Date: Wed, 03 Jun 2026 19:18:37 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 295828] security/strongswan: enable KERNELLIBIPSEC option by default for vnet jail support
Message-ID: <bug-295828-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295828

            Bug ID: 295828
           Summary: security/strongswan: enable KERNELLIBIPSEC option by default for vnet jail support
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs@FreeBSD.org
          Reporter: 2269804@gmail.com
                CC: strongswan@Nanoteq.com
             Flags: maintainer-feedback?(strongswan@Nanoteq.com)

Summary
=======

The security/strongswan port has KERNELLIBIPSEC=off by default. This makes it impossible to run strongSwan as a VPN client inside a FreeBSD vnet jail, which is a legitimate and increasingly common use case.

Problem
=======

In a vnet jail, the pfkey socket is isolated to the jail's own vnet instance. It cannot install SAD/SPD entries into the host kernel's IPsec stack. This causes phase 2 to fail with:

    [KNL] unable to add SAD entry with SPI xxxxxxxx: Invalid argument (22)
    [IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel

The kernel-libipsec plugin bypasses this limitation by handling IPsec entirely in userspace via a TUN device. However, since KERNELLIBIPSEC=off in the default pkg build, the plugin .so is not installed (@comment in plist).

Environment
===========

- FreeBSD 15.0-RELEASE-p9, GENERIC kernel (VIMAGE present)
- strongSwan 6.0.6 from pkg
- vnet jail with epair interface
- IKEv1 Aggressive Mode + XAuth PSK (FortiGate)
- IKE phase 1 and XAuth complete successfully; phase 2 fails as described above

Proposal
========

Enable KERNELLIBIPSEC in OPTIONS_DEFAULT so that the plugin is available in the pkg binary. It is already a documented, supported plugin on FreeBSD/macOS (uses kernel-pfroute for routing). Users who do not need it incur no functional regression.

Alternatively, document the recommended devfs ruleset and jail.conf configuration required to use kernel-libipsec with TUN inside a vnet jail.
A detailed technical write-up including logs has been posted to the FreeBSD Forums: https://forums.freebsd.org/forums/networking.7/

This bug report and the forum post were prepared with the assistance of Claude (Anthropic), based on actual debugging sessions on FreeBSD 15.0.

-- 
You are receiving this mail because:
You are the assignee for the bug.
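The report's alternative proposal asks for a documented devfs ruleset and jail.conf for running kernel-libipsec with a TUN device inside a vnet jail. The fragments below are an added illustration of that configuration, not part of the bug report or of the port; the ruleset number 15, the jail name `vpn`, its path, the `epair0b` interface name and the use of /etc/make.conf to enable the port option are all assumptions. Each file is introduced by a comment naming it.

```conf
# /etc/make.conf on the build host (assumption: strongSwan is built from the
# port, because the default pkg binary omits the kernel-libipsec plugin .so)
security_strongswan_SET= KERNELLIBIPSEC

# /etc/devfs.rules on the host: a dedicated ruleset that exposes only the
# tun cloning device on top of the stock jail rules (ruleset number assumed)
[devfsrules_jail_vpn=15]
add include $devfsrules_hide_all
add include $devfsrules_unhide_basic
add include $devfsrules_unhide_login
add path 'tun*' unhide

# /etc/jail.conf on the host: a vnet jail that mounts devfs with that
# ruleset so charon can open /dev/tun inside the jail's own vnet
vpn {
    path = "/jails/vpn";
    host.hostname = "vpn.example.internal";
    vnet;
    vnet.interface = "epair0b";
    mount.devfs;
    devfs_ruleset = 15;
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
}

# /usr/local/etc/strongswan.conf inside the jail: load kernel-libipsec so
# the IPsec SAs live in userspace instead of the (isolated) jail kernel stack;
# kernel-pfroute stays loaded for routing, as the report notes
charon {
    plugins {
        kernel-libipsec {
            load = yes
        }
    }
}
```

Apply the devfs rules on the host (`service devfs restart`) before starting the jail, and keep the ruleset limited to `tun*` so the jail gains no other device access it does not need.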
