Netgate Discussion Forum

    IPsec in 2.2RC: "Error sending to PF_KEY socket: No buffer space available"

    2.2 Snapshot Feedback and Problems - RETIRED
    • kogir

      I'm having trouble with IPsec. We use two AWS VPN Gateways to connect our office premises to cloud instances, and use BGP to handle the routing. In 2.1.5 everything works pretty well, but in testing 2.2RC (even today's snapshot), IPsec just doesn't work.

      I have four phase 1 entries each with two phase 2 entries. Nothing crazy. I can only get one to come up at a time, and even then it won't last.

      The logs contain errors about buffer space:

      
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to add SAD entry with SPI c2c6769b
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to add SAD entry with SPI 3714240b
      Dec 14 12:11:43 pfsense1 charon: 08[IKE] <con1|9>unable to install inbound and outbound IPsec SA (SAD) in kernel
      Dec 14 12:11:43 pfsense1 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to delete SAD entry with SPI c2c6769b
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
      Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to delete SAD entry with SPI 3714240b
      Dec 14 12:11:43 pfsense1 charon: 08[IKE] <con1|9>sending DELETE for ESP CHILD_SA with SPI 3714240b
      Dec 14 12:11:43 pfsense1 charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI 3714240b
      

      Might this be relevant? https://wiki.strongswan.org/issues/783

      I tried increasing net.inet.raw.maxdgram and net.inet.raw.recvspace from the default of 9216 to 131072, but still get the messages.

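A way to triage charon output like the lines quoted in the post above, as an added example that is not part of the original thread or of pfSense/strongSwan: it counts PF_KEY send errors by reason and ties each SAD add/delete failure to the connection named on the next tagged IKE line. The function name `triage` is hypothetical, and the correlation assumes the number before `[KNL]`/`[IKE]` is charon's worker thread and that related lines are logged on the same thread.

```python
import re
from collections import defaultdict

# First 12 lines are the charon output quoted in the post; the last is constructed.
SAMPLE = """\
Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to add SAD entry with SPI c2c6769b
Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to add SAD entry with SPI 3714240b
Dec 14 12:11:43 pfsense1 charon: 08[IKE] <con1|9>unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 14 12:11:43 pfsense1 charon: 08[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to delete SAD entry with SPI c2c6769b
Dec 14 12:11:43 pfsense1 charon: 08[KNL] error sending to PF_KEY socket: No buffer space available
Dec 14 12:11:43 pfsense1 charon: 08[KNL] unable to delete SAD entry with SPI 3714240b
Dec 14 12:11:43 pfsense1 charon: 08[IKE] <con1|9>sending DELETE for ESP CHILD_SA with SPI 3714240b
Dec 14 12:11:43 pfsense1 charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI 3714240b
Dec 14 12:11:44 pfsense1 charon: 11[KNL] unable to add SAD entry with SPI 0badc0de
"""

LINE = re.compile(r"charon: (\d+)\[(\w+)\] (?:<([^|>]+)\|\d+>\s*)?(.*)")
PFKEY_ERR = re.compile(r"error sending to PF_KEY socket: (.+)")
SAD_FAIL = re.compile(r"unable to (add|delete) SAD entry with SPI ([0-9a-f]{8})")

def triage(log_text):
    """Return ({conn: {spi: {ops}}}, {pf_key_errno_text: count})."""
    pending = {}                 # worker thread -> text of its last PF_KEY error
    orphan = defaultdict(dict)   # worker thread -> {spi: ops} awaiting a conn name
    by_conn, reasons = defaultdict(dict), defaultdict(int)
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        thread, group, conn, msg = m.groups()
        err, fail = PFKEY_ERR.match(msg), SAD_FAIL.match(msg)
        if group == "KNL" and err:
            pending[thread] = err.group(1)
            reasons[err.group(1)] += 1
        elif group == "KNL" and fail and pending.pop(thread, None):
            # SAD failure directly preceded by a PF_KEY send error on this thread
            orphan[thread].setdefault(fail.group(2), set()).add(fail.group(1))
        elif group == "IKE" and conn and thread in orphan:
            # the tagged IKE line names the connection the failed SPIs belong to
            for spi, ops in orphan.pop(thread).items():
                by_conn[conn].setdefault(spi, set()).update(ops)
    return dict(by_conn), dict(reasons)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The constructed line on thread 11 is left out of the result because no PF_KEY send error precedes it on that thread.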
      • eri--

        Can you please upgrade to the next upcoming snapshot? There should be a fix for this issue.

        • kogir

          @ermal:

          Can you please upgrade to the next upcoming snapshot? There should be a fix for this issue.

          Absolutely. Thanks!

          • kogir

            The version self-reporting as

            
            2.2-RC (amd64) 
            built on Tue Dec 16 16:14:58 CST 2014 
            
            

            is much improved. All tunnels appear to come and stay up. charon is still super chatty in the logs, even on silent log level, but I've seen no more PF_KEY errors.

            • eri--

              I put in a fix for the logging issue.
              It will behave better now since it was not properly configuring silent.
