[strongSwan] 5.0.1rc1 and FreeBSD

Tobias Brunner tobias at strongswan.org
Thu Sep 27 12:51:18 CEST 2012

Hi David,

> The first was some simple compile errors which I think I fixed in the
> attached patch.

Thanks, applied to master.

> On startup I get the following messages:
> 00[DMN] Starting IKE charon daemon (strongSwan 5.0.1rc1, FreeBSD 
> 9.0-RELEASE-p4, amd64)
> 00[KNL] unable to set UDP_ENCAP: Invalid argument
> 00[NET] enabling UDP decapsulation failed

This happens when the NAT-T IPv6 socket is opened and the daemon tries
to enable UDP en-/decapsulation for that port.  Linux supports this for
IPv6, FreeBSD apparently not.  The patch at [1] improves the error
message if this fails.  As long as it works for IPv4 (requires the
kernel to be built with the IPSEC_NAT_T option) this should be fine.

> 03[NET] received packet: from[500] to[500]
> 03[KNL] is not a local address or the interface is down
> 03[NET] received packet from[500] to[500] on 
> ignored interface

This is caused by a new check for inbound packets which together with
the new options charon.interfaces_ignore and charon.interfaces_use allow
one to ignore specific interfaces.  Unfortunately, the map used for this
check in kernel-pfroute was not properly initialized, see [2] for a
patch.  Actually, the patch at [3] avoids the check altogether if the
above options are not used.


[1] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=45178362
[2] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=9845391a
[3] http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=2e2feffb

More information about the Users mailing list