Re: ipsec not working

On 12/05/2019 4:20 pm, Alexandr Krivulya wrote:
> Hi,
> after upgrading from r347050 to r347483 ipsec tunel on my notebook does 
> not work any more. Connection is established as usual but no policies 
> are installed.
> 
> 2019-05-12 09:12:10 00[DMN] Starting IKE charon daemon (strongSwan 
> 5.7.2, FreeBSD 13.0-CURRENT, amd64)
> 2019-05-12 09:12:10 00[KNL] unable to set IPSEC_POLICY on socket: 
> Protocol not available
> 2019-05-12 09:12:10 00[NET] installing IKE bypass policy failed
> 2019-05-12 09:12:10 00[KNL] unable to set IPSEC_POLICY on socket: 
> Protocol not available
> 2019-05-12 09:12:10 00[NET] installing IKE bypass policy failed
> 2019-05-12 09:12:10 00[KNL] unable to set UDP_ENCAP: Invalid argument
> 2019-05-12 09:12:10 00[NET] enabling UDP decapsulation for IPv6 on port 
> 4500 failed
> 2019-05-12 09:12:10 00[KNL] unable to set IPSEC_POLICY on socket: 
> Protocol not available
> 2019-05-12 09:12:10 00[NET] installing IKE bypass policy failed
> 2019-05-12 09:12:10 00[KNL] unable to set IPSEC_POLICY on socket: 
> Protocol not available
> 2019-05-12 09:12:10 00[NET] installing IKE bypass policy failed
> 2019-05-12 09:12:10 00[KNL] unable to set UDP_ENCAP: Protocol not available
> 2019-05-12 09:12:10 00[NET] enabling UDP decapsulation for IPv4 on port 
> 4500 failed
> 
> ...
> 
> 2019-05-12 09:12:10 01[CFG] <ikev2-client|1> selected proposal: 
> ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
> 2019-05-12 09:12:10 01[KNL] <ikev2-client|1> unable to add SAD entry 
> with SPI c96b2b97: Invalid argument (22)
> 2019-05-12 09:12:10 01[KNL] <ikev2-client|1> unable to add SAD entry 
> with SPI cc951335: Invalid argument (22)
> 2019-05-12 09:12:10 01[IKE] <ikev2-client|1> unable to install inbound 
> and outbound IPsec SA (SAD) in kernel
> 2019-05-12 09:12:10 01[IKE] <ikev2-client|1> failed to establish 
> CHILD_SA, keeping IKE_SA

See:

https://svnweb.freebsd.org/changeset/base/347410

Ongoing thread:

https://lists.freebsd.org/pipermail/svn-src-head/2019-May/124878.html