Netgate Discussion Forum

IKEv2 fail - "unable to add SAD entry"/"Invalid argument (22)" error

Category: IPsec
4 Posts, 2 Posters, 4.9k Views
CocoaPine, Feb 14, 2016, 6:22 AM

    Hi all,

    I'm trying to get an Android-derived mobile device to establish a new IPSec tunnel back to the pfSense box but I'm having quite a bit of trouble. Any help would be appreciated! Here's what I'm getting in the logs:

    Feb 13 23:33:20	charon: 06[NET] <con1|8> sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
    Feb 13 23:33:20	charon: 06[NET] sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
    Feb 13 23:33:20	charon: 06[ENC] <con1|8> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
    Feb 13 23:33:20	charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI 34348933: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
    Feb 13 23:33:20	charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
    Feb 13 23:33:20	charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
    Feb 13 23:33:20	charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
    Feb 13 23:33:20	charon: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI 34348933: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
    Feb 13 23:33:20	charon: 06[CHD] SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding outbound ESP SA
    Feb 13 23:33:20	charon: 06[CHD] adding outbound ESP SA
    Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI c80b247d: Invalid argument (22)
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
    Feb 13 23:33:20	charon: 06[CHD] SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding inbound ESP SA
    Feb 13 23:33:20	charon: 06[CHD] adding inbound ESP SA
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
    Feb 13 23:33:20	charon: 06[CHD] using AES_XCBC_96 for integrity
    Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_CBC for encryption
    Feb 13 23:33:20	charon: 06[CHD] using AES_CBC for encryption
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
    Feb 13 23:33:20	charon: 06[CFG] config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for other:
    Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for other:
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
    Feb 13 23:33:20	charon: 06[CFG] config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for us:
    Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for us:
    Feb 13 23:33:20	charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
    Feb 13 23:33:20	charon: 06[CFG] selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
    

    Everything before this point is successfully negotiating IKE phase 1, and everything after this point is just retransmitting informational messages and performing Dead Peer Detection.

    The behavior on the mobile device is that it hangs saying it is trying to connect until about 60 seconds have passed, then it times out and quits. At any point during those 60 seconds, though, I can run "ipsec status" using the Diagnostics –> Command Prompt, and it shows something like this:

    $ ipsec status
    Shunted Connections:
       bypasslan:  192.168.1.0/24|/0 === 192.168.1.0/24|/0 PASS
    Security Associations (1 up, 0 connecting):
            con1[9]: ESTABLISHED 14 seconds ago, 173.25.140.114[localID]...166.170.221.137[remoteID]
    
    

    So clearly pfSense thinks the tunnel is established and it's trying to move on to phase 2.

    It seems that these two messages are key to the problem I'm having:

    • unable to add SAD entry with SPI 34348933: Invalid argument (22)

    • failed to establish CHILD_SA, keeping IKE_SA

    I believe I'm running into the issue that was fixed in StrongSwan bug #446 (see link below). I'd like to make sure that version 5.1.2 or later of StrongSwan is included in the latest pfSense. If it already is this version or later, then I'm guessing I'm running into a new bug with the "Invalid argument (22)" message. I can't seem to crank the logging up high enough to find out what arguments are actually being passed to the kernel though.

    Here is my ipsec.conf file so you get an idea of my VPN configuration:

    # This file is automatically generated. Do not edit
    config setup
    	uniqueids = yes
    
    conn bypasslan
    	leftsubnet = 192.168.1.0/24
    	rightsubnet = 192.168.1.0/24
    	authby = never
    	type = passthrough
    	auto = route
    
    conn con1
    	fragmentation = yes
    	keyexchange = ikev2
    	reauth = yes
    	forceencaps = no
    	mobike = yes
    	rekey = yes
    	installpolicy = yes
    
    	compress = no
    	tfc = no
    	dpdaction = clear
    	dpddelay = 10s
    	dpdtimeout = 60s
    	auto = add
    	left = 173.25.140.114
    	right = %any
    	leftid = fqdn:localID
    	ikelifetime = 28800s
    	rightsourceip = 172.16.0.0/24
    	ike = aes256-sha256-modp1024!
    	leftauth = psk
    	rightauth = psk
    

    Note that I manually added "compress = no" and "tfc = no" (also tried "tfc = 0") to this file as troubleshooting steps. I fully realize that ipsec.conf is automatically generated and these values will be overwritten next time I make a change; no problem, just wanted to see if they made a difference. I generated the Phase 1 config by going through the Mobile Clients tab first.

    References that I've found so far:

    • Official pfSense IPSec Troubleshooting document: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

    • StrongSwan mailing list entry where some guy ran into much the same thing I am, but didn't post what he did to get it to connect: https://lists.strongswan.org/pipermail/users/2013-April/004582.html

    • StrongSwan bug #446: https://wiki.strongswan.org/issues/446

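As an added example (editor's code, not from the poster, pfSense or strongSwan): the log excerpt above is shown newest-first, every line is logged twice (once with the `<con1|8>` IKE_SA tag, once without), and the two "No such file or directory (2)" delete errors are easy to mistake for a second problem when they are only charon cleaning up SAs that were never installed. The script below parses a trimmed copy of the posted lines, drops the duplicates, restores chronological order (assumption: input is newest-first, as in the pfSense log viewer), and separates the first kernel failure (the EINVAL on the SADB add) from the follow-up noise, while pulling out the exact ESP proposal the kernel was asked to install. It does not diagnose why the kernel returned EINVAL; it isolates what to check.

```python
"""Triage helper for strongSwan charon log excerpts such as the one in the post.

SAMPLE_LOG is a constructed, trimmed copy of the poster's lines.  Two of the
untagged duplicate lines pfSense emits are left in on purpose so the
de-duplication is exercised.  Order is newest-first, as in the post.
"""
import re

SAMPLE_LOG = """\
Feb 13 23:33:20 charon: 06[ENC] <con1|8> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
Feb 13 23:33:20 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
Feb 13 23:33:20 charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20 charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20 charon: 06[KNL] unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20 charon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20 charon: 06[CHD] <con1|8> adding outbound ESP SA
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20 charon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20 charon: 06[CHD] <con1|8> adding inbound ESP SA
Feb 13 23:33:20 charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
Feb 13 23:33:20 charon: 06[CHD] <con1|8> using AES_CBC for encryption
Feb 13 23:33:20 charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\s+charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?:<(?P<sa>[^>]+)> )?(?P<msg>.*)$")
ERRNO_NAMES = {2: "ENOENT", 22: "EINVAL"}  # the two errnos seen in the post


def parse_events(text):
    """Return unique charon events, oldest first (input assumed newest-first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        prev = events[-1] if events else None
        # pfSense logs each line twice (tagged + untagged): keep one, prefer tagged
        if prev and all(prev[k] == ev[k] for k in ("ts", "thread", "group", "msg")):
            if ev["sa"] and not prev["sa"]:
                events[-1] = ev
            continue
        events.append(ev)
    events.reverse()
    return events


def triage(events):
    """Extract proposal, SA installs, kernel errors, CHILD_SA outcome and notifies."""
    report = {"proposal": None, "sas": [], "kernel_errors": [],
              "child_failed": False, "notifies": []}
    pending = None  # direction announced by the last "adding ... ESP SA" line
    for ev in events:
        msg = ev["msg"]
        m = re.match(r"selected proposal: (\S+)", msg)
        if m:
            report["proposal"] = m.group(1)
            continue
        m = re.match(r"adding (inbound|outbound) ESP SA", msg)
        if m:
            pending = m.group(1)
            continue
        m = re.match(r"SPI 0x([0-9a-f]+), src (\S+) dst (\S+)", msg)
        if m and pending:
            report["sas"].append({"dir": pending, "spi": m.group(1), "src": m.group(2),
                                  "dst": m.group(3), "installed": True})
            continue
        m = re.match(r"unable to (add|delete) SAD entry with SPI ([0-9a-f]+): .* \((\d+)\)", msg)
        if m:
            op, spi, errno = m.group(1), m.group(2), int(m.group(3))
            report["kernel_errors"].append(
                {"op": op, "spi": spi, "errno": errno, "name": ERRNO_NAMES.get(errno, str(errno))})
            if op == "add":  # the SA charon just described never made it into the SAD
                for sa in report["sas"]:
                    if sa["spi"] == spi:
                        sa["installed"] = False
            continue
        if msg.startswith("failed to establish CHILD_SA"):
            report["child_failed"] = True
            continue
        m = re.match(r"generating IKE_AUTH response \d+ \[ (.*) \]", msg)
        if m:
            report["notifies"] = re.findall(r"N\((\w+)\)", m.group(1))
    return report


def summarize(report):
    """One line: the first real kernel failure, with the delete errors flagged as cleanup."""
    adds = [e for e in report["kernel_errors"] if e["op"] == "add"]
    deletes = [e for e in report["kernel_errors"] if e["op"] == "delete"]
    if not adds:
        return "no SAD install failure found"
    first = adds[0]
    return (f"kernel rejected SADB add for SPI {first['spi']} with {first['name']}; "
            f"{len(deletes)} later delete error(s) are cleanup of SAs never installed; "
            f"algorithms requested: {report['proposal']}")


if __name__ == "__main__":
    rep = triage(parse_events(SAMPLE_LOG))
    print(summarize(rep))
    print("IKE_AUTH response notifies:", rep["notifies"])
```

Run as-is it reports the EINVAL on the first SADB add, the proposal `ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ`, and the `NO_PROP` notify that the client receives in the IKE_AUTH response, which matches what the poster sees on the phone (IKE_SA established, no CHILD_SA, client hangs until its own timeout). The editor's suggested next check on the pfSense box, not something the thread itself did, is to ask the kernel directly whether it accepts that algorithm pair by adding a throwaway SA with setkey(8) using `-E aes-cbc` and `-A aes-xcbc-mac` and 16-byte dummy keys; if that also fails with EINVAL, the problem is kernel algorithm support rather than charon (check the algorithm names against the setkey man page of your release first).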
MaxHeadroom, Feb 22, 2016, 6:07 PM

      Hi,

      you have a setup with

      leftsubnet = 192.168.1.0/24
      rightsubnet = 192.168.1.0/24

      you can't have two different subnets with the same IP (range)

CocoaPine, Feb 24, 2016, 4:14 PM (edited Feb 24, 2016, 4:18 PM)

        Thank you for taking a crack at this issue. I don't actually need the 'bypasslan' connection so I went ahead and unchecked the "Auto-exclude LAN address" / "Enable bypass for LAN interface IP" check box in the IPSec Advanced Settings. This removes that whole 'bypasslan' section of the ipsec.conf and just leaves the default-named 'con1' connection left, which is the meat and potatoes of my attempt at configuring it. Scrolling down in that code block you'll see these two lines:

        left = 173.25.140.114
        

        and

        rightsourceip = 172.16.0.0/24
        

        Still getting the same behavior after doing this… Any other ideas?

MaxHeadroom, Mar 1, 2016, 8:07 PM

          Oh sorry, last time I did not realize that you were trying to connect to a mobile Android device.

          For my Android 5.1.1 with the strongSwan app as a road warrior it looks like this
          (important part: leftsubnet = 0.0.0.0/0)

          
          conn con3
          	fragmentation = yes
          	keyexchange = ikev2
          	reauth = yes
          	forceencaps = no
          	mobike = yes
          	rekey = yes
          	installpolicy = yes
          	type = tunnel
          	dpdaction = clear
          	dpddelay = 10s
          	dpdtimeout = 60s
          	auto = add
          	left = xxx.xxx.xxx.xxx
          	right = %any
          	leftid = "C=xxx, ST=xxxx, L=xxxx, O=xxxx, E=postmaster@xxx, CN=xxxxxx"
          	ikelifetime = 28800s
          	lifetime = 3600s
          	rightsourceip = 192.168.123.0/24
          	ike = aes256-sha512-modp2048!
          	esp = aes256-sha512!
          	eap_identity=%identity
          	leftauth=pubkey
          	rightauth=eap-tls
          	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt
          	leftsendcert=always
          	rightca="/C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=postmaster@xxx/CN=xxx-internal-ca/"
          	leftsubnet = 0.0.0.0/0
          
          

          But maybe just remove all IPsec config and restart pfSense; I had this once with a hanging IPsec tunnel…

          regards max

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.