core: IPsec with 22.1 does not work out of the box
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Describe the bug
When configuring an IPsec connection within 22.1 the connection does not start up automatically.
To Reproduce
- Create an IPsec configuration (P1+P2)
- Enable IPsec
- Check logs
- connection does not come up
- Error: `unable to add SAD entry with SPI c6651939: Invalid argument (22)`
- Manually load ipsec kernel module (e.g. `kldload ipsec` or via tunables GUI)
- Connection starts up
Expected behavior
Connection should start in default configuration without additional configurations by the user.
Describe alternatives you considered
User can manually add the `ipsec_load yes` configuration to the tunables GUI - not really practicable
Screenshots
If applicable, add screenshots to help explain your problem.
Relevant log files
Following log lines are present during charon startup when the kernel module is not loaded:
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Invalid argument
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[NET] installing IKE bypass policy failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)
Additional context
https://forum.opnsense.org/index.php?topic=26231.0
Environment
Software version used and hardware type if relevant, e.g.:
OPNsense 22.1_b189 (amd64, OpenSSL).
About this issue
- State: closed
- Created 2 years ago
- Comments: 17 (17 by maintainers)
I guess we should just follow https://github.com/freebsd/freebsd-ports/commit/3b35676c7a812c7 as the commit implied when we start strongswan (ipsec configure)
https://github.com/opnsense/src/commit/542970fa2d3fb4 then
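The two ideas in this thread (the charon log lines in the report show charon starting before the kernel module is present, and the maintainers' fix is to load the module when strongSwan is started) can be captured in a small preflight plus a log check. The script below is an added example, not OPNsense's rc/configd code or anything from the linked commits. It assumes FreeBSD's kldstat(8) and kldload(8); the `KLDSTAT`, `KLDLOAD`, `IPSEC_CMD` and `LOG_FILE` variables are hypothetical overrides so the logic can be exercised off-box, and the sample log text is constructed to mirror the lines quoted in the issue.

```shell
#!/bin/sh
# Added example, not OPNsense's own code. Failure mode from this issue: charon
# is started before ipsec.ko is loaded, so its UDP_ENCAP / IPSEC_POLICY
# setsockopt calls fail with "Protocol not available" and no SA can be installed.

# Constructed sample of the charon startup lines quoted in the report.
SAMPLE_CHARON_LOG='2022-01-04T13:30:35 Informational charon 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set UDP_ENCAP: Protocol not available
2022-01-04T13:30:35 Informational charon 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)'

# Constructed sample of a healthy startup (no KNL failures).
SAMPLE_HEALTHY_LOG='2022-01-04T13:30:35 Informational charon 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)'

# charon_log_missing_ipsec_module: reads charon log lines on stdin, returns 0
# when the socket-option failures that indicate a missing ipsec(4) module are
# present, 1 otherwise. Usable as a health check after starting strongSwan.
charon_log_missing_ipsec_module() {
    grep -Eq 'unable to set (UDP_ENCAP|IPSEC_POLICY)( on socket)?: Protocol not available'
}

# ipsec_module_loaded: 0 when the "ipsec" module is registered with the kernel.
# KLDSTAT is an override for testing (assumption of this example).
ipsec_module_loaded() {
    ${KLDSTAT:-kldstat} -q -m ipsec
}

# ensure_ipsec_module: idempotent preflight to run before charon starts, i.e.
# what the reporter had to do by hand with "kldload ipsec" / ipsec_load.
# KLDLOAD is an override for testing (assumption of this example).
ensure_ipsec_module() {
    if ipsec_module_loaded; then
        return 0
    fi
    ${KLDLOAD:-kldload} ipsec
}

# start_ipsec_checked: preflight, start strongSwan, then scan its log for the
# signature above. IPSEC_CMD and LOG_FILE defaults are assumptions, adjust to
# the installation. Return 2 means charon is up but without kernel IPsec.
start_ipsec_checked() {
    ensure_ipsec_module || return 1
    ${IPSEC_CMD:-/usr/local/sbin/ipsec} start || return 1
    if charon_log_missing_ipsec_module < "${LOG_FILE:-/var/log/ipsec/latest.log}"; then
        echo "charon started without kernel IPsec support, SAs will not install" >&2
        return 2
    fi
    return 0
}
```

Running `ensure_ipsec_module` before `ipsec start` is the same ordering the maintainers point at with the ports commit; the log check is the detection side, so a box that regresses to this state shows up as a failed check rather than as a silently down tunnel.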