[strongSwan] opnsense: conflicts with IKE traffic

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Tue Sep 11 22:27:41 CEST 2018


Hello Andrew,

On BSD, a route-based VPN has to be used, because it has no policy-based implementation (as far as I know).
Because IKE traffic must not go through the tunnel, a route to the IP of the peer has to exist that ensures the former.
Because of that, you can't establish tunnels with a TS where the remote IP is the IP of the peer.

Kind regards

Noel

On 09.09.18 at 16:43, Andrew Russell wrote:
> Hello, please can you advise on these errors from the opnsense ipsec log:
> 
> Sep  9 01:01:24 opnsense charon: 00[DMN] signal of type SIGINT received. Shutting down
> Sep  9 01:01:37 opnsense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, FreeBSD 11.1-RELEASE-p13, amd64)
> Sep  9 01:01:37 opnsense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
> Sep  9 01:01:37 opnsense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
> Sep  9 01:01:37 opnsense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> Sep  9 01:01:37 opnsense charon: 00[CFG]   loaded ca certificate "XXXXXXXXXXX"XXXXXXXXXXX"XXXXXXXXXXX"XXXXXXXXXXX'
> Sep  9 01:01:37 opnsense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> Sep  9 01:01:37 opnsense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
> Sep  9 01:01:37 opnsense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> Sep  9 01:01:37 opnsense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> Sep  9 01:01:37 opnsense charon: 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> Sep  9 01:01:37 opnsense charon: 00[CFG]   loaded IKE secret for XXXXXX at XXXXXX
> Sep  9 01:01:37 opnsense charon: 00[CFG] loaded 0 RADIUS server configurations
> Sep  9 01:01:37 opnsense charon: 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic whitelist addrblock counters
> Sep  9 01:01:37 opnsense charon: 00[JOB] spawning 16 worker threads
> Sep  9 01:01:37 opnsense charon: 05[CFG] received stroke: add connection 'con1'
> Sep  9 01:01:37 opnsense charon: 05[CFG] added configuration 'con1'
> Sep  9 01:01:37 opnsense charon: 16[CFG] received stroke: route 'con1'
> Sep  9 01:01:37 opnsense charon: 16[KNL] can't install route for 192.168.2.0/24 === XXX.XXX.XXX.XXX/32 out, conflicts with IKE traffic
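As an added example (not code from the thread or from strongSwan), a small Python check that parses the refusal line charon logs above and flags child-SA remote traffic selectors that cover the peer's own IKE address, which is the condition Noel describes. The peer address 203.0.113.10 and the selector lists are constructed sample values.

```python
import ipaddress
import re

# Matches the kernel-interface refusal seen in the quoted log (constructed regex,
# written against the wording of the line above).
ROUTE_CONFLICT_RE = re.compile(
    r"\[KNL\] can't install route for (?P<src>\S+) === (?P<dst>\S+) out, "
    r"conflicts with IKE traffic"
)


def parse_route_conflict(line: str):
    """Return (local_ts, remote_ts) for a route-conflict refusal line, else None."""
    m = ROUTE_CONFLICT_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst")


def ts_conflicts_with_ike(remote_ts: str, peer_ip: str) -> bool:
    """True when the remote traffic selector contains the peer's IKE address.

    With a route-based setup the kernel route for that selector would also
    capture the IKE packets (UDP 500/4500) to the peer, so charon refuses it.
    """
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(remote_ts, strict=False)


def check_child_config(peer_ip: str, remote_selectors):
    """Return the remote selectors that would swallow IKE traffic to peer_ip."""
    return [ts for ts in remote_selectors if ts_conflicts_with_ike(ts, peer_ip)]


# Constructed sample log line (peer address is a documentation address, not the
# redacted one from the original post).
SAMPLE_LOG = (
    "Sep  9 01:01:37 opnsense charon: 16[KNL] can't install route for "
    "192.168.2.0/24 === 203.0.113.10/32 out, conflicts with IKE traffic"
)

if __name__ == "__main__":
    print(parse_route_conflict(SAMPLE_LOG))
    print(check_child_config("203.0.113.10", ["203.0.113.10/32", "10.20.0.0/16"]))
```

Running `check_child_config` against a planned configuration before loading it shows which selectors will be refused with this message.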
