Hi,
I have just moved from the community version to the business edition. Then I restored the backup and most of the functionality was restored, except IPSEC.
Phase 1 looks ok, but 2 does not connect.
Logs show the following messages:
unable to delete SAD entry with SPI c9a3a7b4: No such process (3)
failed to establish CHILD_SA, keeping IKE_SA
unable to install inbound and outbound IPsec SA (SAD) in kernel
unable to add SAD entry with SPI c9a3a7b4: Invalid argument (22)
Important to mention that Business Edition runs a previous version of community.
Any idea about what this could be?
Thanks.
Rafael
Which versions exactly?
I was running 25.7 from community edition and now I'm running Business Edition 25.4.
All updates were applied.
Why didn't you wait for 25.10 as suggested in your other thread? ◔_◔
25.4 BE is based on 25.1 CE. So your configuration is probably not fully compatible with the installed version now.
I wish I could wait, but there was an urgency that forced us to do it today. But I appreciate your recommendation.
So I guess my best option is to rebuild the IPSEC configs, thanks for informing about incompatible version.
Regards.
Rafael
I have just rebuilt my IPSEC tunnel and it did not work, and the logs show the same errors.
Any ideas about what could be wrong?
If you do some quick searches you will find threads, where the reason for this error was a missing IPSec kernel module.
Don't know, if it's the same with your installation, but try to load it manually.
When I try to reload the services from shell, IPSEC shows the following message:
setkey: ipsec: module not found: File exists
If there is no IPSEC module, is there a way to reinstall? How to fix it?
Thanks.
Seems to be the issue I was talking about.
See https://forum.opnsense.org/index.php?topic=26231.0
I'd recommend to do the Tunables solution suggested by Patrick.
Hi...
I did it, and still not working...
"Configuring IPsec VPN...setkey: ipsec: module not found: File exists"
Also tried this:
root@OPNsense:~ # service strongswan onestart
kldload: can't load ipsec: module already loaded or in kernel
/usr/local/etc/rc.d/strongswan: WARNING: Unable to load kernel module ipsec
/usr/local/etc/rc.d/strongswan: WARNING: failed precmd routine for strongswan
Any other help would be great... It is a brand new install of business edition. Healthy audit is ok...
After a hard time trying to make IPSEC work, the only option appeared to be a reinstall of OPNsense Business Edition, since the problem could be occurring because of the backup from a different version. To my surprise, it was not.
In my environment (server), IPsec in the business edition looks like it has an issue, and simply does not work.
After a reinstall and trying to set tunables on /usr/local/etc/rc.loader.d/20-modules (ipsec_load="YES"), it shows the same log messages, like:
unable to install inbound and outbound IPsec SA (SAD) in kernel
failed to establish CHILD_SA, keeping IKE_SA
When I try to restart service from shell:
"Configuring IPsec VPN...setkey: ipsec: module not found: File exists"
Could it be a bug or problem with my install/hardware compatibility?
Quote from: rafaelbs on October 10, 2025, 02:36:25 PM
trying to set tunables on /usr/local/etc/rc.loader.d/20-modules (ipsec_load="YES")
Why would you do that? That is simply not necessary. OPNsense supports IPsec as shipped, both community and business edition. I run IPsec tunnels to customers in production
- on both 25.4 and 25.7
- with the new "connections" paradigm
No fundamental problems whatsoever. Getting an IPsec tunnel between two different devices up and running is always a bit tricky.
I have just found a couple different logs on System/General:
[38635] KLD ipsec.ko: depends on kernel - not available or version mismatch
/usr/local/sbin/pluginctl: The command '/sbin/kldload ipsec' returned exit code '1', the output was 'kldload: can't load ipsec: module already loaded or in kernel'
Any ideas?
My idea would be that your installation is corrupt somehow and you should try a reinstall.
Without importing any configuration into it, try if IPsec is running.
Quote from: rafaelbs on October 10, 2025, 03:38:13 PM
/usr/local/sbin/pluginctl: The command '/sbin/kldload ipsec' returned exit code '1', the output was 'kldload: can't load ipsec: module already loaded or in kernel
This is not your problem. IPsec is already in the kernel - no need to manually load any module. That's what the error message states.
Why do you try to manually load anything? It's not necessary. IPsec is built in.
One of your suggestions yesterday was related to a similar issue, where I saw the alternative of manually loading IPSEC in the 20-modules file.
I have just removed it and rebooted the box. Ipsec did not start automatically.
The firewall general logs show:
2025-10-10T11:48:04-03:00 Notice kernel [201] KLD ipsec.ko: depends on kernel - not available or version mismatch
2025-10-10T11:48:04-03:00 Notice kernel [201] KLD ipsec.ko: depends on kernel - not available or version mismatch
2025-10-10T11:48:04-03:00 Notice kernel [201] KLD ipsec.ko: depends on kernel - not available or version mismatch
2025-10-10T11:48:04-03:00 Notice opnsense-business /usr/local/sbin/pluginctl: plugins_configure route_reload (execute task : system_routing_configure(1,[]))
2025-10-10T11:48:04-03:00 Notice opnsense-business /usr/local/sbin/pluginctl: plugins_configure route_reload (1,[])
2025-10-10T11:48:04-03:00 Notice root /usr/local/etc/rc.d/strongswan: WARNING: failed precmd routine for strongswan
2025-10-10T11:48:04-03:00 Notice root /usr/local/etc/rc.d/strongswan: WARNING: Unable to load kernel module ipsec
2025-10-10T11:48:04-03:00 Notice kernel [200] KLD ipsec.ko: depends on kernel - not available or version mismatch
Solution:
Since IPSEC did not work, even after reinstalling, and we did not figure out what was going on, the only option was to roll back to Community (which is running perfectly), and wait for BE 25.10, which hopefully will work fine.
Thanks for all replies.