Hi,
I'm trying to set up an IPsec client using OpenWrt. The tunnel is already working on an old Linux box that is not maintained anymore, which is why I'm trying to migrate. So I have a working config that uses the old-fashioned ipsec.conf format.
I translated the config to /etc/config/ipsec on my OpenWrt box using this piece of documentation: https://openwrt.org/docs/guide-user/services/vpn/strongswan/configuration
I cannot get rid of this error:
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[KNL] received netlink error: Function not implemented (89)
From what I understand, there is some missing crypto function. But I have installed every single "strongswan" crypto package. Also, the algorithms used are pretty common.
Does someone have a clue?
Complete swanctl initiate log:
[IKE] initiating IKE_SA company[3] to x.x.x.x
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 10.7.0.1[500] to x.x.x.x[500] (334 bytes)
[NET] received packet: from x.x.x.x[500] to 10.7.0.1[500] (304 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
[IKE] local host is behind NAT, sending keep alives
[IKE] authentication of 'me@company.com' (myself) with pre-shared key
[IKE] establishing CHILD_SA tun_company{2}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 10.7.0.1[4500] to x.x.x.x[4500] (352 bytes)
[NET] received packet: from x.x.x.x[4500] to 10.7.0.1[4500] (224 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr ]
[IKE] authentication of 'x.x.x.x' with pre-shared key successful
[IKE] IKE_SA company[3] established between 10.7.0.1[me@company.com]...x.x.x.x[x.x.x.x]
[IKE] scheduling rekeying in 13394s
[IKE] maximum IKE_SA lifetime 14834s
[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[KNL] received netlink error: Function not implemented (89)
[KNL] unable to add SAD entry with SPI c7dc0cda (FAILED)
[KNL] received netlink error: Function not implemented (89)
[KNL] unable to add SAD entry with SPI 99f7e4aa (FAILED)
[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
[IKE] failed to establish CHILD_SA, keeping IKE_SA
[IKE] sending DELETE for ESP CHILD_SA with SPI c7dc0cda
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 10.7.0.1[4500] to x.x.x.x[4500] (80 bytes)
[NET] received packet: from x.x.x.x[4500] to 10.7.0.1[4500] (80 bytes)
[ENC] parsed INFORMATIONAL response 2 [ D ]
initiate failed: establishing CHILD_SA 'tun_company' failed
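
One way to test the missing-crypto hypothesis from the post on the router itself (an added example, not part of the original post or of strongSwan): the script reads a saved initiate log, maps the selected ESP proposal to Linux crypto API names, and lists those not present in /proc/crypto. The function names, the script name and the log path are made up for illustration, and the token map covers only a few common algorithms.

```shell
#!/bin/sh
# Added example: which kernel transforms does the selected ESP proposal need,
# and which of them are not listed in /proc/crypto?

# Map a strongSwan proposal token to its Linux crypto API name (common ones only).
kernel_alg() {
    case "$1" in
        AES_CBC_*)         echo 'cbc(aes)' ;;
        AES_GCM_*)         echo 'rfc4106(gcm(aes))' ;;
        3DES_CBC)          echo 'cbc(des3_ede)' ;;
        HMAC_SHA1_96)      echo 'hmac(sha1)' ;;
        HMAC_SHA2_256_128) echo 'hmac(sha256)' ;;
        HMAC_SHA2_384_192) echo 'hmac(sha384)' ;;
        HMAC_SHA2_512_256) echo 'hmac(sha512)' ;;
    esac
}

# Print the last ESP proposal charon selected in log file $1.
selected_esp() {
    sed -n 's/.*selected proposal: ESP:\([^ ]*\).*/\1/p' "$1" | tail -n 1
}

# Succeed when the log shows the kernel refusing the SAD entry with ENOSYS.
sad_enosys() {
    grep -q 'netlink error: Function not implemented' "$1" &&
        grep -q 'unable to add SAD entry' "$1"
}

# Print needed algorithms absent from the /proc/crypto-format file $2
# (defaults to the live /proc/crypto).
missing_algs() {
    selected_esp "$1" | tr '/' '\n' | while read -r tok; do
        alg=$(kernel_alg "$tok")
        [ -n "$alg" ] || continue   # tokens such as NO_EXT_SEQ need no transform
        grep -q "^name *: *$alg\$" "${2:-/proc/crypto}" || echo "$alg"
    done
}

# Usage: sh esp-check.sh /tmp/initiate.log   (script name and path are placeholders)
if [ $# -ge 1 ]; then
    if sad_enosys "$1"; then
        echo "kernel refused SA for ESP:$(selected_esp "$1"); not in /proc/crypto:"
        missing_algs "$1"
    else
        echo "no ENOSYS on SAD install found in $1"
    fi
fi
```

Run it after a failed initiate: /proc/crypto lists templated transforms such as hmac(sha256) only once the kernel has instantiated them, so a missing entry is a lead to follow up on, not proof.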