iked(8) configuration

amnixed · Nov 8, 2021

Hello,

I'm trying to replicate a ShrewSoft client configuration from my Windows laptop to my FreeBSD 13 laptop. The ShrewSoft client on Windows works fine.

I have installed security/ike and I'm using the default config file supplied with the port. However, iked doesn't start:

Code:

# /usr/local/sbin/iked -d 6 -f /usr/local/etc/iked.conf
!! : socket set udp-encap non-ike option failed
daemon network configuration failed
 ( line 8, col 16 )

# cat /usr/local/etc/iked.conf
#
# sample client iked.conf file
#

daemon
{
    # bind to ports
    socket ike 500;
    socket natt 4500;

    # log output
    log_level debug;
    log_file "/var/log/iked.log";

#    pcap_decrypt "/var/log/ike-decrypt.pcap";
#    pcap_encrypt "/var/log/ike-encrypt.pcap";

    # retry settings
    retry_delay 10;
    retry_count 2;
}

There is nothing in the log file.

I'll appreciate any helpful pointers!

T-Daemon · Nov 8, 2021

Here is what I got on 13.0-RELEASE:

Code:

# iked -d 6 -f /usr/local/etc/iked.conf
ii : created ike socket 0.0.0.0:500
iked was compiled without NATT support ( line 9, col 18 )

Commenting out socket NATT4500; in iked.conf does start the daemon:

Code:

# iked -d 6 -f /usr/local/etc/iked.conf
ii : created ike socket 0.0.0.0:500
## : IKE Daemon, ver 2.2.1
## : Copyright 2013 Shrew Soft Inc.
## : This product linked OpenSSL 1.1.1k-freebsd  24 Aug 2021
ii : opened '/var/log/iked.log'

When NATT support is required, it needs to be enabled:

Code:

/usr/ports/security/ike # make showconfig

===> The following configuration options are available for ike-2.2.1_3:
     DEBUG=off: Build with debugging support
     LDAP=off: Enable LDAP XAuth daemon support
     NATT=off: Enable NAT-Traversal
===> Use 'make config' to modify these settings

T-Daemon · Nov 8, 2021

amnixed said:
!! : socket set udp-encap non-ike option failed

?

amnixed · Nov 9, 2021

Hello T-Daemon,

Thank you for the quick reply.

I have installed security/ike on another FreeBSD 13.0-STABLE machine. The build configuration is the same on both computers:

Code:

# make showconfig
===> The following configuration options are available for ike-2.2.1_3:
     DEBUG=on: Build with debugging support
     LDAP=off: Enable LDAP XAuth daemon support
     NATT=on: Enable NAT-Traversal
===> Use 'make config' to modify these settings

I get the same error whether the line

Code:

socket natt 4500

is commented out or not.

T-Daemon said:
?

Yes, it's the actual output:

Code:

!! : socket set udp-encap non-ike option failed

I also note that the port requires the kernel option

Code:

IPSEC_NAT_T

, but I can't find this option in either /usr/src/sys/conf/NOTES or /usr/src/sys/amd64/conf/NOTES. I guess this is a problem only once I have been able to start iked.

covacat · Nov 9, 2021

ipsec_nat_t is not required since freebsd 11
it is already in generic

T-Daemon · Nov 9, 2021

There is a closed but unresolved PR from 2017-07-29 in which the daemon fails to start with NATT enabled. After removing a code block from ike source code daemon starts, but it doesn't transmit any data. Try if removing the code block still doesn't transmit any data.

Current ike version 2.2.1 was released Jun 05 2013 and hasn't been updated since. If removing the code block still doesn't resolve the situation you could chime in the PR and report the problem still present on 13.0 so the PR can be reopened and maybe someone is willing to pick up the problem.

Not sure if there are alternatives to ike, if there are you might want to check out those instead.

221091 – security/ike: iked fails to run after FreeBSD 11.1 upgrade (socket set udp-encap non-ike option failed)

bugs.freebsd.org

amnixed · Nov 10, 2021

Very useful info, thank you! I can confirm that building the port with the option

Code:

NATT=off

iked does start, but without NATT it isn't very useful for me...