IKEv2 fail - "unable to add SAD entry"/"Invalid argument (22)" error



  • Hi all,

    I'm trying to get an Android-derived mobile device to establish a new IPSec tunnel back to the pfSense box but I'm having quite a bit of trouble. Any help would be appreciated! Here's what I'm getting in the logs:

    Feb 13 23:33:20	charon: 06[NET] <con1|8> sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
    Feb 13 23:33:20	charon: 06[NET] sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
    Feb 13 23:33:20	charon: 06[ENC] <con1|8> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
    Feb 13 23:33:20	charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI 34348933: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
    Feb 13 23:33:20	charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 13 23:33:20	charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
    Feb 13 23:33:20	charon: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI 34348933: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
    Feb 13 23:33:20	charon: 06[CHD] SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding outbound ESP SA
    Feb 13 23:33:20	charon: 06[CHD] adding outbound ESP SA
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI c80b247d: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
    Feb 13 23:33:20	charon: 06[CHD] SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding inbound ESP SA
    Feb 13 23:33:20	charon: 06[CHD] adding inbound ESP SA
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
    Feb 13 23:33:20	charon: 06[CHD] using AES_XCBC_96 for integrity
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_CBC for encryption
    Feb 13 23:33:20	charon: 06[CHD] using AES_CBC for encryption
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
    Feb 13 23:33:20	charon: 06[CFG] config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for other:
    Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for other:
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
    Feb 13 23:33:20	charon: 06[CFG] config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for us:
    Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for us:
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
    Feb 13 23:33:20	charon: 06[CFG] selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
    

    Everything before this point is successfully negotiating IKE phase 1, and everything after this point is just retransmitting informational messages and performing Dead Peer Detection.

    The behavior on the mobile device is that it hangs saying it is trying to connect, until about 60 seconds, when it times out and quits. At any point during those 60 seconds, though, I can run "ipsec status" using Diagnostics –> Command Prompt, and it shows something like this:

    $ ipsec status
    Shunted Connections:
       bypasslan:  192.168.1.0/24|/0 === 192.168.1.0/24|/0 PASS
    Security Associations (1 up, 0 connecting):
            con1[9]: ESTABLISHED 14 seconds ago, 173.25.140.114[localID]...166.170.221.137[remoteID]
    
    

    So clearly pfSense thinks the tunnel is established and it's trying to move on to phase 2.

    It seems that these two messages are key to the problem I'm having:

    • unable to add SAD entry with SPI 34348933: Invalid argument (22)

    • failed to establish CHILD_SA, keeping IKE_SA

    I believe I'm running into the issue that was fixed in StrongSwan bug #446 (see link below). I'd like to make sure that version 5.1.2 or later of StrongSwan is included in the latest pfSense. If it already is this version or later, then I'm guessing I'm running into a new bug with the "Invalid argument (22)" message. I can't seem to crank the logging up high enough to find out what arguments are actually being passed to the kernel though.

    Here is my ipsec.conf file so you get an idea of my VPN configuration:

    # This file is automatically generated. Do not edit
    config setup
    	uniqueids = yes
    
    conn bypasslan
    	leftsubnet = 192.168.1.0/24
    	rightsubnet = 192.168.1.0/24
    	authby = never
    	type = passthrough
    	auto = route
    
    conn con1
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = yes
    	rekey = yes
    	installpolicy = yes
    
    	compress = no
    	tfc = no
    	dpdaction = clear
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = add
    	left = 173.25.140.114
    	right = %any
    	leftid = fqdn:localID
    	ikelifetime = 28800s
    	rightsourceip = 172.16.0.0/24
    	ike = aes256-sha256-modp1024!
    	leftauth = psk
    	rightauth = psk
    

    Note that I manually added "compress = no" and "tfc = no" (also tried "tfc = 0") to this file as troubleshooting steps. I fully realize that ipsec.conf is automatically generated and these values will be overwritten next time I make a change; no problem, just wanted to see if they made a difference. I generated the Phase 1 config by going through the Mobile Clients tab first.

    References that I've found so far:


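Added example (not from the post, and not pfSense or strongSwan code): a small Python triage script for charon output in the pfSense format shown above. It groups, per IKE_SA tag, the selected ESP proposal, the inbound/outbound CHILD_SAs with their SPIs, and the kernel's add/delete errors per SPI, so the failing proposal and the errno line up instead of being spread over forty lines. The sample log inside it is a constructed subset of the lines from the post (tag <con1|8>, addresses and SPIs as posted), kept in the newest-first order the pfSense log viewer shows, with a few of the untagged duplicate lines left in to show that they are skipped. The function names are mine.

```python
"""Triage charon (strongSwan) log lines for CHILD_SA kernel-install failures.

Added example for this thread; not pfSense or strongSwan code. Assumes the
pfSense syslog layout seen in the post: <date>\tcharon: NN[SUBSYS] <conn|id> message
"""
import re

# Constructed sample: a subset of the post's lines, newest first (the order the
# pfSense log viewer shows), with a few of the untagged duplicates pfSense emits.
SAMPLE_LOG = """\
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20\tcharon: 06[KNL] unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
Feb 13 23:33:20\tcharon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20\tcharon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20\tcharon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> adding outbound ESP SA
Feb 13 23:33:20\tcharon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20\tcharon: 06[CHD] <con1|8> adding inbound ESP SA
Feb 13 23:33:20\tcharon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
"""

LINE_RE = re.compile(r"charon: \d+\[(?P<sub>[A-Z]+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
PROPOSAL_RE = re.compile(r"selected proposal: ESP:(?P<prop>\S+)")
DIRECTION_RE = re.compile(r"adding (?P<dir>inbound|outbound) ESP SA")
SPI_RE = re.compile(r"SPI 0x(?P<spi>[0-9a-f]+), src (?P<src>\S+) dst (?P<dst>\S+)")
ADD_ERR_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<err>.+ \(\d+\))")
DEL_ERR_RE = re.compile(r"unable to delete SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<err>.+ \(\d+\))")
ERRNO_RE = re.compile(r"\((\d+)\)$")


def parse_charon_log(text, newest_first=True):
    """Group CHILD_SA install events per IKE_SA tag (e.g. 'con1|8')."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if newest_first:
        lines.reverse()                    # process in the order charon emitted them
    sas, pending_dir = {}, {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or not m.group("sa"):
            continue                       # skip non-charon lines and untagged duplicates
        tag, msg = m.group("sa"), m.group("msg")
        rec = sas.setdefault(tag, {"proposal": None, "child_sas": [], "child_sa_failed": False})
        if (p := PROPOSAL_RE.search(msg)):
            rec["proposal"] = p.group("prop")
        elif (d := DIRECTION_RE.search(msg)):
            pending_dir[tag] = d.group("dir")   # "adding X ESP SA" precedes its SPI line
        elif (s := SPI_RE.search(msg)):
            rec["child_sas"].append({"dir": pending_dir.pop(tag, "unknown"), "spi": s.group("spi"),
                                     "src": s.group("src"), "dst": s.group("dst"),
                                     "install_error": None, "cleanup_error": None})
        elif (e := ADD_ERR_RE.search(msg)):
            _set_error(rec, e.group("spi"), "install_error", e.group("err"))
        elif (e := DEL_ERR_RE.search(msg)):
            _set_error(rec, e.group("spi"), "cleanup_error", e.group("err"))
        elif "failed to establish CHILD_SA" in msg:
            rec["child_sa_failed"] = True
    return sas


def _set_error(rec, spi, field, err):
    for child in rec["child_sas"]:
        if child["spi"] == spi:
            child[field] = err


def kernel_rejections(sas):
    """(tag, direction, spi, errno) for every SA the kernel refused to add.
    errno 22 (EINVAL) means the kernel rejected a parameter of the SA itself; when
    both directions fail identically, the selected proposal is the first suspect."""
    out = []
    for tag, rec in sas.items():
        for c in rec["child_sas"]:
            if c["install_error"]:
                out.append((tag, c["dir"], c["spi"], int(ERRNO_RE.search(c["install_error"]).group(1))))
    return out


def summarize(sas):
    lines = []
    for tag, rec in sas.items():
        status = "CHILD_SA failed, IKE_SA kept" if rec["child_sa_failed"] else "ok"
        lines.append(f"{tag}: ESP proposal {rec['proposal']} -> {status}")
        for c in rec["child_sas"]:
            lines.append(f"  {c['dir']:8} SPI {c['spi']} {c['src']} -> {c['dst']}: "
                         f"{c['install_error'] or 'installed'}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(parse_charon_log(SAMPLE_LOG))))
```

Run it as-is to print the summary, or replace SAMPLE_LOG with a block pasted from the IPsec log. An errno 22 on the SAD add is the kernel refusing the SA's own parameters, so the first thing to compare is the selected ESP proposal against what the kernel on that pfSense build accepts, before looking at routing or policy.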

  • Hi,

    you have a setup with

    leftsubnet = 192.168.1.0/24
    rightsubnet = 192.168.1.0/24

    you can't have two different subnets with the same IP (range)



  • Thank you for taking a crack at this issue. I don't actually need the 'bypasslan' connection so I went ahead and unchecked the "Auto-exclude LAN address" / "Enable bypass for LAN interface IP" check box in the IPSec Advanced Settings. This removes that whole 'bypasslan' section of the ipsec.conf and just leaves the default-named 'con1' connection, which is the meat and potatoes of my attempt at configuring it. Scrolling down in that code block you'll see these two lines:

    left = 173.25.140.114
    

    and

    rightsourceip = 172.16.0.0/24
    

    Still getting the same behavior after doing this… Any other ideas?



  • Oh, sorry, last time I did not realize that you are trying to connect to a mobile Android device.

    For my Android 5.1.1 with the strongSwan app as a road warrior it looks like this
    (important part: leftsubnet = 0.0.0.0/0)

    
    conn con3
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = yes
    	rekey = yes
    	installpolicy = yes
    	type = tunnel
    	dpdaction = clear
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = add
    	left = xxx.xxx.xxx.xxx
    	right = %any
    	leftid = "C=xxx, ST=xxxx, L=xxxx, O=xxxx, E=postmaster@xxx, CN=xxxxxx"
    	ikelifetime = 28800s
    	lifetime = 3600s
    	rightsourceip = 192.168.123.0/24
    	ike = aes256-sha512-modp2048!
    	esp = aes256-sha512!
    	eap_identity=%identity
    	leftauth=pubkey
    	rightauth=eap-tls
    	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt
    	leftsendcert=always
    	rightca="/C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=postmaster@xxx/CN=xxx-internal-ca/"
    	leftsubnet = 0.0.0.0/0
    
    

    But maybe just remove all IPsec config and restart pfSense; I had this once with a hanging IPsec tunnel…

    regards max
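Added example (mine, not from either poster and not pfSense code): the two conn sections in this thread compared key by key, so the settings con1 leaves to strongSwan defaults show up as a list instead of being eyeballed. The embedded configurations are the poster's con1 (with bypasslan removed, as in the follow-up) and max's con3, copied from the thread with indentation normalised; the parser and function names are mine and assume the "key = value" layout pfSense writes. It reports differences only; it does not decide which one is the fix.

```python
"""Parse ipsec.conf sections and diff two conn blocks.

Added example for this thread; not pfSense or strongSwan code. The two configs
below are copied from the posts above (indentation normalised).
"""

OP_CONF = """\
# This file is automatically generated. Do not edit
config setup
    uniqueids = yes

conn con1
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    compress = no
    tfc = no
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = 173.25.140.114
    right = %any
    leftid = fqdn:localID
    ikelifetime = 28800s
    rightsourceip = 172.16.0.0/24
    ike = aes256-sha256-modp1024!
    leftauth = psk
    rightauth = psk
"""

MAX_CONF = """\
conn con3
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = yes
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = clear
    dpddelay = 10s
    dpdtimeout = 60s
    auto = add
    left = xxx.xxx.xxx.xxx
    right = %any
    leftid = "C=xxx, ST=xxxx, L=xxxx, O=xxxx, E=postmaster@xxx, CN=xxxxxx"
    ikelifetime = 28800s
    lifetime = 3600s
    rightsourceip = 192.168.123.0/24
    ike = aes256-sha512-modp2048!
    esp = aes256-sha512!
    eap_identity=%identity
    leftauth=pubkey
    rightauth=eap-tls
    leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt
    leftsendcert=always
    rightca="/C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=postmaster@xxx/CN=xxx-internal-ca/"
    leftsubnet = 0.0.0.0/0
"""


def parse_ipsec_conf(text):
    """Return {"config setup": {...}, "conn NAME": {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments (no quoted '#' in these files)
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line is a section header
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None:                 # indented "key = value" or "key=value"
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip().strip('"')
    return sections


def diff_conn(a, b):
    """Keys whose values differ between two conn sections; a missing key reads as None."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def missing_in(a, b):
    """Keys b sets explicitly that a leaves to strongSwan's defaults."""
    return sorted(k for k in b if k not in a)


if __name__ == "__main__":
    con1 = parse_ipsec_conf(OP_CONF)["conn con1"]
    con3 = parse_ipsec_conf(MAX_CONF)["conn con3"]
    for key, (mine, theirs) in diff_conn(con1, con3).items():
        print(f"{key:15} con1={mine!r:28} con3={theirs!r}")
```

Running it lists every key that differs, with None where one side does not set it; the keys con1 never sets (type, lifetime, esp, leftsubnet and the certificate-related ones) come out as None on the left.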