StrongSwan – gives error “no known IPsec stack detected, ignoring!”

ipsecvpn

I'm trying to connect to my university's VPN using strongSwan on Arch Linux. They have given example ipsec.conf and ipsec.secrets files and I've installed strongSwan from the AUR.

As far as I'm aware, I just need to run ipsec up UNI, where "UNI" is the name of the connection. But before that, when I run ipsec start I get the following output:

Starting strongSwan 5.5.0 IPsec [starter]...
no netkey IPsec stack detected
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!

If I search for this error message online all I can find are answers on FreeBSD mailing lists/forums saying don't worry, it's a Linux specific error, we FreeBSDers don't need to worry about it.

There doesn't seem to be a way of running ipsec with a more verbose output so I have no idea how to resolve the error. Any help would be much appreciated.

Best Answer

That legacy check looks for /proc/net/pfkey. If not found, the code tries to load the af_key module via modprobe and then checks again. However, the PF_KEYv2 interface provided by the af_key module is not used on Linux, by default. Instead, the Netlink/XFRM interface provided by the xfrm_user module is used. The starter process has no explicit check for that, though.

So if your kernel provides all required modules for IPsec and XFRM but just not the af_key module that's not a problem and you should be able to establish the connection just fine. As the message suggests, ignore these warnings and simply try to initiate the connection with ipsec up.

Related Solutions

IPSec over L2TP: received NO_PROPOSAL_CHOSEN error notify

When connecting as a Meraki Client VPN, it only supports protocols that have been removed from the Strongswan default protocol negotiation list (because the SWEET32 birthday attack is possible against some of these protocols) so you have to specify them explicitly (as you have).

If you install ike-scan and run it against your Meraki "server" sudo ipsec stop; sudo service xl2tpd stop; sudo ike-scan YOUR.SERVER.IP you can see what the default protocol is. I'm fairly confident it is 3des-sha1-modp1024 like you have above, though in my (NetworkManager) generated ipsec.conf I don't have the phase2 and phase2alg lines, but an esp.

Here is the snippet from my working config with the protocols:

  keyexchange=ikev1
  ike=3des-sha1-modp1024!
  esp=3des-sha1!

Sidenote: This probably doesn't matter for you since you are using the CLI, but I'm using a PPA for the NM plugin for L2TP from ppa:nm-l2tp/network-manager-l2tp and in my NetworkManager GUI it refers Phase 1 and Phase 2, but in the generated ipsec config those map to the ike and esp above. I used this blog post

IPsec VPN with strongSwan to FortiGate

I've blogged about that when I needed it last. The main trick is that Fortinet requires aggressive mode, so the configuration parameters need to match closely already in the beginning.

For reference, my configuration is

conn fortinet
    left=%any
    leftauth=psk
    leftid=""
    leftauth2=xauth
    xauth_identity="your username"
    leftsourceip=%config
    right=gateway IP address
    rightsubnet=VPN subnet
    rightauth=psk
    keyexchange=ikev1
    aggressive=yes
    ike=aes128-sha1-modp1536!
    esp=aes128-sha1-modp1536!
    auto=add

You also need to configure the PSK and XAUTH secrets.

This was 2016, so the ike and esp modes could have been updated to use longer keys -- note that I enforce a particular cipher for each.

Best Answer

Related Solutions

IPSec over L2TP: received NO_PROPOSAL_CHOSEN error notify

IPsec VPN with strongSwan to FortiGate

Related Question