IKEv2 fail - "unable to add SAD entry"/"Invalid argument (22)" error

CocoaPine

Hi all,

I'm trying to get an Android-derived mobile device to establish a new IPSec tunnel back to the pfSense box but I'm having quite a bit of trouble. Any help would be appreciated! Here's what I'm getting in the logs:

Feb 13 23:33:20	charon: 06[NET] <con1|8> sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
Feb 13 23:33:20	charon: 06[NET] sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
Feb 13 23:33:20	charon: 06[ENC] <con1|8> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
Feb 13 23:33:20	charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
Feb 13 23:33:20	charon: 06[KNL] unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
Feb 13 23:33:20	charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20	charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20	charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20	charon: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20	charon: 06[CHD] SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding outbound ESP SA
Feb 13 23:33:20	charon: 06[CHD] adding outbound ESP SA
Feb 13 23:33:20	charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20	charon: 06[KNL] unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20	charon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20	charon: 06[CHD] SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20	charon: 06[CHD] <con1|8> adding inbound ESP SA
Feb 13 23:33:20	charon: 06[CHD] adding inbound ESP SA
Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
Feb 13 23:33:20	charon: 06[CHD] using AES_XCBC_96 for integrity
Feb 13 23:33:20	charon: 06[CHD] <con1|8> using AES_CBC for encryption
Feb 13 23:33:20	charon: 06[CHD] using AES_CBC for encryption
Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
Feb 13 23:33:20	charon: 06[CFG] config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for other:
Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for other:
Feb 13 23:33:20	charon: 06[CFG] <con1|8> config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
Feb 13 23:33:20	charon: 06[CFG] config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
Feb 13 23:33:20	charon: 06[CFG] <con1|8> selecting traffic selectors for us:
Feb 13 23:33:20	charon: 06[CFG] selecting traffic selectors for us:
Feb 13 23:33:20	charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Feb 13 23:33:20	charon: 06[CFG] selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ</con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8></con1|8>

Everything before this point is successfully negotiating IKE phase 1, and everything after this point is just retransmitting informational messages and performing Dead Peer Detection.

The behavior on the mobile device is that it will hang saying it is trying to connect, until about 60 seconds then it times out and quits. At any point during those 60 seconds though, I can run "ipsec status" using the Diagnostics –> Command Prompt, and it shows something like this:

$ ipsec status
Shunted Connections:
   bypasslan:  192.168.1.0/24|/0 === 192.168.1.0/24|/0 PASS
Security Associations (1 up, 0 connecting):
        con1[9]: ESTABLISHED 14 seconds ago, 173.25.140.114[localID]...166.170.221.137[remoteID]

So clearly pfSense thinks the tunnel is established and it's trying to move on to phase 2.

It seems that these two messages are key to the problem I'm having:

• unable to add SAD entry with SPI 34348933: Invalid argument (22)

• failed to establish CHILD_SA, keeping IKE_SA

I believe I'm running into the issue that was fixed in StrongSwan bug #446 (see link below). I'd like to make sure that version 5.1.2 or later of StrongSwan is included in the latest pfSense. If it already is this version or later, then I'm guessing I'm running into a new bug with the "Invalid argument (22)" message. I can't seem to crank the logging up high enough to find out what arguments are actually being passed to the kernel though.

Here is my ipsec.conf file so you get an idea of my VPN configuration:

# This file is automatically generated. Do not edit
config setup
	uniqueids = yes

conn bypasslan
	leftsubnet = 192.168.1.0/24
	rightsubnet = 192.168.1.0/24
	authby = never
	type = passthrough
	auto = route

conn con1
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = yes
	rekey = yes
	installpolicy = yes

	compress = no
	tfc = no
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = 173.25.140.114
	right = %any
	leftid = fqdn:localID
	ikelifetime = 28800s
	rightsourceip = 172.16.0.0/24
	ike = aes256-sha256-modp1024!
	leftauth = psk
	rightauth = psk

Note that I manually added "compress = no" and "tfc = no" (also tried "tfc = 0") to this file as troubleshooting steps. I fully realize that ipsec.conf is automatically generated and these values will be overwritten next time I make a change; no problem, just wanted to see if they made a difference. I generated the Phase 1 config by going through the Mobile Clients tab first.

References that I've found so far:

• Official pfSense IPSec Troubleshooting document: https://doc.pfsense.org/index.php/IPsec_Troubleshooting

• StrongSwan mailing list entry where some guy ran into much the same thing I am, but didn't post what he did to get it to connect: https://lists.strongswan.org/pipermail/users/2013-April/004582.html

• StrongSwan bug #446: https://wiki.strongswan.org/issues/446

MaxHeadroom

Hi,

you have a setup with

leftsubnet = 192.168.1.0/24
rightsubnet = 192.168.1.0/24

you can't have two diffrent subnets with same  ip(range)

CocoaPine

Thank you for taking a crack at this issue. I don't actually need the 'bypasslan' connection so I went ahead and unchecked the "Auto-exclude LAN address" / "Enable bypass for LAN interface IP" check box in the IPSec Advanced Settings. This removes that whole 'bypasslan' section of the ipsec.conf and just leaves the default-named 'con1' connection left, which is the meat and potatoes of my attempt at configuring it. Scrolling down in that code block you'll see these two lines:

left = 173.25.140.114

and

rightsourceip = 172.16.0.0/24

Still getting the same behavior after doing this… Any other ideas?

MaxHeadroom

Oh sorry last time i did not  realize that you try to connect to a mobile android

For my android 5.1.1 with strongswan app  as a road warrior it looks like
( important part;  leftsub 0.0.0.0)

conn con3
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = yes
	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = xxx.xxx.xxx.xxx
	right = %any
	leftid = "C=xxx, ST=xxxx, L=xxxx, O=xxxx, E=postmaster@xxx, CN=xxxxxx"
	ikelifetime = 28800s
	lifetime = 3600s
	rightsourceip = 192.168.123.0/24
	ike = aes256-sha512-modp2048!
	esp = aes256-sha512!
	eap_identity=%identity
	leftauth=pubkey
	rightauth=eap-tls
	leftcert=/var/etc/ipsec/ipsec.d/certs/cert-3.crt
	leftsendcert=always
	rightca="/C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=postmaster@xxx/CN=xxx-internal-ca/"
	leftsubnet = 0.0.0.0/0

But maybe just remove all ipsec config and restart pfsense, i had this once wit a hanging ipsec tunnel…

regards max