Cannot establish IPsec tunnel with 22.1

Started by 8191, January 04, 2022, 01:53:09 PM

I've been struggling for a few days to establish a simple IPsec tunnel between two 22.1 systems, or between a 21.7 and a 22.1 system. Finally I tried precisely the same configuration between two 21.7 systems and it works.
The error on the 22.1 side is

15[KNL] <con1|3> unable to add SAD entry with SPI c6651939: Invalid argument (22)


I could not find many useful details about this error, except that some specific situations might not be supported by the kernel. But my example is really simple and I've even tried very many other scenarios.

One suspicious thing I saw is during startup of charon is:

2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)


Any ideas?

Attached the complete log from charon startup incl. one session initiation cycle. P1 succeeds, only the SAD of P2 cannot be written.

Was going to post something about this eventually since I noticed the same behavior including the error messages in the logs.  I guess I'll just say me too here.

Looks like the IPsec kernel module has not been loaded. Seen this before and, as we speak, I'm looking for a solution to have this module always loaded automatically at startup.

In more detail, I'm adding this to loader.conf, but it seems that this file is overwritten every time.
OPNSense on Elite Edition Intel N100 - Crucial 16G DDR - Lexar NM620 512GB

BTW, solved the issue of the IPsec module not loading by adding

ipsec_load="YES"

in /boot/loader.conf.local as this file will not be overwritten
OPNSense on Elite Edition Intel N100 - Crucial 16G DDR - Lexar NM620 512GB

You can add that in the Tunables section of System > Settings without manually editing files.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
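The two facts this thread turns on are (a) the charon log lines that show the kernel refusing IPsec socket options and SAD entries, and (b) whether `ipsec_load="YES"` is actually present in the loader configuration. The script below is an added example, not code from any poster here or from OPNsense itself: it greps a charon log for exactly the symptoms quoted above, checks a loader.conf(.local)-style file for the tunable, and, on a FreeBSD host where `kldstat` exists, asks the kernel directly whether the `ipsec` module is loaded. The function names, the combined diagnosis strings and the sample files are assumptions of mine; the sample log lines are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): does this box show the "ipsec kernel
# module not loaded" signature, and is the loader tunable set?

# Count charon log lines matching the symptoms quoted in the thread:
# socket options refused at startup and SAD entries rejected in Phase 2.
# Usage: charon_kmod_symptoms <charon-logfile>   -> prints match count
charon_kmod_symptoms() {
    grep -c -E \
        'unable to set (UDP_ENCAP|IPSEC_POLICY)[^:]*: (Protocol not available|Invalid argument)|unable to add SAD entry .*Invalid argument' \
        "$1"
}

# Return 0 if the file contains an uncommented ipsec_load="YES" line
# (the fix posted above, whether written by hand or via the Tunables UI).
# Usage: loader_has_ipsec_load <loader.conf or loader.conf.local>
loader_has_ipsec_load() {
    grep -E -q '^[[:space:]]*ipsec_load[[:space:]]*=[[:space:]]*"?YES"?[[:space:]]*$' "$1"
}

# Ask the running kernel (FreeBSD only). Returns 0 = loaded, 1 = not loaded,
# 2 = kldstat not available on this host (e.g. when run on Linux).
ipsec_kmod_loaded() {
    command -v kldstat >/dev/null 2>&1 || return 2
    kldstat -q -m ipsec
}

# Combine log evidence and loader config into one short verdict string.
# Usage: diagnose <charon-logfile> <loader-conf-file>
diagnose() {
    n=$(charon_kmod_symptoms "$1") || n=0
    if [ "$n" -gt 0 ] && ! loader_has_ipsec_load "$2"; then
        echo "likely-missing-ipsec-kmod"       # thread's case: add ipsec_load="YES"
    elif [ "$n" -gt 0 ]; then
        echo "symptoms-present-tunable-set"    # tunable set but not yet rebooted / loaded?
    else
        echo "no-symptoms"
    fi
}

# --- constructed demo input: the log lines quoted in the thread -------------
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)
15[KNL] <con1|3> unable to add SAD entry with SPI c6651939: Invalid argument (22)
EOF
SAMPLE_CONF=$(mktemp)                          # empty loader.conf.local: tunable missing
printf '# no ipsec_load here\n' > "$SAMPLE_CONF"

echo "symptom lines: $(charon_kmod_symptoms "$SAMPLE_LOG" || true)"
echo "diagnosis:     $(diagnose "$SAMPLE_LOG" "$SAMPLE_CONF")"
rm -f "$SAMPLE_LOG" "$SAMPLE_CONF"
```

Run it against the real files (`/var/log/ipsec/latest.log` or wherever charon logs on your version, and `/boot/loader.conf.local`) rather than the constructed samples; `ipsec_kmod_loaded` is the authoritative check on the firewall itself, the log grep is what you have when looking at a pasted log from someone else.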

Thanks that was the issue...
Seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now...?

Will you create a PR or shall I?

Quote from: pmhausen on January 05, 2022, 07:35:02 PM
You can add that in the Tunables section of System > Settings without manually editing files.
I believe it should be enabled by default anyway (or at least loaded automatically upon enabling of the IPsec service).
It should go to /usr/local/etc/rc.loader.d/20-modules I'd say.

Adding the tunable fixed it here as well.  Thank you!

Quote from: 8191 on January 05, 2022, 07:42:14 PM
Thanks that was the issue...
Seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now...?

Will you create a PR or shall I?

I'd say it's worth starting a discussion via GitHub.