Netgate Discussion Forum
    Trouble with P2 tunnel, missing packages?

    IPsec
    1 Posts 1 Posters 318 Views

      CoupleBananas

      I'm trying to set up S2S IPsec between an on-prem network (out of my control) and an Azure environment. I am using the official Netgate Azure Marketplace image*. The P1 tunnel establishes fine, but things go awry when building the P2. These are the relevant log entries (most recent entry at the top):

      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> CHILD_SA con1{83} state change: INSTALLING => DESTROYING
      Jun 29 00:48:03	charon	32674	06[IKE] <con1|28> failed to establish CHILD_SA, keeping IKE_SA
      Jun 29 00:48:03	charon	32674	06[IKE] <con1|28> unable to install outbound IPsec SA (SAD) in kernel
      Jun 29 00:48:03	charon	32674	06[KNL] <con1|28> unable to add SAD entry with SPI c2af8d63: File exists (17)
      Jun 29 00:48:03	charon	32674	06[KNL] <con1|28> using integrity algorithm HMAC_SHA2_256_128 with key size 256
      Jun 29 00:48:03	charon	32674	06[KNL] <con1|28> using encryption algorithm AES_CBC with key size 256
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> SPI 0xc2af8d63, src 10.0.0.4 dst <<<remote ip redacted>>>
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> adding outbound ESP SA
      Jun 29 00:48:03	charon	32674	06[KNL] <con1|28> using integrity algorithm HMAC_SHA2_256_128 with key size 256
      Jun 29 00:48:03	charon	32674	06[KNL] <con1|28> using encryption algorithm AES_CBC with key size 256
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> SPI 0xcc17488f, src <<<remote ip redacted>>> dst 10.0.0.4
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> adding inbound ESP SA
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> using HMAC_SHA2_256_128 for integrity
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> using AES_CBC for encryption
      Jun 29 00:48:03	charon	32674	06[CHD] <con1|28> CHILD_SA con1{83} state change: CREATED => INSTALLING
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> config: 145.45.14.131/32|/0, received: 145.45.14.131/32|/0 => match: 145.45.14.131/32|/0
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> selecting traffic selectors for other:
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> config: 145.45.14.131/32|145.31.254.94/32, received: 145.45.14.131/32|/0 => match: 145.45.14.131/32|145.31.254.94/32
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> selecting traffic selectors for us:
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_521/NO_EXT_SEQ
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> proposal matches
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> selecting proposal:
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> found matching child config "con1" with prio 10
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> candidate "con1" with prio 5+5
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> 145.45.14.131/32|/0
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> proposing traffic selectors for other:
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> 145.45.14.131/32|145.31.254.94/32
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> proposing traffic selectors for us:
      Jun 29 00:48:03	charon	32674	06[CFG] <con1|28> looking for a child config for 145.45.14.131/32|/0 === 145.45.14.131/32|/0
      Jun 29 00:48:03	charon	32674	06[IKE] <con1|28> IKE_SA con1[28] state change: CONNECTING => ESTABLISHED
      

      (more entries: https://pastebin.com/zYVbXXMC)

      Note: 145.31.254.94/32 and 145.45.14.131/32 are private subnets, not public. This is required by the admins of the on prem network.

      The relevant line here is (I think):

      unable to install outbound IPsec SA (SAD) in kernel
      

      After some research, it seems to me that this indicates that some crypto library is missing. Is this correct? What is the solution?

      *22.01-RELEASE (amd64)
      built on Mon Feb 07 16:37:59 UTC 2022
      FreeBSD 12.3-STABLE

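The check a practitioner would run against the log above, as an added example that is not part of the original post or of Netgate's software: the line that matters is not "unable to install outbound IPsec SA (SAD) in kernel" but the kernel error just below it, `File exists (17)`. Errno 17 is EEXIST, returned by the FreeBSD kernel when strongSwan's charon tries to add an ESP SA whose SPI is already present in the Security Association Database; a missing cipher or integrity algorithm never gets as far as the SAD add and is reported differently. The script parses pfSense-style charon lines (tab separated, newest first), pairs the failing SPI with the src/dst that charon logged for it, classifies the failure by errno, and emits the `setkey` commands that confirm or clear a stale SA. The sample log is constructed from the post's own lines with the redacted peer replaced by the documentation address 203.0.113.10; the "not supported by kernel" substring used for the algorithm case is an assumption about charon's wording, not something the post shows.

```python
import errno
import re
from dataclasses import dataclass

# Constructed sample: the failure window from the post, newest-first exactly as the
# pfSense log viewer shows it. The redacted remote peer is replaced by the
# documentation address 203.0.113.10 (an assumption, not the poster's real peer).
SAMPLE_LOG = """\
Jun 29 00:48:03\tcharon\t32674\t06[CHD] <con1|28> CHILD_SA con1{83} state change: INSTALLING => DESTROYING
Jun 29 00:48:03\tcharon\t32674\t06[IKE] <con1|28> failed to establish CHILD_SA, keeping IKE_SA
Jun 29 00:48:03\tcharon\t32674\t06[IKE] <con1|28> unable to install outbound IPsec SA (SAD) in kernel
Jun 29 00:48:03\tcharon\t32674\t06[KNL] <con1|28> unable to add SAD entry with SPI c2af8d63: File exists (17)
Jun 29 00:48:03\tcharon\t32674\t06[CHD] <con1|28> SPI 0xc2af8d63, src 10.0.0.4 dst 203.0.113.10
Jun 29 00:48:03\tcharon\t32674\t06[CHD] <con1|28> adding outbound ESP SA
Jun 29 00:48:03\tcharon\t32674\t06[CFG] <con1|28> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
"""


@dataclass
class CharonEvent:
    ts: str
    subsystem: str   # charon debug group: KNL, IKE, CHD, CFG, ...
    conn: str        # connection name, e.g. con1
    ike_id: int      # IKE_SA unique id, e.g. 28 in <con1|28>
    msg: str


# "<month> <day> <time> <tab> charon <tab> <pid> <tab> NN[GRP] <conn|ike-id> message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+charon\s+\d+\s+"
    r"\d\d\[(?P<sub>[A-Z]{3})\]\s+<(?P<conn>[^|>]+)\|(?P<ike>\d+)>\s+(?P<msg>.*)$"
)
# charon's kernel-interface error: SPI (no 0x prefix), strerror text, errno in parentheses
SAD_ERR_RE = re.compile(
    r"unable to add SAD entry with SPI (?P<spi>[0-9a-fA-F]+): (?P<err>.*?) \((?P<errno>\d+)\)"
)
# the CHD line that names the SPI with its endpoints, logged just before the SAD add
SPI_RE = re.compile(r"\bSPI 0x(?P<spi>[0-9a-fA-F]+), src (?P<src>\S+) dst (?P<dst>\S+)")


def parse_charon(text: str, newest_first: bool = True) -> list[CharonEvent]:
    """Parse pfSense-style charon log lines; unparseable lines are skipped.
    Returns events oldest-first so state can be tracked in causal order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(CharonEvent(m["ts"], m["sub"], m["conn"], int(m["ike"]), m["msg"]))
    return list(reversed(events)) if newest_first else events


def diagnose(text: str, newest_first: bool = True) -> dict:
    """Classify a CHILD_SA install failure from the kernel errno charon reported."""
    result = {"verdict": "no_sad_error", "spi": None, "src": None, "dst": None,
              "errno": None, "error": None, "proposal": None}
    spi_endpoints: dict[str, tuple[str, str]] = {}   # spi (lowercase hex) -> (src, dst)
    for ev in parse_charon(text, newest_first):
        if (m := SPI_RE.search(ev.msg)):
            spi_endpoints[m["spi"].lower()] = (m["src"], m["dst"])
        elif ev.msg.startswith("selected proposal: "):
            # a selected proposal means both peers agreed on the ESP algorithms
            result["proposal"] = ev.msg.split(": ", 1)[1]
        elif (m := SAD_ERR_RE.search(ev.msg)):
            spi = m["spi"].lower()
            result.update(spi=spi, errno=int(m["errno"]), error=m["err"])
            result["src"], result["dst"] = spi_endpoints.get(spi, (None, None))
        elif "not supported by kernel" in ev.msg:
            # assumed wording for charon's algorithm-lookup failure; it occurs
            # before any SAD add, so it never carries an errno
            result["verdict"] = "kernel_lacks_algorithm"
    if result["errno"] == errno.EEXIST:          # 17: an SA with this SPI is already installed
        result["verdict"] = "stale_sa_in_kernel"
    elif result["errno"] is not None:            # any other errno: kernel rejected the SA
        result["verdict"] = "kernel_rejected_sa"
    return result


def suggested_checks(result: dict) -> list[str]:
    """Console commands (FreeBSD setkey, present on pfSense) to confirm or clear a stale SA."""
    if result["verdict"] != "stale_sa_in_kernel":
        return []
    return [
        # setkey -D prints each SA's SPI as spi=<decimal>(0x<hex>); the preceding line is src dst
        f"setkey -D | grep -B1 -A7 0x{result['spi']}",
        # flush the kernel SAD; charon renegotiates the tunnels afterwards
        "setkey -F",
    ]


if __name__ == "__main__":
    verdict = diagnose(SAMPLE_LOG)
    print(verdict)
    for cmd in suggested_checks(verdict):
        print(cmd)
```

The `selected proposal` line being present alongside EEXIST is the detail that rules out a missing crypto package: the kernel only reports "File exists" after the algorithms were accepted and the key material was handed over. Run `setkey -D` before flushing so the duplicate entry (typically a leftover from a previous CHILD_SA of the same connection) is on record.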
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.