Bug #566
Can't use virtual IP on FreeBSD "failed to set address on tun1: Invalid argument"
Description
Hi,
I'm trying to set up a simple road-warrior client on FreeBSD 10-stable.
All IKE seems OK, but there is a problem during IP address setup on the tun interface that prevents connecting.
Log file here:
[root@router]/usr/local/etc# ipsec up home
initiating IKE_SA home[2] to 10.0.23.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 10.0.34.4[500] to 10.0.23.2[500] (924 bytes)
received packet: from 10.0.23.2[500] to 10.0.34.4[500] (440 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
authentication of 'R4' (myself) with pre-shared key
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH CPRQ(ADDR DNS) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 10.0.34.4[4500] to 10.0.23.2[4500] (460 bytes)
received packet: from 10.0.23.2[4500] to 10.0.34.4[4500] (204 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH CPRP(ADDR) N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
authentication of 'R2' with pre-shared key successful
IKE_SA home[2] established between 10.0.34.4[R4]...10.0.23.2[R2]
scheduling reauthentication in 3420s
maximum IKE_SA lifetime 3600s
installing new virtual IP 1.1.1.1
created TUN device: tun1
failed to set address on tun1: Invalid argument
installing virtual IP 1.1.1.1 failed
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
received AUTH_LIFETIME of 3367s, scheduling reauthentication in 3187s
peer supports MOBIKE
establishing connection 'home' failed

[root@router]/usr/local/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.1, FreeBSD 10.0-STABLE, amd64):
  uptime: 50 seconds, since Apr 12 00:38:48 2014
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf xcbc cmac hmac attr kernel-pfkey kernel-pfroute resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-ttls eap-peap whitelist addrblock
Listening IP addresses:
  10.0.34.4
  2001:db8:34::4
  10.0.45.4
  2001:db8:45::4
Connections:
  home:  %any...10.0.23.2  IKEv2
  home:   local:  [R4] uses pre-shared key authentication
  home:   remote: [R2] uses pre-shared key authentication
  home:   child:  dynamic === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
  home[2]: ESTABLISHED 31 seconds ago, 10.0.34.4[R4]...10.0.23.2[R2]
  home[2]: IKEv2 SPIs: f7115afe56d89157_i* ac77c2a57c381c6a_r, pre-shared key reauthentication in 52 minutes
  home[2]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
History
#1 Updated by Olivier Cochard-Labbe over 11 years ago
FreeBSD needs, like Apple, a source and a destination IP address configured on the tun interface.
But it needs to be configured at the same time too, like that:

    /* source and destination are set in one request; for a single virtual IP the
     * same address is used for both */
    memcpy(&ifr.ifr_addr, addr->get_sockaddr(addr), *addr->get_sockaddr_len(addr));
    memcpy(&ifr.ifr_dstaddr, addr->get_sockaddr(addr), *addr->get_sockaddr_len(addr));
    if (ioctl(this->sock, SIOCSIFPHYADDR, &ifr) < 0)

Here is an example from FreeBSD's ifconfig code:
http://svnweb.freebsd.org/base/head/sbin/ifconfig/af_inet.c?revision=228574&view=markup#l176
#2 Updated by Tobias Brunner over 11 years ago
- Tracker changed from Issue to Bug
- Status changed from New to Closed
- Assignee set to Tobias Brunner
- Target version set to 5.2.0
- Resolution set to Fixed
> FreeBSD needs, like Apple, a source and a destination IP address configured on the tun interface.

Indeed, FreeBSD 10 requires a destination address on TUN devices.
But that's actually only part of the problem. The logged error occurs because FreeBSD 10 deprecated the SIOCSIFADDR and SIOCSIFNETMASK commands we use to set the address and netmask (which worked fine on FreeBSD 9, which also doesn't require a destination address). Instead, FreeBSD 10 supports the SIOCAIFADDR and SIOCDIFADDR commands to add and remove an address on an interface.
The associated commit fixes the issue.
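As an added example (not strongSwan's code and not the commit referenced above), the following C puts the two ways of assigning an IPv4 address to a TUN interface side by side: the single SIOCAIFADDR that FreeBSD 10 expects, carrying address, destination and netmask together in one struct ifaliasreq, and the older SIOCSIFADDR / SIOCSIFDSTADDR / SIOCSIFNETMASK sequence (compiled here for Linux, where it still works, much as it did on FreeBSD 9). The names tun_v4_config, tun_v4_config_init, tun_v4_apply and tun_v4_selftest are this example's own; the interface name tun1 and virtual IP 1.1.1.1 come from the report, while the /32 mask and the 10.0.0.x address pair are constructed. The request member naming (ifra_broadaddr, which <netinet/in_var.h> also exposes as ifra_dstaddr) is taken from FreeBSD's headers, not from this page.

```c
/* Added example, not strongSwan code: set an IPv4 address on a TUN device the
 * way FreeBSD 10 expects it: one SIOCAIFADDR carrying address, destination
 * (TUN is point-to-point) and netmask, instead of the deprecated
 * SIOCSIFADDR/SIOCSIFNETMASK pair. Interface and address values are constructed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* glibc: expose struct ifreq members such as ifr_netmask */
#endif
#include <errno.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <arpa/inet.h>

struct tun_v4_config {
    char ifname[IFNAMSIZ];
    struct in_addr addr;  /* local (virtual) IP */
    struct in_addr dst;   /* destination; FreeBSD 10 refuses a TUN address without one */
    struct in_addr mask;
};

/* Network-order netmask from a prefix length; -1 on an out-of-range prefix. */
int prefix_to_mask(int prefix, struct in_addr *mask)
{
    if (prefix < 0 || prefix > 32) return -1;
    if (mask) mask->s_addr = prefix ? htonl(0xffffffffu << (32 - prefix)) : 0;
    return 0;
}

/* Validate inputs and fill cfg. dst == NULL means "destination = address",
 * which is what the snippet in comment #1 does for a single virtual IP. */
int tun_v4_config_init(struct tun_v4_config *cfg, const char *ifname,
                       const char *addr, const char *dst, int prefix)
{
    memset(cfg, 0, sizeof(*cfg));
    if (!ifname || strlen(ifname) >= IFNAMSIZ || !addr) return -1;
    memcpy(cfg->ifname, ifname, strlen(ifname));   /* zero-filled, so NUL-terminated */
    if (inet_pton(AF_INET, addr, &cfg->addr) != 1) return -1;
    if (dst == NULL) cfg->dst = cfg->addr;
    else if (inet_pton(AF_INET, dst, &cfg->dst) != 1) return -1;
    return prefix_to_mask(prefix, &cfg->mask);
}

/* Write an AF_INET sockaddr into one of the request's sockaddr slots. */
static void fill_sin(struct sockaddr *sa, struct in_addr a)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
#ifdef __FreeBSD__
    sin.sin_len = sizeof(sin);  /* BSD sockaddrs carry their own length */
#endif
    sin.sin_addr = a;
    memcpy(sa, &sin, sizeof(sin));
}

/* Apply cfg to the interface through an AF_INET socket; 0, or -1 with errno set. */
int tun_v4_apply(int sock, const struct tun_v4_config *cfg)
{
#if defined(__FreeBSD__)
    struct ifaliasreq req;  /* address, destination and mask in a single request */
    memset(&req, 0, sizeof(req));
    memcpy(req.ifra_name, cfg->ifname, IFNAMSIZ);
    fill_sin(&req.ifra_addr, cfg->addr);
    /* On a point-to-point interface this slot holds the destination
     * (<netinet/in_var.h> names the same member ifra_dstaddr). */
    fill_sin(&req.ifra_broadaddr, cfg->dst);
    fill_sin(&req.ifra_mask, cfg->mask);
    return ioctl(sock, SIOCAIFADDR, &req);
#elif defined(__linux__)
    struct ifreq ifr;  /* the older per-field sequence that FreeBSD 9 also accepted */
    memset(&ifr, 0, sizeof(ifr));
    memcpy(ifr.ifr_name, cfg->ifname, IFNAMSIZ);
    fill_sin(&ifr.ifr_addr, cfg->addr);
    if (ioctl(sock, SIOCSIFADDR, &ifr) < 0) return -1;
    fill_sin(&ifr.ifr_dstaddr, cfg->dst);
    if (ioctl(sock, SIOCSIFDSTADDR, &ifr) < 0) return -1;
    fill_sin(&ifr.ifr_netmask, cfg->mask);
    return ioctl(sock, SIOCSIFNETMASK, &ifr);
#else
    (void)sock; (void)cfg; errno = ENOSYS; return -1;
#endif
}

/* Checks on the portable part; returns 1 when every expectation holds. */
int tun_v4_selftest(void)
{
    struct tun_v4_config c;
    if (tun_v4_config_init(&c, "tun1", "1.1.1.1", NULL, 32) != 0) return 0;
    if (c.dst.s_addr != c.addr.s_addr || ntohl(c.mask.s_addr) != 0xffffffffu) return 0;
    if (tun_v4_config_init(&c, "tun1", "10.0.0.2", "10.0.0.1", 24) != 0) return 0;
    if (ntohl(c.mask.s_addr) != 0xffffff00u || ntohl(c.dst.s_addr) != 0x0a000001u) return 0;
    if (tun_v4_config_init(&c, "tun1", "1.1.1.1", NULL, 33) != -1) return 0;   /* bad prefix */
    if (tun_v4_config_init(&c, "tun1", "not-an-ip", NULL, 32) != -1) return 0; /* bad address */
    return 1;
}
```

To use it, open an AF_INET datagram socket (socket(AF_INET, SOCK_DGRAM, 0)), build the config with tun_v4_config_init() and hand both to tun_v4_apply(); this needs root and an existing TUN device, such as the tun1 that charon created in the log above. The point the example makes is the one from the comment: on FreeBSD 10 the address, its destination and the mask travel in one request, so a port that still issues the FreeBSD 9-era per-field ioctls fails exactly where the reporter's "Invalid argument" appears.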