strongSwan configuration on FreeBSD 8.1

Hi all,

I have some trouble using strongSwan 4.4.0 on FreeBSD 8.1. I've already recompiled the kernel with
Code:
options IPSEC
device  crypto

Yet I cannot start the daemon because the system cannot identify any IPsec stack.

The actual console messages are:

Code:
Starting strongSwan 4.4.0 IPsec [starter]...
charon is already running (/var/run/charon.pid exists) -- skipping charon start
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
starter is already running (/var/run/starter.pid exists) -- no fork done

Hope experienced users can help me solve this problem.

Thanks a lot in advance.
 
Hi,

I have the same problem with strongSwan 4.5.0.

Can you explain how to "enable FreeBSD-specific IPSEC stack support"?
 
Hi, if you are not limited to using FreeBSD as the OS, you can choose to use openSUSE, because they have the binary code there, which is easy to install and can be started with no problem. ;)
 
And if you are not limited with money, you can take Windows Server, because it has the binary code there, which is easy to install and can be started with no problem.

Geez.x(
 
Right, instead of throwing non-solutions around, why not test, and report back on, the solution that was gracefully posted by dulemars, people?
 
Thank you for the answers. I compiled the kernel with the following options:
Code:
options IPSEC
device crypto
Then I typed the command /sbin/sysctl -a | grep ipsec:
Code:
net.inet.ipsec.def_policy: 1
net.inet.ipsec.esp_trans_deflev: 1
net.inet.ipsec.esp_net_deflev: 1
net.inet.ipsec.ah_trans_deflev: 1
net.inet.ipsec.ah_net_deflev: 1
net.inet.ipsec.ah_cleartos: 1
net.inet.ipsec.ah_offsetmask: 0
net.inet.ipsec.dfbit: 0
net.inet.ipsec.ecn: 0
net.inet.ipsec.debug: 0
net.inet.ipsec.filtertunnel: 0
net.inet.ipsec.crypto_support: 50331648
net.inet6.ipsec6.def_policy: 1
net.inet6.ipsec6.esp_trans_deflev: 1
net.inet6.ipsec6.esp_net_deflev: 1
net.inet6.ipsec6.ah_trans_deflev: 1
net.inet6.ipsec6.ah_net_deflev: 1
net.inet6.ipsec6.ecn: 0
net.inet6.ipsec6.debug: 0
net.inet6.ipsec6.filtertunnel: 0

Then ipsec start:
Code:
Starting strongSwan 4.5.0 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

I have tried the precompiled package strongswan-4.4.0.tbz, and I compiled strongswan-4.5.0.tar.gz with the options from http://wiki.strongswan.org/wiki/1/FreeBSD.

It doesn't work.

Does anybody have any new suggestions?
 
Maybe you should try strongSwan 4.4.0 from FreeBSD ports, if there isn't any particular reason why you have to use 4.5.0? I can't test your setup at the moment, but I'll try it in a few days, when my job allows me...
 
A little old, but in case someone finds this like me...

Known Problems

Starter does not yet use the modular kernel interfaces, thus, when it tries to detect an IPsec stack it fails:

Starting strongSwan 4.x.x IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

Fortunately, this detection is not really needed on FreeBSD, so simply ignore this message.

http://wiki.strongswan.org/projects/strongswan/wiki/FreeBSD
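
The checks discussed in this thread, gathered into one script as an added example (not code from strongSwan or from any poster): it separates a kernel without IPsec, a leftover pid file that makes starter skip a daemon, and the stack-detection warning the wiki says to ignore. The function names and verdict strings are this example's own, and the sample input is built from the output posted above.

```shell
#!/bin/sh
# Added example: triage the strongSwan starter messages quoted in this thread.
# Function names and verdict strings are this example's own, not strongSwan's.

# stdin = `sysctl -a` output; succeeds if the net.inet.ipsec tree is present,
# as it is after the kernel rebuild with "options IPSEC" shown in the thread.
kernel_has_ipsec() {
    grep -q '^net\.inet\.ipsec\.'
}

# stale_pidfile FILE: succeeds if FILE exists but names no live process.
# Run as root: kill -0 on another user's process fails and would look stale.
stale_pidfile() {
    [ -f "$1" ] || return 1
    pid=$(tr -cd '0-9' < "$1")
    [ -n "$pid" ] || return 0
    ! kill -0 "$pid" 2>/dev/null
}

# triage SYSCTL_TEXT STARTER_TEXT: print one verdict for the captured output.
triage() {
    if ! printf '%s\n' "$1" | kernel_has_ipsec; then
        echo "kernel-missing-ipsec"
    elif printf '%s\n' "$2" | grep -q 'pid exists'; then
        echo "check-pidfiles"            # starter skipped a daemon; run stale_pidfile
    elif printf '%s\n' "$2" | grep -q 'no known IPsec stack detected'; then
        echo "benign-detection-warning"  # the wiki's "Known Problems" case
    else
        echo "ok"
    fi
}

# Sample input: lines taken from the output posted in the thread.
SAMPLE_SYSCTL='net.inet.ipsec.def_policy: 1
net.inet.ipsec.crypto_support: 50331648'
SAMPLE_STARTER='Starting strongSwan 4.5.0 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!'

triage "$SAMPLE_SYSCTL" "$SAMPLE_STARTER"
```

On a live system, feed `triage` the real `sysctl -a` and `ipsec start` output, and run `stale_pidfile` on /var/run/charon.pid and /var/run/starter.pid when the verdict is check-pidfiles.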
 