doubleunknown commented 4 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you. I forked this on my homepage; there are a few changes to the readme, you can take a look.
>
> Hello! I followed the one on your homepage and still get this error. Have you ever got it to work?
>
> The cause is that during SM4 CBC decryption the in and out addresses are the same, which makes decryption fail. See my fork, which fixes it: https://github.com/lynchen/strongswan-gmalg
>
> @lynchen Hello! I applied the code changes you made at https://gitee.com/xsnxj/strongswan/commits/master without changing any of the configuration. It gets through the IKE phase 2 negotiation and then reports "function not implemented":
>
> [ENC] generating QUICK_MODE request 1884303646 [ HASH SA No KE ID ID ]
> [NET] sending packet: from 192.168.110.35[500] to 192.168.110.159[500] (268 bytes)
> [NET] received packet: from 192.168.110.159[500] to 192.168.110.35[500] (268 bytes)
> [ENC] parsed QUICK_MODE response 1884303646 [ HASH SA No KE ID ID ]
> [CFG] _selected proposal: ESP:SM4_CBC_128/HMAC_SM3/CURVE_SM2/NO_EXTSEQ
> [KNL] received netlink error: Function not implemented (38)
> [KNL] unable to add SAD entry with SPI c8b2ae9a (FAILED)
> [KNL] received netlink error: Function not implemented (38)
> [KNL] unable to add SAD entry with SPI cbff431d (FAILED)
> [IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
> [KNL] deleting policy 192.168.110.159/32 === 192.168.110.35/32 in failed, not found
> [KNL] deleting policy 192.168.110.159/32 === 192.168.110.35/32 fwd failed, not found
> initiate failed: establishing CHILD_SA 'host-host' failed
>
> In Quick Mode, neither side can decrypt.
>
> I'm not very familiar with the strongswan tool. From what I found searching around, the gist is that the system kernel driver does not implement the relevant algorithms and they need to be configured in the kernel xfrm, but the usage instructions say this: configuration for using the kernel xfrm: build and load the soft_alg driver module; run the testing/tests/gmalg/libipsec/run_libipsec.sh script on both server and client and adjust the configuration.
>
> "Build and load the soft_alg driver module": how is that actually done? Or, since we are using tun mode, do we not need to load the kernel xfrm at all?
>
> Thanks, expert, for helping clear this up.

Add --enable-kernel-libipsec to configure before building.

ChunfengMu commented 4 years ago

> I ran into the same problem; could you tell me where it went wrong?
>
> I never solved it in the end either, so sorry, I can't help you. I forked this on my homepage; there are a few changes to the readme, you can take a look.
>
> Hello! I followed the one on your homepage and still get this error. Have you ever got it to work?
>
> The cause is that during SM4 CBC decryption the in and out addresses are the same, which makes decryption fail. See my fork, which fixes it: https://github.com/lynchen/strongswan-gmalg

After using your fork, key negotiation passes and ESP communication works normally. But I found that after the server and the client each generate their own certificates and keys with sm2.sh and install everything with local.sh, the server and client still negotiate successfully and ESP communication still works. Is this behaviour normal?

RoseBL commented 2 years ago

> I ran into the same problem; could you ask where it went wrong?
>
> I never solved it in the end, so sorry, I can't help you. I forked this on my homepage; there are a few changes to the readme, you can take a look.
>
> Hello! I followed the one on your homepage
>
> The cause is that during SM4 CBC decryption the in and out addresses are the same, which makes decryption fail. See my fork, which fixes it: https://github.com/lynchen/strongswan-gmalg

I forked your code and still get the same error. Could you tell me what the problem is?