From: Miroslav Lachman <000.fbsd@quip.cz>
To: freebsd-net@freebsd.org
Subject: IPSec StrongSwan error sending to PF_KEY socket: Invalid argument
Date: Tue, 31 Jul 2018 00:44:25 +0200
List-Id: Networking and TCP/IP with FreeBSD

I am trying to set up an IPSec tunnel between a VirtualBox guest (FreeBSD 10.4) on one side and an AWS EC2 AMI (FreeBSD 10.4) on the other side.
Both sides have a kernel with IPSEC and IPSEC_NAT_T, but I am not able to make it work. It works if I make a similar setup with two VirtualBox instances (no NAT), but when I need to run it in AWS EC2 or Google Cloud Platform with their crazy NAT it always fails on something.

Is the "error sending to PF_KEY socket: Invalid argument" error on the FreeBSD configuration side or on the StrongSwan side?

Jul 30 23:56:02 16[ENC] parsed QUICK_MODE response 1836023754 [ HASH SA No KE ID ID ]
Jul 30 23:56:02 16[CFG] selecting proposal:
Jul 30 23:56:02 16[CFG] proposal matches
Jul 30 23:56:02 16[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul 30 23:56:02 16[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jul 30 23:56:02 16[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
Jul 30 23:56:02 16[CHD] CHILD_SA aws0-to-vbox0{1} state change: CREATED => INSTALLING
Jul 30 23:56:02 16[CHD] using AES_CBC for encryption
Jul 30 23:56:02 16[CHD] using HMAC_SHA1_96 for integrity
Jul 30 23:56:02 16[CHD] adding inbound ESP SA
Jul 30 23:56:02 16[CHD] SPI 0xc59cf5ad, src 94.124.105.47 dst 172.31.17.85
Jul 30 23:56:02 16[KNL] deleting SAD entry with SPI c59cf5ad
Jul 30 23:56:02 02[JOB] watched FD 12 ready to read
Jul 30 23:56:02 02[JOB] watcher going to poll() 5 fds
Jul 30 23:56:02 02[JOB] watcher got notification, rebuilding
Jul 30 23:56:02 02[JOB] watcher going to poll() 6 fds
Jul 30 23:56:02 16[KNL] deleted SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[KNL] adding SAD entry with SPI c59cf5ad and reqid {1}
Jul 30 23:56:02 16[KNL] using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] unable to add SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[CHD] adding outbound ESP SA
Jul 30 23:56:02 16[CHD] SPI 0xc2afbe7d, src 172.31.17.85 dst 94.124.105.47
Jul 30 23:56:02 16[KNL] adding SAD entry with SPI c2afbe7d and reqid {1}
Jul 30 23:56:02 16[KNL] using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] unable to add SAD entry with SPI c2afbe7d
Jul 30 23:56:02 16[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Jul 30 23:56:02 16[IKE] queueing INFORMATIONAL task
Jul 30 23:56:02 16[CHD] CHILD_SA aws0-to-vbox0{1} state change: INSTALLING => DESTROYING
Jul 30 23:56:02 16[KNL] deleting policy 172.21.187.0/24 === 10.211.84.0/24 in
Jul 30 23:56:02 16[KNL] deleting policy 172.21.187.0/24 === 10.211.84.0/24 in failed, not found
Jul 30 23:56:02 16[KNL] deleting SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[KNL] unable to delete SAD entry with SPI c59cf5ad: No such file or directory (2)
Jul 30 23:56:02 16[KNL] deleting SAD entry with SPI c2afbe7d
Jul 30 23:56:02 16[KNL] unable to delete SAD entry with SPI c2afbe7d: No such file or directory (2)
Jul 31 00:00:31 09[ENC] found payload of type NOTIFY_V1
Jul 31 00:00:31 09[ENC] parsed INFORMATIONAL_V1 request 2604834086 [ HASH N(NO_PROP) ]
Jul 31 00:00:31 09[IKE] received NO_PROPOSAL_CHOSEN error notify
Jul 31 00:00:31 09[MGR] checkin IKE_SA aws0-to-vbox0[2]
Jul 31 00:00:31 09[MGR] checkin of IKE_SA successful
Jul 31 00:00:31 09[MGR] checkout IKEv1 SA by message with SPIs 7c1bf193d7093ec5_i a4ace258f6cd26f1_r
Jul 31 00:00:31 09[MGR] IKE_SA aws0-to-vbox0[2] successfully checked out

What am I doing wrong?

root@ipsec-gw etc/# uname -srmi
FreeBSD 10.4-RELEASE-p9 amd64 GEN_IPSEC
root@ipsec-gw etc/# sysctl kern.features.ipsec
kern.features.ipsec: 1

## ipsec.conf
config setup
    nat_traversal=yes

# Add connections here.
conn %default
    keyexchange=ikev1
    authby=secret ## secret or psk are used for PSK
    type=tunnel
    ikelifetime=28800
    lifetime=3600
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    ike=3des-md5-modp1024 #Phase 1 integrity check algos
    esp=aes128-sha1-modp1024 #Phase 2 Encryption algos

conn vbox0-to-aws0
    left=94.xx.yy.47 #Host internal IP address
    leftid=94.xx.yy.47
    leftsubnet=172.21.187.0/24
    right=35.aa.bb.117 #Peer2 IP address
    rightid=35.aa.bb.117
    rightsubnet=10.211.84.0/24 #Peer2 accessible intranet
    auto=start

## local public IP to remote public IP
conn vbox0-to-aws0-peer0
    also=vbox0-to-aws0
    leftsubnet=94.xx.yy.47/32
    rightsubnet=35.aa.bb.117/32
    auto=start

## local LAN to remote public IP
conn vbox0-to-aws0-peer1
    also=vbox0-to-aws0
    leftsubnet=172.21.187.0/24
    rightsubnet=35.aa.bb.117/32
    auto=start

## local public IP to remote LAN
conn vbox0-to-aws0-peer2
    also=vbox0-to-aws0
    leftsubnet=94.xx.yy.47/32
    rightsubnet=10.211.84.0/24
    auto=start

# ipsec status aws0-to-vbox0
Security Associations (1 up, 0 connecting):
aws0-to-vbox0[2]: ESTABLISHED 41 minutes ago, 172.31.17.85[35.aa.bb.117]...94.xx.yy.47[94.xx.yy.47]

# ipsec statusall aws0-to-vbox0
Status of IKE charon daemon (strongSwan 5.6.3, FreeBSD 10.4-RELEASE-p9, amd64):
  uptime: 45 minutes, since Jul 30 23:56:01 2018
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
Listening IP addresses:
  172.31.17.85
Connections:
aws0-to-vbox0:  172.31.17.85...94.xx.yy.47  IKEv1, dpddelay=30s
aws0-to-vbox0:   local:  [35.aa.bb.117] uses pre-shared key authentication
aws0-to-vbox0:   remote: [94.xx.yy.47] uses pre-shared key authentication
aws0-to-vbox0:   child:  10.211.84.0/24 === 172.21.187.0/24 TUNNEL, dpdaction=restart
aws0-to-vbox0-peer0:   child:  35.aa.bb.117/32 === 94.xx.yy.47/32 TUNNEL, dpdaction=restart
aws0-to-vbox0-peer1:   child:  10.211.84.0/24 === 94.xx.yy.47/32 TUNNEL, dpdaction=restart
aws0-to-vbox0-peer2:   child:  35.aa.bb.117/32 === 172.21.187.0/24 TUNNEL, dpdaction=restart
aws0-to-vbox0-peer3:   child:  172.31.17.85/32 === 94.xx.yy.47/32 TUNNEL, dpdaction=restart
aws0-to-vbox0-peer4:   child:  172.31.17.85/32 === 172.21.187.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
aws0-to-vbox0[2]: ESTABLISHED 41 minutes ago, 172.31.17.85[35.aa.bb.117]...94.xx.yy.47[94.xx.yy.47]
aws0-to-vbox0[2]: IKEv1 SPIs: 7c1bf193d7093ec5_i a4ace258f6cd26f1_r*, pre-shared key reauthentication in 7 hours
aws0-to-vbox0[2]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
aws0-to-vbox0[2]: Tasks passive: QUICK_MODE QUICK_MODE QUICK_MODE QUICK_MODE
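As an added triage example (not part of the post or of strongSwan), a small Python parser for the charon [CHD]/[KNL] lines quoted above: it ties each "error sending to PF_KEY socket" to the SA install attempt it belongs to, so you can read off which SPI, direction, endpoints and algorithms the kernel rejected instead of scanning the raw log. The sample lines are copied from the post; the function names are my own.

```python
import re
from collections import OrderedDict
# Constructed sample: the [CHD]/[KNL] lines quoted in the post above, one ESP SA per direction.
SAMPLE_LOG = """\
Jul 30 23:56:02 16[CHD] adding inbound ESP SA
Jul 30 23:56:02 16[CHD] SPI 0xc59cf5ad, src 94.124.105.47 dst 172.31.17.85
Jul 30 23:56:02 16[KNL] adding SAD entry with SPI c59cf5ad and reqid {1}
Jul 30 23:56:02 16[KNL] using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] unable to add SAD entry with SPI c59cf5ad
Jul 30 23:56:02 16[CHD] adding outbound ESP SA
Jul 30 23:56:02 16[CHD] SPI 0xc2afbe7d, src 172.31.17.85 dst 94.124.105.47
Jul 30 23:56:02 16[KNL] adding SAD entry with SPI c2afbe7d and reqid {1}
Jul 30 23:56:02 16[KNL] using encryption algorithm AES_CBC with key size 128
Jul 30 23:56:02 16[KNL] using integrity algorithm HMAC_SHA1_96 with key size 160
Jul 30 23:56:02 16[KNL] error sending to PF_KEY socket: Invalid argument
Jul 30 23:56:02 16[KNL] unable to add SAD entry with SPI c2afbe7d
"""

# charon log line: "<syslog timestamp> <thread>[<group>] <message>"
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\d+)\[(\w+)\] (.*)$")

def parse_sa_installs(text):
    """Map SPI -> {direction, src, dst, reqid, enc, integ, error} for every
    'adding SAD entry' attempt; error is charon's PF_KEY errno text or None."""
    attempts, pending, current = OrderedDict(), {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        group, msg = m.group(3), m.group(4)
        if group in ("CHD", "IKE"):
            current = None  # back in the child-SA state machine: the kernel add is over
        if mm := re.match(r"adding (inbound|outbound) ESP SA", msg):
            pending = {"direction": mm.group(1)}
        elif mm := re.match(r"SPI 0x[0-9a-f]+, src (\S+) dst (\S+)", msg):
            pending.update(src=mm.group(1), dst=mm.group(2))
        elif mm := re.match(r"adding SAD entry with SPI ([0-9a-f]+) and reqid \{(\d+)\}", msg):
            current = mm.group(1)
            attempts[current] = dict(pending, reqid=int(mm.group(2)), error=None)
        elif current and (mm := re.match(r"using (encryption|integrity) algorithm (\S+) with key size (\d+)", msg)):
            attempts[current]["enc" if mm.group(1) == "encryption" else "integ"] = f"{mm.group(2)}/{mm.group(3)}"
        elif current and (mm := re.match(r"error sending to PF_KEY socket: (.*)", msg)):
            attempts[current]["error"] = mm.group(1)
    return attempts

def failed_installs(text):
    """Only the attempts the kernel rejected: the SPIs worth checking with setkey -D."""
    return {spi: a for spi, a in parse_sa_installs(text).items() if a["error"]}
```

Feed it `/var/log/daemon.log` (or wherever charon logs on your host) and compare the rejected enc/integ pairs and key sizes against what the kernel side accepts.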