Text only | Text with Images

OPNsense Forum

English Forums => Virtual private networks => Topic started by: rafaelbs on October 08, 2025, 09:58:52 PM

Title: IPSEC fail after move to Business Edition
Post by: rafaelbs on October 08, 2025, 09:58:52 PM
Hi,


I have just moved from community version to business edition. Then, I restore the backup and most of functionalities were restored, except IPSEC.

Phase 1 looks ok, but 2 does not connect.

Logs show the following messages:

Quoteunable to delete SAD entry with SPI c9a3a7b4: No such process (3)
failed to establish CHILD_SA, keeping IKE_SA
unable to install inbound and outbound IPsec SA (SAD) in kernel
unable to add SAD entry with SPI c9a3a7b4: Invalid argument (22)

Important to mention that Business Edition runs a previous version of community.

Any idea about what this could be?

Thanks.
Rafael
Title: Re: IPSEC fail after move to Business Edition
Post by: Patrick M. Hausen on October 08, 2025, 10:09:29 PM
Which versions exactly?
Title: Re: IPSEC fail after move to Business Edition
Post by: rafaelbs on October 08, 2025, 10:14:05 PM
I was running 25.7 from community edition and now I'm running Business Edition 25.4.

All updates were applied.
Title: Re: IPSEC fail after move to Business Edition
Post by: viragomann on October 08, 2025, 10:29:00 PM
Why you didn't wait on 25.10 as suggested in your other thread? ◔_◔

25.4 BE is based on 25.1 CE. So your configuration is probably not fully compatible with the installed version now.
Title: Re: IPSEC fail after move to Business Edition
Post by: rafaelbs on October 08, 2025, 10:49:53 PM
I wish I could wait, but there was an urgency that force us to do it today. But I appreciate your recommendation.

So I guess my best option is to rebuild the IPSEC configs, thanks for informing about incompatible version.

Regards.
Rafael

Title: Re: IPSEC fail after move to Business Edition
Post by: rafaelbs on October 08, 2025, 11:26:26 PM
I have just rebuilt my IPSEC tunnel and it did not work, and logs shows the same errors.

Any ideas about what could be wrong?
Title: Re: IPSEC fail after move to Business Edition
Post by: viragomann on October 09, 2025, 12:37:18 PM
If you do some quick searches you will find threads, where the reason for this error was a missing IPSec kernel module.
Don't know, if it's the same with your installation, but try to load it manually.
Title: Re: IPSEC fail after move to Business Edition
Post by: rafaelbs on October 09, 2025, 02:56:00 PM
When I try to reload the services from shell, IPSEC shows the following message:

setkey: ipsec: module not found: File exists

If there is no IPSEC module, is there a way to reinstall? how to fix it?

Thanks.
Title: Re: IPSEC fail after move to Business Edition
Post by: viragomann on October 09, 2025, 03:06:11 PM
Seems to be the issue I was talking about.
See https://forum.opnsense.org/index.php?topic=26231.0

I'd recommend to do the Tunables solution suggested by Patrick.
Title: Re: IPSEC fail after move to Business Edition
Post by: rafaelbs on October 09, 2025, 04:09:15 PM
Hi...

I did it, and still not working...

"Configuring IPsec VPN...setkey: ipsec: module not found: File exists"

Also tried this:

root@OPNsense:~ # service strongswan onestart
kldload: can't load ipsec: module already loaded or in kernel
/usr/local/etc/rc.d/strongswan: WARNING: Unable to load kernel module ipsec
/usr/local/etc/rc.d/strongswan: WARNING: failed precmd routine for strongswan

Any other help would be great... It is a brand new install of business edition. Healthy audit is ok...

Text only | Text with Images