Date: Tue, 31 Jul 2018 00:44:25 +0200
From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-net@freebsd.org
Subject: IPSec StrongSwan error sending to PF_KEY socket: Invalid argument
Message-ID: <d71e1671-4bc7-7edd-36b3-7b4819d19972@quip.cz>
I am trying to set up an IPsec tunnel between a VirtualBox guest (FreeBSD 10.4) on one side and an AWS EC2 AMI (FreeBSD 10.4) on the other side. Both sides have a kernel with IPSEC and IPSEC_NAT_T, but I am not able to make it work. It works if I make a similar setup with two VirtualBox instances (no NAT), but when I need to run it in AWS EC2 or Google Cloud Platform with their crazy NAT it always fails on something.

Is the "error sending to PF_KEY socket: Invalid argument" error on the FreeBSD configuration side or on the StrongSwan side?

Jul 30 23:56:02 16[ENC] <aws0-to-vbox0|1> parsed QUICK_MODE response 1836023754 [ HASH SA No KE ID ID ]
Jul 30 23:56:02 16[CFG] <aws0-to-vbox0|1> selecting proposal:
Jul 30 23:56:02 16[CFG] <aws0-to-vbox0|1> proposal matches
Jul 30 23:56:02 16[CFG] <aws0-to-vbox0|1> received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul 30 23:56:02 16[CFG] <aws0-to-vbox0|1> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jul 30 23:56:02 16[CFG] <aws0-to-vbox0|1> selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> CHILD_SA aws0-to-vbox0{1} state change: CREATED => INSTALLING
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> using AES_CBC for encryption
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> using HMAC_SHA1_96 for integrity
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> adding inbound ESP SA
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> SPI 0xc59cf5ad, src 94.124.105.47 dst 172.31.17.85
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleting SAD entry with SPI c59cf5ad
Jul 30 23:56:02 02[JOB] watched FD 12 ready to read
Jul 30 23:56:02 02[JOB] watcher going to poll() 5 fds
Jul 30 23:56:02 02[JOB] watcher got notification, rebuilding
Jul 30 23:56:02 02[JOB] watcher going to poll() 6 fds
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleted SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> adding SAD entry with SPI c59cf5ad and reqid {1}
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> unable to add SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> adding outbound ESP SA
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> SPI 0xc2afbe7d, src 172.31.17.85 dst 94.124.105.47
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> adding SAD entry with SPI c2afbe7d and reqid {1}
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> unable to add SAD entry with SPI c2afbe7d
Jul 30 23:56:02 16[IKE] <aws0-to-vbox0|1> unable to install inbound and outbound IPsec SA (SAD) in kernel
Jul 30 23:56:02 16[IKE] <aws0-to-vbox0|1> queueing INFORMATIONAL task
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> CHILD_SA aws0-to-vbox0{1} state change: INSTALLING => DESTROYING
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleting policy 172.21.187.0/24 === 10.211.84.0/24 in
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleting policy 172.21.187.0/24 === 10.211.84.0/24 in failed, not found
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleting SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> unable to delete SAD entry with SPI c59cf5ad: No such file or directory (2)
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleting SAD entry with SPI c2afbe7d
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> unable to delete SAD entry with SPI c2afbe7d: No such file or directory (2)
Jul 31 00:00:31 09[ENC] <aws0-to-vbox0|2> found payload of type NOTIFY_V1
Jul 31 00:00:31 09[ENC] <aws0-to-vbox0|2> parsed INFORMATIONAL_V1 request 2604834086 [ HASH N(NO_PROP) ]
Jul 31 00:00:31 09[IKE] <aws0-to-vbox0|2> received NO_PROPOSAL_CHOSEN error notify
Jul 31 00:00:31 09[MGR] <aws0-to-vbox0|2> checkin IKE_SA aws0-to-vbox0[2]
Jul 31 00:00:31 09[MGR] <aws0-to-vbox0|2> checkin of IKE_SA successful
Jul 31 00:00:31 09[MGR] checkout IKEv1 SA by message with SPIs 7c1bf193d7093ec5_i a4ace258f6cd26f1_r
Jul 31 00:00:31 09[MGR] IKE_SA aws0-to-vbox0[2] successfully checked out

What am I doing wrong?

root@ipsec-gw etc/# uname -srmi
FreeBSD 10.4-RELEASE-p9 amd64 GEN_IPSEC
root@ipsec-gw etc/# sysctl kern.features.ipsec
kern.features.ipsec: 1

## ipsec.conf
config setup
    nat_traversal=yes

# Add connections here.
conn %default
    keyexchange=ikev1
    authby=secret  ## secret or psk are used for PSK
    type=tunnel
    ikelifetime=28800
    lifetime=3600
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    ike=3des-md5-modp1024     # Phase 1 integrity check algos
    esp=aes128-sha1-modp1024  # Phase 2 encryption algos

conn vbox0-to-aws0
    left=94.xx.yy.47            # Host internal IP address
    leftid=94.xx.yy.47
    leftsubnet=172.21.187.0/24
    right=35.aa.bb.117          # Peer2 IP address
    rightid=35.aa.bb.117
    rightsubnet=10.211.84.0/24  # Peer2 accessible intranet
    auto=start

## local public IP to remote public IP
conn vbox0-to-aws0-peer0
    also=vbox0-to-aws0
    leftsubnet=94.xx.yy.47/32
    rightsubnet=35.aa.bb.117/32
    auto=start

## local LAN to remote public IP
conn vbox0-to-aws0-peer1
    also=vbox0-to-aws0
    leftsubnet=172.21.187.0/24
    rightsubnet=35.aa.bb.117/32
    auto=start

## local public IP to remote LAN
conn vbox0-to-aws0-peer2
    also=vbox0-to-aws0
    leftsubnet=94.xx.yy.47/32
    rightsubnet=10.211.84.0/24
    auto=start

# ipsec status aws0-to-vbox0
Security Associations (1 up, 0 connecting):
  aws0-to-vbox0[2]: ESTABLISHED 41 minutes ago, 172.31.17.85[35.aa.bb.117]...94.xx.yy.47[94.xx.yy.47]

# ipsec statusall aws0-to-vbox0
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 10.4-RELEASE-p9, amd64):
  uptime: 45 minutes, since Jul 30 23:56:01 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  172.31.17.85
Connections:
  aws0-to-vbox0:  172.31.17.85...94.xx.yy.47  IKEv1, dpddelay=30s
  aws0-to-vbox0:   local:  [35.aa.bb.117] uses pre-shared key authentication
  aws0-to-vbox0:   remote: [94.xx.yy.47] uses pre-shared key authentication
  aws0-to-vbox0:   child:  10.211.84.0/24 === 172.21.187.0/24 TUNNEL, dpdaction=restart
  aws0-to-vbox0-peer0:   child:  35.aa.bb.117/32 === 94.xx.yy.47/32 TUNNEL, dpdaction=restart
  aws0-to-vbox0-peer1:   child:  10.211.84.0/24 === 94.xx.yy.47/32 TUNNEL, dpdaction=restart
  aws0-to-vbox0-peer2:   child:  35.aa.bb.117/32 === 172.21.187.0/24 TUNNEL, dpdaction=restart
  aws0-to-vbox0-peer3:   child:  172.31.17.85/32 === 94.xx.yy.47/32 TUNNEL, dpdaction=restart
  aws0-to-vbox0-peer4:   child:  172.31.17.85/32 === 172.21.187.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  aws0-to-vbox0[2]: ESTABLISHED 41 minutes ago, 172.31.17.85[35.aa.bb.117]...94.xx.yy.47[94.xx.yy.47]
  aws0-to-vbox0[2]: IKEv1 SPIs: 7c1bf193d7093ec5_i a4ace258f6cd26f1_r*, pre-shared key reauthentication in 7 hours
  aws0-to-vbox0[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
  aws0-to-vbox0[2]: Tasks passive: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
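As an added example (not part of the original post, and not strongSwan's or FreeBSD's own tooling), the script below correlates the charon [CHD] and [KNL] lines quoted above so that every SAD add attempt is reported as one record with its SPI, direction, endpoints, reqid, algorithms and the PF_KEY error string, rather than being read off the interleaved log by hand. The sample log embedded in it is the excerpt from the post plus one constructed successful install (SPI c0ffee01, an assumed value) so that both the OK and the FAILED path are exercised; the record layout and the summary format are mine. One practitioner caveat that the output makes visible: the kernel rejects both the inbound and the outbound SA with EINVAL on the same proposal (AES_CBC_128 / HMAC_SHA1_96, reqid 1), so the problem is in the SADB_ADD message or what the kernel is willing to accept, not in the IKE negotiation, which completed (note also that strongSwan 5.x ignores `nat_traversal` in `config setup`; NAT-T is always enabled there).

```python
"""Correlate strongSwan charon log lines to report per-SA kernel install results.

Added example for triaging "error sending to PF_KEY socket" failures; it is not
code from the original post.  Runs offline on the embedded, constructed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the post's excerpt (JOB noise kept on purpose, the parser
# must skip it) plus one made-up successful install, SPI c0ffee01, for contrast.
SAMPLE_LOG = """\
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> adding inbound ESP SA
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> SPI 0xc59cf5ad, src 94.124.105.47 dst 172.31.17.85
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleting SAD entry with SPI c59cf5ad
Jul 30 23:56:02 02[JOB] watched FD 12 ready to read
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> deleted SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> adding SAD entry with SPI c59cf5ad and reqid {1}
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> unable to add SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> adding outbound ESP SA
Jul 30 23:56:02 16[CHD] <aws0-to-vbox0|1> SPI 0xc2afbe7d, src 172.31.17.85 dst 94.124.105.47
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> adding SAD entry with SPI c2afbe7d and reqid {1}
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> unable to add SAD entry with SPI c2afbe7d
Jul 30 23:56:02 16[IKE] <aws0-to-vbox0|1> unable to install inbound and outbound IPsec SA (SAD) in kernel
Jul 30 23:57:10 07[CHD] <aws0-to-vbox0|1> adding inbound ESP SA
Jul 30 23:57:10 07[CHD] <aws0-to-vbox0|1> SPI 0xc0ffee01, src 94.124.105.47 dst 172.31.17.85
Jul 30 23:57:10 07[KNL] <aws0-to-vbox0|1> adding SAD entry with SPI c0ffee01 and reqid {1}
Jul 30 23:57:10 07[KNL] <aws0-to-vbox0|1> using encryption algorithm AES_CBC with key size 128
Jul 30 23:57:10 07[KNL] <aws0-to-vbox0|1> using integrity algorithm HMAC_SHA1_96 with key size 160
"""


@dataclass
class SaInstall:
    """One SADB_ADD attempt as seen through the charon log."""
    conn: str
    spi: str
    direction: Optional[str] = None   # "inbound"/"outbound" from the CHD layer
    src: Optional[str] = None
    dst: Optional[str] = None
    reqid: Optional[str] = None
    enc: Optional[str] = None         # "ALG/keybits"
    integ: Optional[str] = None       # "ALG/keybits"
    error: Optional[str] = None       # text after "error sending to PF_KEY socket:"
    installed: bool = True            # cleared by "unable to add SAD entry"


# "Jul 30 23:56:02 16[KNL] <aws0-to-vbox0|1> msg" -> subsystem, connection, message
RE_LINE = re.compile(r'^\S+ +\d+ [\d:]+ \d+\[(?P<sub>[A-Z]+)\] (?:<(?P<conn>[^>]+)> )?(?P<msg>.*)$')
RE_DIR = re.compile(r'^adding (?P<dir>inbound|outbound) ESP SA$')
RE_ENDPOINTS = re.compile(r'^SPI 0x(?P<spi>[0-9a-f]+), src (?P<src>\S+) dst (?P<dst>\S+)$')
RE_ADD = re.compile(r'^adding SAD entry with SPI (?P<spi>[0-9a-f]+) and reqid \{(?P<reqid>\d+)\}$')
RE_ENC = re.compile(r'^using encryption algorithm (?P<alg>\S+) with key size (?P<bits>\d+)$')
RE_INT = re.compile(r'^using integrity algorithm (?P<alg>\S+) with key size (?P<bits>\d+)$')
RE_ERR = re.compile(r'^error sending to PF_KEY socket: (?P<err>.+)$')
RE_FAIL = re.compile(r'^unable to add SAD entry with SPI (?P<spi>[0-9a-f]+)$')


def parse_sa_installs(log: str) -> List[SaInstall]:
    """Single pass over the log; returns one record per 'adding SAD entry' line."""
    installs: List[SaInstall] = []
    endpoints: Dict[str, Tuple[str, str]] = {}   # spi -> (src, dst) announced by CHD
    pending_dir: Optional[str] = None            # last CHD "adding ... ESP SA"
    current: Optional[SaInstall] = None          # record the following KNL lines belong to
    for raw in log.splitlines():
        m = RE_LINE.match(raw)
        if not m:
            continue
        sub, conn, msg = m.group('sub'), m.group('conn'), m.group('msg')
        if sub == 'CHD':
            d = RE_DIR.match(msg)
            if d:
                pending_dir = d.group('dir')
            e = RE_ENDPOINTS.match(msg)
            if e:
                endpoints[e.group('spi')] = (e.group('src'), e.group('dst'))
            continue
        if sub != 'KNL':
            continue                               # JOB/IKE/MGR noise
        a = RE_ADD.match(msg)
        if a:
            spi = a.group('spi')
            src, dst = endpoints.get(spi, (None, None))
            current = SaInstall(conn=conn or '?', spi=spi, direction=pending_dir,
                                src=src, dst=dst, reqid=a.group('reqid'))
            installs.append(current)
            pending_dir = None
            continue
        if current is None:
            continue                               # e.g. the "deleting SAD entry" before the add
        for rx, attr in ((RE_ENC, 'enc'), (RE_INT, 'integ')):
            x = rx.match(msg)
            if x:
                setattr(current, attr, f"{x.group('alg')}/{x.group('bits')}")
        err = RE_ERR.match(msg)
        if err:
            current.error = err.group('err')
        fail = RE_FAIL.match(msg)
        if fail and fail.group('spi') == current.spi:
            current.installed = False
    return installs


def failed_installs(log: str) -> List[SaInstall]:
    return [s for s in parse_sa_installs(log) if not s.installed]


def summarize(log: str) -> str:
    """One line per SA: conn, direction, SPI, endpoints, reqid, algorithms, result."""
    out = []
    for s in parse_sa_installs(log):
        state = 'OK' if s.installed else f'FAILED ({s.error})'
        out.append(f"{s.conn} {s.direction or '?'} SPI {s.spi} {s.src}->{s.dst} "
                   f"reqid {s.reqid} {s.enc} {s.integ}: {state}")
    return '\n'.join(out)


if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
```

Run it against a real charon log with `charondebug="knl 2, chd 1"` (the levels that produce the lines matched here) by replacing `SAMPLE_LOG` with the file contents; the SPI, direction and endpoint pairing is what tells you whether the kernel rejects every SA, only one direction, or only one reqid, which narrows the search well before you reach the PF_KEY message encoding itself.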