StrongSWAN error: unable to install inbound and outbound IPsec SA (SAD) in kernel

I’m trying to set up a site-to-site VPN connection between the Turris and a Fritz!Box 7490. I’ve gotten to the point that the connection seems to be established, but StrongSWAN fails to load some stuff into the kernel.

The console output is:

generating QUICK_MODE request 1206673144 [ HASH SA No KE ID ID ]
sending packet: from LOCAL_IP[500] to REMOTE_IP[500] (308 bytes)
received packet: from REMOTE_IP[500] to LOCAL_IP[500] (292 bytes)
parsed QUICK_MODE response 1206673144 [ HASH SA No KE ID ID ]
received netlink error: No such file or directory (2)
unable to add SAD entry with SPI cf94fd61
received netlink error: No such file or directory (2)
unable to add SAD entry with SPI 939a5d3b
unable to install inbound and outbound IPsec SA (SAD) in kernel
generating INFORMATIONAL_V1 request 1179177243 [ HASH N(NO_PROP) ]
sending packet: from LOCAL_IP[500] to REMOTE_IP[500] (76 bytes)
establishing connection 'FRITZBOX' failed

My ipsec.conf:
config setup
    #uniqueids=no
    charondebug="ike 2, knl 2, cfg 2, mgr 2, chd 2, dmn 2, esp 2, lib 5, tnc 2"

conn %default
    ike=3des-sha-modp1024
    esp=3des-sha1-modp1024
    ikelifetime=60m
    keylife=60m
    keyexchange=ikev1
    #compress=no

conn FRITZBOX
    aggressive=no
    auto=add
    authby=secret
    #
    left=LOCAL_FQDN
    leftsubnet=192.168.1.0/24
    #
    right=REMOTE_FDQN
    rightid=@REMOTE_FDQN
    rightsubnet=192.168.0.0/24

Is anyone successfully running StrongSWAN on the Turris?
Any ideas what the problem might be?

br Christian

missing crypto modules, maybe?

Second guess: xfrm modules not loaded. These get loaded on boot normally. Packages are kmod-ipsec4 for IPv4 and kmod-ipsec6 for IPv6. These packages automatically install the crypto packages through dependencies.

I checked my kernel modules and all of the modules on this list are loaded, except “deflate” and “xfrm_user”. I could not find those two modules in any package.

Originally, I installed the meta package “strongswan-full” and it seems that all of these modules are installed along with this.

How can I figure out what StrongSWAN is trying to do, that causes the error message “No such file or directory”?
I did not see anything useful in /var/log/messages…

That page explains how to figure out which modules StrongSWAN tries to load:
https://digitalenginesoftware.com/blog/archives/67-Troubleshooting-OpenSwan-with-NETKEY.html

That gives me this list of modules:

crypto-blowfish
crypto-blowfish-all
crypto-camellia
crypto-camellia-all
crypto-cast5
crypto-cast5-all
crypto-cbc
crypto-ctr
crypto-echainiv
crypto-rfc3686
crypto-stdrng
crypto-stdrng-all
crypto-xcbc

All of these are either loaded already or I could not find them in any package either :frowning:

Maybe loading the authenc modules fixes your issue like it is mentioned here https://forum.openwrt.org/viewtopic.php?id=48447.

During my testing with Chaos Calmer strongswan I needed this in the connection settings:

leftfirewall=yes
lefthostaccess=yes

and this additional firewall rule

iptables -t nat -A postrouting_rule -m policy --dir out --pol ipsec --proto esp -j ACCEPT

I never got traffic shaping working with strongswan. I used sqm qos and not wondershaper, and it always applied the ipsec packets twice for bandwidth management, so the max ipsec bandwidth was always half of the defined max bandwidth.

Hi @achim71,

yes it seems these kernel modules are missing:

chainiv
krng
rng

But where can I get them from?
opkg search chainiv did not return anything

kmod-crypto-iv and kmod-crypto-rng is what I have on my router.

Yep, I have these packages installed too, but they only contain the scripts to load the modules but not the modules themselves:

root@turris:~# opkg files kmod-crypto-iv
Package kmod-crypto-iv (4.4.13+7-1-05df79f63527051ea0071350f86faf76-7) is installed on root and has the following files:
/etc/modules.d/10-crypto-iv

root@turris:~# cat  /etc/modules.d/10-crypto-iv
eseqiv
chainiv

So I guess the packages are broken…

Do you know where to file bug reports? I did not find a bug tracker around here…

Seems the package is broken in the turris repo.

This is the package from the openwrt repo:

opkg files kmod-crypto-iv
Package kmod-crypto-iv (3.18.23-1) is installed on root and has the following files:
/etc/modules.d/10-crypto-iv
/lib/modules/3.18.23/chainiv.ko
/lib/modules/3.18.23/eseqiv.ko
opkg files kmod-crypto-rng
Package kmod-crypto-rng (3.18.23-1) is installed on root and has the following files:
/lib/modules/3.18.23/rng.ko
/etc/modules.d/09-crypto-rng
/lib/modules/3.18.23/krng.ko

I’d post an issue on the git repo

Done: https://github.com/CZ-NIC/turris-os/issues/5

It could be that those modules are built in. I grabbed the git tree, and if I add the strongswan packages, the iv and rng packages are marked as built-in and not as separate kernel modules.

Better would be to email them this issue to: tech.support(at)turris(dot)cz

Meanwhile, until it is fixed, you can download these packages directly from OpenWRT and hope that it will work :smiley:
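
The manual check from the posts above (compare the names in /etc/modules.d with what is loaded, built in, or present as a .ko file), written as a script. This is an added example, not part of the original thread; the function names and the ROOT and KVER arguments are assumptions for illustration, and modules.builtin is only consulted if the image ships it.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT and KVER arguments are assumptions
# so that an unpacked firmware image can be checked as well as the live system.

module_state() {  # usage: module_state NAME [ROOT] [KVER]
    name=$(printf '%s' "$1" | tr '-' '_')   # kernel reports '-' as '_'
    root=${2:-}
    kver=${3:-$(uname -r)}
    moddir="$root/lib/modules/$kver"
    if [ -r "$root/proc/modules" ] && grep -q "^$name " "$root/proc/modules"; then
        echo loaded; return 0
    fi
    # modules.builtin exists only if the image ships it
    if [ -r "$moddir/modules.builtin" ] &&
       tr '-' '_' < "$moddir/modules.builtin" | grep -q "/$name\.ko\$"; then
        echo builtin; return 0
    fi
    for f in $(find "$moddir" -name '*.ko' 2>/dev/null); do
        if [ "$(basename "$f" .ko | tr '-' '_')" = "$name" ]; then
            echo on-disk; return 0
        fi
    done
    echo missing
}

audit_modules_d() {  # usage: audit_modules_d [ROOT] [KVER]
    root=${1:-}
    for list in "$root"/etc/modules.d/*; do
        [ -f "$list" ] || continue
        # First field is the module name, the rest are load parameters
        while read -r mod rest || [ -n "$mod" ]; do
            case $mod in ''|'#'*) continue ;; esac
            echo "$(basename "$list") $mod $(module_state "$mod" "$root" "${2:-}")"
        done < "$list"
    done
}

# With no arguments this audits the running system.
audit_modules_d "${1:-}" "${2:-}"
```

A name reported as missing is listed for loading at boot but has no module file, is not loaded, and is not recorded as built in, which is the state the kmod-crypto-iv listing above shows.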

Tried that and I did not find any precompiled modules for kernel 4.4.13 in OpenWRT.

Tried my Chaos Calmer config on the turris router and also received your error messages.
Found that thread https://lists.strongswan.org/pipermail/users/2013-August/005104.html
So I installed strongswan-mod-kernel-libipsec and now I can ping the remote subnet from the turris router.
I’m using ike2 and x509 certs so my config is different.

@achim71, you’re a genius! That also solves my problem :slight_smile:
I can now ping my other subnet from my turris.

Thx!

Never mind, I would have run into that problem in a few days anyway. :slight_smile:
With that libipsec module the ipsec0 interface is back, hope it works like openswan again, which was much easier to configure in regards to routing.

The routing is quite simple (for my site-to-site use case), you can do everything in LuCI:

  1. Go to Network -> Interfaces and “add new interface”
  2. Set protocol to “unmanaged” and select your ipsec0 device
  3. In “Firewall settings” add a new zone, I’m using “vpn” as name
  4. Go to Network -> Firewall and edit your new “vpn” zone
  5. Allow all traffic from lan to vpn and from vpn to lan.
  6. Save & apply

That should be it.

With these settings it works from the turris router to the other router and the other subnet, and from the other router to the turris router. Everything else (other subnet to turris and local subnet, and other router to local subnet) gives me Destination Port unreachable atm. Gotta set up a proper test environment tomorrow.
Also libipsec does not seem to be as performant as the kernel implementation.
https://wiki.strongswan.org/projects/strongswan/wiki/Kernel-libipsec

I shudder when I see ipsecX virtual interfaces. Am I alone or are there others out there like me?