Author Topic: Cannot establish IPsec tunnel with 22.1  (Read 3771 times)

8191 (Jr. Member, Posts: 80, Karma: 4)
Cannot establish IPsec tunnel with 22.1
« on: January 04, 2022, 01:53:09 pm »
I've been struggling for a few days to establish a simple IPsec tunnel between two 22.1 systems, or between a 21.7 and a 22.1 system. Finally I tried precisely the same configuration between two 21.7 systems and it works.
The error on the 22.1 side is
Code:
15[KNL] <con1|3> unable to add SAD entry with SPI c6651939: Invalid argument (22)

I could not find many useful details on this error, except that some specific situations might not be supported by the kernel. But my example is really simple and I've even tried very many other scenarios.

One suspicious thing I saw during startup of charon is:
Code:
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)

Any ideas?

Attached the complete log from charon startup incl. one session initiation cycle. P1 succeeds, only the SAD of P2 cannot be written.

madj42 (Newbie, Posts: 47, Karma: 3)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #1 on: January 04, 2022, 05:52:16 pm »
I was going to post something about this eventually since I noticed the same behavior, including the error messages in the logs. I guess I'll just say "me too" here.

HappyOpnSense (Newbie, Posts: 7, Karma: 0)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #2 on: January 05, 2022, 06:08:19 pm »
Looks like the IPsec kernel module has not been loaded. I've seen this before and, as we speak, am looking for a solution to have this module always loaded automatically at startup.

In more detail, I tried adding this to loader.conf, but it seems that this file is overwritten every time.

HappyOpnSense (Newbie, Posts: 7, Karma: 0)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #3 on: January 05, 2022, 06:25:43 pm »
BTW, I solved the issue of the IPsec module not loading by adding

    ipsec_load="YES"

to /boot/loader.conf.local, as this file will not be overwritten.
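An added example, not code from this thread or from the OPNsense project: a small POSIX sh script that does two things. First, it recognizes the charon startup signature quoted in the opening post (setsockopt for UDP_ENCAP and IPSEC_POLICY failing with "Protocol not available"), which is what a kernel without IPsec support looks like from strongSwan's point of view. Second, it writes the ipsec_load="YES" fix from the post above into /boot/loader.conf.local exactly once, replacing any older value instead of appending a duplicate. The function names, the --apply flag and the shortened sample log are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense. Two pieces:
#  1. charon_log_shows_missing_ipsec: spots the startup signature quoted in the
#     thread (setsockopt UDP_ENCAP / IPSEC_POLICY failing with "Protocol not
#     available"), which means the running kernel has no IPsec support.
#  2. set_loader_tunable: writes ipsec_load="YES" into /boot/loader.conf.local
#     (the file OPNsense leaves alone) exactly once, replacing any older value.
# Function names, the --apply flag and the sample log are this example's own.

# Constructed sample: a shortened copy of the charon startup lines from the post.
SAMPLE_CHARON_LOG='2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)'

# Reads charon log text on stdin. Exit 0 if the kernel refused the IPsec
# socket options (no ipsec module loaded / not compiled in), 1 otherwise.
charon_log_shows_missing_ipsec() {
    grep -Eq 'unable to set (UDP_ENCAP|IPSEC_POLICY)[^:]*: Protocol not available'
}

# Idempotently set KEY="VALUE" in a loader.conf-style file.
# Usage: set_loader_tunable FILE KEY VALUE
set_loader_tunable() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${key}=" "$file"; then
        # Replace the existing line. sed -i differs between BSD and GNU sed,
        # so go through a temporary file instead.
        tmp="${file}.tmp.$$"
        sed -E "s|^[[:space:]]*${key}=.*|${key}=\"${value}\"|" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# Prints the (unquoted) value of KEY in FILE, or nothing if it is not set.
# Usage: get_loader_tunable FILE KEY
get_loader_tunable() {
    sed -nE "s|^[[:space:]]*$2=\"?([^\"]*)\"?.*|\1|p" "$1" | tail -n 1
}

# Demo on the constructed sample (runs anywhere, touches nothing).
if printf '%s\n' "$SAMPLE_CHARON_LOG" | charon_log_shows_missing_ipsec; then
    echo "sample log: kernel has no IPsec support, the ipsec module is not loaded"
fi

# The actual fix, only on FreeBSD/OPNsense and only when asked for explicitly:
#   sh fix_ipsec_module.sh --apply
if [ "${1:-}" = "--apply" ] && [ "$(uname -s)" = "FreeBSD" ]; then
    kldstat | grep -q 'ipsec\.ko' || kldload ipsec              # load it now
    set_loader_tunable /boot/loader.conf.local ipsec_load YES   # and on every boot
    echo "now restart the IPsec service: charon only sets UDP_ENCAP/IPSEC_POLICY at startup"
fi
```

Two practical points follow from the log lines themselves. The failing calls are all tagged 00[NET]/00[KNL] before "Starting IKE charon daemon", so they happen once at daemon startup: loading the module with kldload is not enough on its own, the IPsec service has to be restarted afterwards so charon re-creates its sockets. And a loader tunable only takes effect at the next boot, so after setting it (here in loader.conf.local, or through the Tunables page as suggested below) the box still needs either a kldload now or a reboot.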

pmhausen (Hero Member, Posts: 2545, Karma: 227)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #4 on: January 05, 2022, 07:35:02 pm »
You can add that in the Tunables section of System > Settings without manually editing files.

8191 (Jr. Member, Posts: 80, Karma: 4)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #5 on: January 05, 2022, 07:42:14 pm »
Thanks, that was the issue…
It seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now…?

Will you create a PR, or shall I?

8191 (Jr. Member, Posts: 80, Karma: 4)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #6 on: January 05, 2022, 07:44:05 pm »
Quote from: pmhausen on January 05, 2022, 07:35:02 pm
You can add that in the Tunables section of System > Settings without manually editing files.
I believe it should be enabled by default anyway (or at least loaded automatically upon enabling the IPsec service).
It should go into /usr/local/etc/rc.loader.d/20-modules, I'd say.

madj42 (Newbie, Posts: 47, Karma: 3)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #7 on: January 06, 2022, 04:50:24 am »
Adding the tunable fixed it here as well. Thank you!

mimugmail (Hero Member, Posts: 6296, Karma: 433)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #8 on: January 06, 2022, 07:39:23 am »
Quote from: 8191 on January 05, 2022, 07:42:14 pm
Thanks that was the issue…
Seems like with the move from HardenedBSD to FreeBSD the module needs to be loaded explicitly now…?

Will you create a PR or shall I?

I'd say it's worth starting a discussion via GitHub.

8191 (Jr. Member, Posts: 80, Karma: 4)
Re: Cannot establish IPsec tunnel with 22.1
« Reply #9 on: January 06, 2022, 08:49:35 am »
Quote from: mimugmail on January 06, 2022, 07:39:23 am
I'd say its worth to start a discussion via github

opnsense/core#5464 it is  ;)

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved