Trouble with P2 tunnel, missing packages?
I'm trying to set up S2S IPSec between an on-prem network (out of my control) and an Azure environment. I am using the official Netgate Azure Marketplace image*. The P1 tunnel establishes fine, but things go awry when building the P2. These are the relevant log entries (most recent entry at the top):
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> CHILD_SA con1{83} state change: INSTALLING => DESTROYING
Jun 29 00:48:03 charon 32674 06[IKE] <con1|28> failed to establish CHILD_SA, keeping IKE_SA
Jun 29 00:48:03 charon 32674 06[IKE] <con1|28> unable to install outbound IPsec SA (SAD) in kernel
Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> unable to add SAD entry with SPI c2af8d63: File exists (17)
Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> using encryption algorithm AES_CBC with key size 256
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> SPI 0xc2af8d63, src 10.0.0.4 dst <<<remote ip redacted>>>
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> adding outbound ESP SA
Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> using encryption algorithm AES_CBC with key size 256
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> SPI 0xcc17488f, src <<<remote ip redacted>>> dst 10.0.0.4
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> adding inbound ESP SA
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> using HMAC_SHA2_256_128 for integrity
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> using AES_CBC for encryption
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> CHILD_SA con1{83} state change: CREATED => INSTALLING
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> config: 145.45.14.131/32|/0, received: 145.45.14.131/32|/0 => match: 145.45.14.131/32|/0
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> selecting traffic selectors for other:
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> config: 145.45.14.131/32|145.31.254.94/32, received: 145.45.14.131/32|/0 => match: 145.45.14.131/32|145.31.254.94/32
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> selecting traffic selectors for us:
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/ECP_521/NO_EXT_SEQ
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> proposal matches
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> selecting proposal:
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> found matching child config "con1" with prio 10
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> candidate "con1" with prio 5+5
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> 145.45.14.131/32|/0
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> proposing traffic selectors for other:
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> 145.45.14.131/32|145.31.254.94/32
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> proposing traffic selectors for us:
Jun 29 00:48:03 charon 32674 06[CFG] <con1|28> looking for a child config for 145.45.14.131/32|/0 === 145.45.14.131/32|/0
Jun 29 00:48:03 charon 32674 06[IKE] <con1|28> IKE_SA con1[28] state change: CONNECTING => ESTABLISHED
(more entries: https://pastebin.com/zYVbXXMC)
Note: 145.31.254.94/32 and 145.45.14.131/32 are private subnets, not public. This is required by the admins of the on-prem network.
The relevant line here is (I think):
unable to install outbound IPsec SA (SAD) in kernel
After some research, it seems to me that this indicates that some crypto library is missing. Is this correct? What is the solution?
*22.01-RELEASE (amd64)
built on Mon Feb 07 16:37:59 UTC 2022
FreeBSD 12.3-STABLE
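Added example (not part of the post above): a small Python triage helper for charon log lines in the layout shown in the post. It restores chronological order (pfSense lists the newest entry first), pairs each kernel SAD-install failure with the ESP direction charon was installing at that moment, and decodes the errno; "File exists (17)" is EEXIST, i.e. the kernel's SAD already held an entry for that SPI. The sample log is constructed from the post's lines with the remote peer replaced by a documentation address.

```python
import re

# charon line layout as it appears in the post:
#   "Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) charon \d+ \d+\[(?P<group>[A-Z]+)\] "
    r"<(?P<conn>[^|>]+)\|(?P<ike>\d+)> (?P<msg>.*)$")
SAD_FAIL_RE = re.compile(
    r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<err>.+) \((?P<errno>\d+)\)")
DIR_RE = re.compile(r"adding (?P<dir>inbound|outbound) ESP SA")
EEXIST = 17  # errno 17: the kernel SAD already holds an entry for that SPI

def sad_install_failures(text, newest_first=True):
    """Return one dict per kernel SAD-install failure in a charon log, tagged with the
    ESP direction charon was installing. Lines that do not match the charon layout
    (e.g. redacted fragments) are skipped. pfSense displays newest entries first."""
    entries = [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]
    if newest_first:
        entries.reverse()  # chronological order, so "adding ... SA" precedes the error
    last_dir = {}  # ike_sa -> direction of the ESP SA currently being installed
    findings = []
    for e in entries:
        ike_sa = f"{e['conn']}[{e['ike']}]"
        d = DIR_RE.search(e["msg"])
        if e["group"] == "CHD" and d:
            last_dir[ike_sa] = d["dir"]
        f = SAD_FAIL_RE.search(e["msg"])
        if e["group"] == "KNL" and f:
            errno = int(f["errno"])
            findings.append({"ike_sa": ike_sa, "direction": last_dir.get(ike_sa, "unknown"),
                             "spi": "0x" + f["spi"], "errno": errno, "error": f["err"],
                             "duplicate_spi": errno == EEXIST})
    return findings

# Constructed sample adapted from the post (remote peer replaced by a documentation address).
SAMPLE_LOG = """\
Jun 29 00:48:03 charon 32674 06[IKE] <con1|28> failed to establish CHILD_SA, keeping IKE_SA
Jun 29 00:48:03 charon 32674 06[IKE] <con1|28> unable to install outbound IPsec SA (SAD) in kernel
Jun 29 00:48:03 charon 32674 06[KNL] <con1|28> unable to add SAD entry with SPI c2af8d63: File exists (17)
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> SPI 0xc2af8d63, src 10.0.0.4 dst 203.0.113.10
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> adding outbound ESP SA
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> SPI 0xcc17488f, src 203.0.113.10 dst 10.0.0.4
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> adding inbound ESP SA
Jun 29 00:48:03 charon 32674 06[CHD] <con1|28> CHILD_SA con1{83} state change: CREATED => INSTALLING
"""

if __name__ == "__main__":
    for finding in sad_install_failures(SAMPLE_LOG):
        print(finding)
```

A duplicate-SPI finding points at the kernel's SA database rather than at a missing algorithm, so the next check is the installed SAs on the firewall (and whether a stale SA for that SPI survived a previous negotiation).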