IKEv2 fail - "unable to add SAD entry"/"Invalid argument (22)" error
-
Hi all,
I'm trying to get an Android-derived mobile device to establish a new IPSec tunnel back to the pfSense box but I'm having quite a bit of trouble. Any help would be appreciated! Here's what I'm getting in the logs:
Feb 13 23:33:20 charon: 06[NET] <con1|8> sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
Feb 13 23:33:20 charon: 06[NET] sending packet: from 173.25.140.114[4500] to 166.170.221.137[1638] (224 bytes)
Feb 13 23:33:20 charon: 06[ENC] <con1|8> generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
Feb 13 23:33:20 charon: 06[ENC] generating IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR U_DEFDOM U_SPLITDNS U_BANNER U_PFS) N(AUTH_LFT) N(NO_PROP) ]
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20 charon: 06[KNL] unable to delete SAD entry with SPI 34348933: No such file or directory (2)
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
Feb 13 23:33:20 charon: 06[KNL] unable to delete SAD entry with SPI c80b247d: No such file or directory (2)
Feb 13 23:33:20 charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20 charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20 charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20 charon: 06[IKE] unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20 charon: 06[KNL] unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20 charon: 06[CHD] <con1|8> SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20 charon: 06[CHD] SPI 0x34348933, src 173.25.140.114 dst 166.170.221.137
Feb 13 23:33:20 charon: 06[CHD] <con1|8> adding outbound ESP SA
Feb 13 23:33:20 charon: 06[CHD] adding outbound ESP SA
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20 charon: 06[KNL] unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20 charon: 06[CHD] <con1|8> SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20 charon: 06[CHD] SPI 0xc80b247d, src 166.170.221.137 dst 173.25.140.114
Feb 13 23:33:20 charon: 06[CHD] <con1|8> adding inbound ESP SA
Feb 13 23:33:20 charon: 06[CHD] adding inbound ESP SA
Feb 13 23:33:20 charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
Feb 13 23:33:20 charon: 06[CHD] using AES_XCBC_96 for integrity
Feb 13 23:33:20 charon: 06[CHD] <con1|8> using AES_CBC for encryption
Feb 13 23:33:20 charon: 06[CHD] using AES_CBC for encryption
Feb 13 23:33:20 charon: 06[CFG] <con1|8> config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
Feb 13 23:33:20 charon: 06[CFG] config: 172.16.0.1/32|/0, received: 0.0.0.0/0|/0 => match: 172.16.0.1/32|/0
Feb 13 23:33:20 charon: 06[CFG] <con1|8> selecting traffic selectors for other:
Feb 13 23:33:20 charon: 06[CFG] selecting traffic selectors for other:
Feb 13 23:33:20 charon: 06[CFG] <con1|8> config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
Feb 13 23:33:20 charon: 06[CFG] config: 173.25.140.114/32|/0, received: 0.0.0.0/0|/0 => match: 173.25.140.114/32|/0
Feb 13 23:33:20 charon: 06[CFG] <con1|8> selecting traffic selectors for us:
Feb 13 23:33:20 charon: 06[CFG] selecting traffic selectors for us:
Feb 13 23:33:20 charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Feb 13 23:33:20 charon: 06[CFG] selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
Everything before this point is successfully negotiating IKE phase 1, and everything after this point is just retransmitting informational messages and performing Dead Peer Detection.
The behavior on the mobile device is that it will hang saying it is trying to connect, until about 60 seconds then it times out and quits. At any point during those 60 seconds though, I can run "ipsec status" using the Diagnostics –> Command Prompt, and it shows something like this:
$ ipsec status
Shunted Connections:
     bypasslan:  192.168.1.0/24|/0 === 192.168.1.0/24|/0 PASS
Security Associations (1 up, 0 connecting):
        con1[9]: ESTABLISHED 14 seconds ago, 173.25.140.114[localID]...166.170.221.137[remoteID]
So clearly pfSense thinks the tunnel is established and it's trying to move on to phase 2.
It seems that these two messages are key to the problem I'm having:
-
unable to add SAD entry with SPI 34348933: Invalid argument (22)
-
failed to establish CHILD_SA, keeping IKE_SA
I believe I'm running into the issue that was fixed in StrongSwan bug #446 (see link below). I'd like to make sure that version 5.1.2 or later of StrongSwan is included in the latest pfSense. If it already is this version or later, then I'm guessing I'm running into a new bug with the "Invalid argument (22)" message. I can't seem to crank the logging up high enough to find out what arguments are actually being passed to the kernel though.
Here is my ipsec.conf file so you get an idea of my VPN configuration:
# This file is automatically generated. Do not edit
config setup
	uniqueids = yes

conn bypasslan
	leftsubnet = 192.168.1.0/24
	rightsubnet = 192.168.1.0/24
	authby = never
	type = passthrough
	auto = route

conn con1
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = yes
	rekey = yes
	installpolicy = yes
	compress = no
	tfc = no
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = 173.25.140.114
	right = %any
	leftid = fqdn:localID
	ikelifetime = 28800s
	rightsourceip = 172.16.0.0/24
	ike = aes256-sha256-modp1024!
	leftauth = psk
	rightauth = psk
Note that I manually added "compress = no" and "tfc = no" (also tried "tfc = 0") to this file as troubleshooting steps. I fully realize that ipsec.conf is automatically generated and these values will be overwritten next time I make a change; no problem, just wanted to see if they made a difference. I generated the Phase 1 config by going through the Mobile Clients tab first.
References that I've found so far:
-
Official pfSense IPSec Troubleshooting document: https://doc.pfsense.org/index.php/IPsec_Troubleshooting
-
StrongSwan mailing list entry where some guy ran into much the same thing I am, but didn't post what he did to get it to connect: https://lists.strongswan.org/pipermail/users/2013-April/004582.html
-
StrongSwan bug #446: https://wiki.strongswan.org/issues/446
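As an added example (not part of the original post, and not pfSense or strongSwan code), a small Python parser that groups charon log lines by IKE_SA tag and correlates each failed SAD install with the ESP proposal negotiated for that SA. Errno 22 is EINVAL, the kernel refusing the SA's parameters, so the script points at the negotiated algorithms as the first thing to verify against what the kernel supports; the sample lines are copied from the log above and the diagnosis text is the script's own heuristic, not a strongSwan message.

```python
import re
from collections import defaultdict

# Constructed sample: charon lines copied from the post above (newest first,
# as pfSense displays them). Untagged duplicate copies are omitted here.
SAMPLE_LOG = """\
Feb 13 23:33:20 charon: 06[IKE] <con1|8> failed to establish CHILD_SA, keeping IKE_SA
Feb 13 23:33:20 charon: 06[IKE] <con1|8> unable to install inbound and outbound IPsec SA (SAD) in kernel
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to add SAD entry with SPI 34348933: Invalid argument (22)
Feb 13 23:33:20 charon: 06[KNL] <con1|8> unable to add SAD entry with SPI c80b247d: Invalid argument (22)
Feb 13 23:33:20 charon: 06[CHD] <con1|8> using AES_XCBC_96 for integrity
Feb 13 23:33:20 charon: 06[CHD] <con1|8> using AES_CBC for encryption
Feb 13 23:33:20 charon: 06[CFG] <con1|8> selected proposal: ESP:AES_CBC_128/AES_XCBC_96/NO_EXT_SEQ
"""

LINE_RE = re.compile(r"charon: \d+\[(?P<grp>[A-Z]+)\] <(?P<sa>[^>]+)> (?P<msg>.*)$")
SAD_RE = re.compile(r"unable to add SAD entry with SPI (?P<spi>[0-9a-f]+): (?P<err>.*) \((?P<errno>\d+)\)")
PROP_RE = re.compile(r"selected proposal: (?P<prop>ESP:\S+)")
ALG_RE = re.compile(r"using (?P<alg>\S+) for (?P<role>encryption|integrity)")

def analyse(log):
    """Group charon lines by IKE_SA tag (e.g. con1|8) and record, per SA,
    the failed SAD installs, the selected ESP proposal and the algorithms."""
    per_sa = defaultdict(lambda: {"failed_spis": {}, "proposal": None, "algs": {}})
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # lines without an <SA> tag (untagged copies) carry nothing new
        rec, msg = per_sa[m["sa"]], m["msg"]
        if s := SAD_RE.search(msg):
            rec["failed_spis"][s["spi"]] = int(s["errno"])
        elif p := PROP_RE.search(msg):
            rec["proposal"] = p["prop"]
        elif a := ALG_RE.search(msg):
            rec["algs"][a["role"]] = a["alg"]
    return dict(per_sa)

def diagnose(rec):
    """Heuristic verdict for one SA: EINVAL on every SAD add means the kernel
    rejected the SA parameters, so the negotiated algorithms are suspect."""
    if not rec["failed_spis"]:
        return "no SAD install failures"
    if all(e == 22 for e in rec["failed_spis"].values()):
        return (f"kernel rejected SA parameters (EINVAL) for proposal {rec['proposal']}; "
                f"check that the kernel supports {rec['algs'].get('integrity')} integrity and "
                f"{rec['algs'].get('encryption')} encryption, or pin an explicit esp= proposal")
    return "SAD install failed: " + ", ".join(f"{k}=errno {v}" for k, v in rec["failed_spis"].items())
```

Run `diagnose(rec)` on each entry of `analyse(log_text)`; feeding it the full log from the post yields one record for `con1|8` with both SPIs failing with errno 22.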
-
-
Hi,
You have a setup with
leftsubnet = 192.168.1.0/24
rightsubnet = 192.168.1.0/24
You can't have two different subnets with the same IP (range).
-
Thank you for taking a crack at this issue. I don't actually need the 'bypasslan' connection so I went ahead and unchecked the "Auto-exclude LAN address" / "Enable bypass for LAN interface IP" check box in the IPSec Advanced Settings. This removes that whole 'bypasslan' section of the ipsec.conf and just leaves the default-named 'con1' connection left, which is the meat and potatoes of my attempt at configuring it. Scrolling down in that code block you'll see these two lines:
left = 173.25.140.114
and
rightsourceip = 172.16.0.0/24
Still getting the same behavior after doing this… Any other ideas?
-
Oh sorry, last time I did not realize that you are trying to connect a mobile Android device.
For my Android 5.1.1 with the strongSwan app as a road warrior it looks like this (important part: leftsubnet = 0.0.0.0/0):
conn con3
	fragmentation = yes
	keyexchange = ikev2
	reauth = yes
	forceencaps = no
	mobike = yes
	rekey = yes
	installpolicy = yes
	type = tunnel
	dpdaction = clear
	dpddelay = 10s
	dpdtimeout = 60s
	auto = add
	left = xxx.xxx.xxx.xxx
	right = %any
	leftid = "C=xxx, ST=xxxx, L=xxxx, O=xxxx, E=postmaster@xxx, CN=xxxxxx"
	ikelifetime = 28800s
	lifetime = 3600s
	rightsourceip = 192.168.123.0/24
	ike = aes256-sha512-modp2048!
	esp = aes256-sha512!
	eap_identity = %identity
	leftauth = pubkey
	rightauth = eap-tls
	leftcert = /var/etc/ipsec/ipsec.d/certs/cert-3.crt
	leftsendcert = always
	rightca = "/C=xxx/ST=xxx/L=xxx/O=xxx/emailAddress=postmaster@xxx/CN=xxx-internal-ca/"
	leftsubnet = 0.0.0.0/0
But maybe just remove all IPsec config and restart pfSense; I had this once with a hanging IPsec tunnel…
Regards, max