Netgate Discussion Forum
    IKEv2 fail - "unable to add SAD entry"/"Invalid argument (22)" error

    CocoaPine

      Hi all,

      I'm trying to get an Android-derived mobile device to establish a new IPSec tunnel back to the pfSense box but I'm having quite a bit of trouble. Any help would be appreciated! Here's what I'm getting in the logs:

      Feb 13 23:33:20	charon: 06[NET] <con1|8> sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
      Feb 13 23:33:20	charon: 06[NET] sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
      Feb 13 23:33:20	charon: 06[ENC] <con1|8> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
      Feb 13 23:33:20	charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
      Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
      Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI 34348933: No such file or directory (2)
      Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
      Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
      Feb 13 23:33:20	charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
      Feb 13 23:33:20	charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
      Feb 13 23:33:20	charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
      Feb 13 23:33:20	charon: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
      Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
      Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI 34348933: Invalid argument (22)
      Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
      Feb 13 23:33:20	charon: 06[CHD] SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
      Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding outbound ESP SA
      Feb 13 23:33:20	charon: 06[CHD] adding outbound ESP SA
      Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
      Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI c80b247d: Invalid argument (22)
      Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
      Feb 13 23:33:20	charon: 06[CHD] SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
      Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding inbound ESP SA
      Feb 13 23:33:20	charon: 06[CHD] adding inbound ESP SA
      Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
      Feb 13 23:33:20	charon: 06[CHD] using AES_XCBC_96 for integrity
      Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_CBC for encryption
      Feb 13 23:33:20	charon: 06[CHD] using AES_CBC for encryption
      Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
      Feb 13 23:33:20	charon: 06[CFG] config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
      Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for other:
      Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for other:
      Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
      Feb 13 23:33:20	charon: 06[CFG] config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
      Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for us:
      Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for us:
      Feb 13 23:33:20	charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
      Feb 13 23:33:20	charon: 06[CFG] selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
      

      Everything before this point is successfully negotiating IKE phase 1, and everything after this point is just retransmitting informational messages and performing Dead Peer Detection.

      The behavior on the mobile device is that it hangs saying it is trying to connect for about 60 seconds, then it times out and quits. At any point during those 60 seconds, though, I can run "ipsec status" using Diagnostics -> Command Prompt, and it shows something like this:

      $ ipsec status
      Shunted Connections:
         bypasslan:  192.168.1.0/24|/0 === 192.168.1.0/24|/0 PASS
      Security Associations (1 up, 0 connecting):
              con1[9]: ESTABLISHED 14 seconds ago, 173.25.140.114[localID]...166.170.221.137[remoteID]
      
      

      So clearly pfSense thinks the tunnel is established and it's trying to move on to phase 2.

      It seems that these two messages are key to the problem I'm having:

      • unable to add SAD entry with SPI 34348933: Invalid argument (22)

      • failed to establish CHILD_SA, keeping IKE_SA

      I believe I'm running into the issue that was fixed in StrongSwan bug #446 (see link below). I'd like to make sure that version 5.1.2 or later of StrongSwan is included in the latest pfSense. If it already is this version or later, then I'm guessing I'm running into a new bug with the "Invalid argument (22)" message. I can't seem to crank the logging up high enough to find out what arguments are actually being passed to the kernel though.

      Here is my ipsec.conf file so you get an idea of my VPN configuration:

      # This file is automatically generated. Do not edit
      config setup
      	uniqueids = yes
      
      conn bypasslan
      	leftsubnet = 192.168.1.0/24
      	rightsubnet = 192.168.1.0/24
      	authby = never
      	type = passthrough
      	auto = route
      
      conn con1
      	fragmentation = yes
      	keyexchange = ikev2
      	reauth = yes
      	forceencaps = no
      	mobike = yes
      	rekey = yes
      	installpolicy = yes
      
      	compress = no
      	tfc = no
      	dpdaction = clear
      	dpddelay = 10s
      	dpdtimeout = 60s
      	auto = add
      	left = 173.25.140.114
      	right = %any
      	leftid = fqdn:localID
      	ikelifetime = 28800s
      	rightsourceip = 172.16.0.0/24
      	ike = aes256-sha256-modp1024!
      	leftauth = psk
      	rightauth = psk
      

      Note that I manually added "compress = no" and "tfc = no" (also tried "tfc = 0") to this file as troubleshooting steps. I fully realize that ipsec.conf is automatically generated and these values will be overwritten next time I make a change; no problem, just wanted to see if they made a difference. I generated the Phase 1 config by going through the Mobile Clients tab first.

      References that I've found so far:

      • Official pfSense IPSec Troubleshooting document: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

      • StrongSwan mailing list entry where some guy ran into much the same thing I am, but didn't post what he did to get it to connect: https://lists.strongswan.org/pipermail/users/2013-April/004582.html

      • StrongSwan bug #446: https://wiki.strongswan.org/issues/446

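      The two messages the poster singles out can be pulled out of a charon log mechanically. The following is an added example, not code from the thread or from pfSense/strongSwan: a small Python triage script that groups charon messages by IKE_SA scope (the `<conn|id>` prefix), records the selected ESP proposal and the SPI/src/dst of each CHILD_SA, and collects every kernel SAD-install failure with its errno. The sample log is constructed for the example (a few lines modelled on the poster's output, in chronological order rather than pfSense's newest-first display); the unscoped duplicate lines pfSense writes for every message are deliberately skipped so nothing is double counted.

```python
import re
from collections import defaultdict

# Constructed sample: charon lines in pfSense's log layout, modelled on the thread.
# Chronological order (pfSense's GUI shows newest first). Only scoped lines are used.
SAMPLE_LOG = """\
Feb 13 23:33:20\tcharon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Feb 13 23:33:20\tcharon: 06[CFG] selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> adding inbound ESP SA
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20\tcharon: 06[KNL] unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> adding outbound ESP SA
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20\tcharon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20\tcharon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
"""

# "<month> <day> <hh:mm:ss>\tcharon: <thread>[<group>] [<conn|sa> ]<message>"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+charon: '
    r'(?P<thread>\d+)\[(?P<group>[A-Z]+)\] '
    r'(?:<(?P<conn>[^|>]+)\|(?P<sa>\d+)> )?(?P<msg>.*)$'
)
PROPOSAL_RE = re.compile(r'selected proposal: (?P<prop>ESP:\S+)')
SA_DESC_RE = re.compile(r'SPI 0x(?P<spi>[0-9a-f]+), src (?P<src>\S+) dst (?P<dst>\S+)')
SAD_ADD_FAIL_RE = re.compile(
    r'unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<err>.+) \((?P<errno>\d+)\)'
)


def parse_line(line):
    """Split one charon log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Group messages per IKE_SA ("conn|id") and record why the CHILD_SA install failed."""
    report = defaultdict(lambda: {"proposal": None, "spis": {},
                                  "sad_errors": [], "child_sa_failed": False})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["conn"] is None:
            # pfSense writes each message twice, once with the <conn|id> scope and
            # once without; keeping only the scoped copy also de-duplicates it.
            continue
        entry = report[f"{rec['conn']}|{rec['sa']}"]
        msg = rec["msg"]
        if (m := PROPOSAL_RE.search(msg)):
            entry["proposal"] = m.group("prop")
        elif (m := SA_DESC_RE.search(msg)):
            entry["spis"][m.group("spi")] = (m.group("src"), m.group("dst"))
        elif (m := SAD_ADD_FAIL_RE.search(msg)):
            # errno is what the kernel returned when charon tried to install the SA.
            entry["sad_errors"].append({"spi": m.group("spi"),
                                        "errno": int(m.group("errno")),
                                        "error": m.group("err")})
        elif "failed to establish CHILD_SA" in msg:
            entry["child_sa_failed"] = True
    return dict(report)


def summarize(report):
    """Render one line per failing IKE_SA plus one per refused SA, for a quick read."""
    lines = []
    for key, e in sorted(report.items()):
        if not e["sad_errors"] and not e["child_sa_failed"]:
            continue
        lines.append(f"{key}: CHILD_SA failed={e['child_sa_failed']} proposal={e['proposal']}")
        for err in e["sad_errors"]:
            src, dst = e["spis"].get(err["spi"], ("?", "?"))
            lines.append(f"  SPI 0x{err['spi']} {src}->{dst}: kernel refused SA install, "
                         f"errno {err['errno']} ({err['error']})")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

      Because the errno is reported by the kernel at SA-install time and not by charon's negotiation, the summary pairs it with the proposal that was actually selected (here AES_CBC_128 with AES_XCBC_96), which is the first thing to compare against what the kernel's IPsec stack supports when chasing an EINVAL like this one.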
      MaxHeadroom

        Hi,

        you have a setup with

        leftsubnet = 192.168.1.0/24
        rightsubnet = 192.168.1.0/24

        you can't have two different subnets with the same IP (range)

        CocoaPine

          Thank you for taking a crack at this issue. I don't actually need the 'bypasslan' connection so I went ahead and unchecked the "Auto-exclude LAN address" / "Enable bypass for LAN interface IP" check box in the IPSec Advanced Settings. This removes that whole 'bypasslan' section of the ipsec.conf and just leaves the default-named 'con1' connection left, which is the meat and potatoes of my attempt at configuring it. Scrolling down in that code block you'll see these two lines:

          left = 173.25.140.114
          

          and

          rightsourceip = 172.16.0.0/24
          

          Still getting the same behavior after doing this… Any other ideas?

        MaxHeadroom

            Oh sorry, last time I did not realize that you are trying to connect to a mobile Android device.

            For my Android 5.1.1 with the strongSwan app as a road warrior it looks like this
            (important part: leftsubnet 0.0.0.0/0):

            
            conn con3
            	fragmentation = yes
            	keyexchange = ikev2
            	reauth = yes
            	forceencaps = no
            	mobike = yes
            	rekey = yes
            	installpolicy = yes
            	type = tunnel
            	dpdaction = clear
            	dpddelay = 10s
            	dpdtimeout = 60s
            	auto = add
            	left = xxx.xxx.xxx.xxx
            	right = %any
            	leftid = "C=xxx, ST=xxxx, L=xxxx, O=xxxx, E=postmaster@xxx, CN=xxxxxx"
            	ikelifetime = 28800s
            	lifetime = 3600s
            	rightsourceip = 192.168.123.0/24
            	ike = aes256-sha512-modp2048!
            	esp = aes256-sha512!
            	eap_identity=%identity
            	leftauth=pubkey
            	rightauth=eap-tls
            	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt
            	leftsendcert=always
            	rightca="/C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=postmaster@xxx/CN=xxx-internal-ca/"
            	leftsubnet = 0.0.0.0/0
            
            

            But maybe just remove all IPsec config and restart pfSense; I had this once with a hanging IPsec tunnel…

            regards max

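            The difference MaxHeadroom points at, `leftsubnet = 0.0.0.0/0` present in his working road-warrior conn and absent from the poster's `con1`, is easy to check for across a generated ipsec.conf. The following is an added example, not code from the thread or from pfSense: a Python parser for the ipsec.conf section/key=value layout plus a small lint that flags a road-warrior conn (`right = %any` with `rightsourceip`) that has no `leftsubnet`. Without it strongSwan treats the local side as the `left` host address only, which is exactly the `config: 173.25.140.114/32` narrowing visible in the poster's log. As a second, informational check it also flags `modp1024` in the `ike` proposal, since 1024-bit DH is weak by current standards. The sample configuration is constructed for the example, modelled on the two conns posted in this thread.

```python
import re

# Constructed sample in pfSense's generated ipsec.conf layout, modelled on the
# poster's con1 (no leftsubnet) and MaxHeadroom's con3 (leftsubnet = 0.0.0.0/0).
SAMPLE_CONF = """\
# This file is automatically generated. Do not edit
config setup
\tuniqueids = yes

conn con1
\tkeyexchange = ikev2
\tauto = add
\tleft = 173.25.140.114
\tright = %any
\trightsourceip = 172.16.0.0/24
\tike = aes256-sha256-modp1024!
\tleftauth = psk
\trightauth = psk

conn con3
\tkeyexchange = ikev2
\tleft = xxx.xxx.xxx.xxx
\tright = %any
\tleftid = "C=xxx, ST=xxxx, O=xxxx, CN=xxxxxx"
\trightsourceip = 192.168.123.0/24
\tike = aes256-sha512-modp2048!
\tesp = aes256-sha512!
\tleftsubnet = 0.0.0.0/0
"""

SECTION_RE = re.compile(r'^(config|conn|ca)\s+(\S+)\s*$')


def parse_ipsec_conf(text):
    """Return {"setup": {...}, "conns": {name: {key: value}}} from ipsec.conf text.

    Section headers start in column 0; settings are indented "key = value" lines.
    Values are split on the first '=' only, so leftid/rightca strings containing
    '=' survive intact. Comments (#...) are stripped.
    """
    setup, conns = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            if kind == "conn":
                conns[name] = {}
                current = conns[name]
            elif kind == "config" and name == "setup":
                current = setup
            else:
                current = {}  # ca sections are parsed but not checked here
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    return {"setup": setup, "conns": conns}


def is_road_warrior(conn):
    """A conn that accepts any peer and hands out virtual IPs is a road-warrior conn."""
    return conn.get("right") == "%any" and "rightsourceip" in conn


def lint(parsed):
    """Return (conn name, severity, message) tuples for the checks described above."""
    findings = []
    for name, conn in parsed["conns"].items():
        if is_road_warrior(conn) and "leftsubnet" not in conn:
            findings.append((name, "warning",
                             "road-warrior conn without leftsubnet: strongSwan limits the local "
                             "traffic selector to the left host address (/32); set "
                             "leftsubnet = 0.0.0.0/0 to offer the full range, as in the working config"))
        ike = conn.get("ike", "")
        if "modp1024" in ike:
            findings.append((name, "info",
                             f"ike proposal {ike} uses 1024-bit DH (modp1024), which is weak "
                             "by current standards"))
    return findings


if __name__ == "__main__":
    for conn_name, severity, message in lint(parse_ipsec_conf(SAMPLE_CONF)):
        print(f"[{severity}] {conn_name}: {message}")
```

            Run against the sample, only `con1` produces findings; `con3` passes both checks. The parser is deliberately tolerant of the quoted DN-style values pfSense writes for `leftid` and `rightca`, which is the one place a naive `split("=")` would go wrong on a real file.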
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.