> On 01 Jan 2015, at 04:36, Chris Watson <bsdunix44 at gmail.com> wrote:
>
> So I have been running a stable ipsec tunnel between my MacBook Pro and a
> FreeBSD 10-stable server, I just rebuilt world today and racoon has become
> pissy and refuses to start, and as usual with ipsec, debugging it is like
> winning gold in the pain olympics. So here's the issue, my working config
> has not changed at all. I'm simply running a new FreeBSD 10-stable r276472
> world + kernel. I have looked all over at UPDATING, source commits to
> stable, google, etc and I can't figure this error out.
Do you know the old revision as well, to limit the search time?
> Anytime I try to start racoon it looks like it starts but it doesn't. The
> only error I can get is to run it with "racoon -F -ddd -f
> /usr/local/etc/racoon/racoon.conf", and I get the following
>
> "ERROR: libipsec failed pfkey open (Address family not supported by
> protocol family)
> racoon: failed to initialize pfkey socket"
>
> Doing a "setkey -F" produces "pfkey_open: Address family not supported by
> protocol family"
That smells like a raw socket issue to me. But the only change there I can
remember is that someone changed the source address selection but nothing that
would trigger this.
You could turn net.inet.ipsec.debug to 0xff and check that there is nothing in
dmesg -a after trying to start racoon, just to rule that out.
Also could you paste the output of `sysctl -a | grep ipsec` and `sysctl -a
net.key` just trying to make sure ... ;-)
--
Bjoern A. Zeeb Charles Haddon Spurgeon:
"Friendship is one of the sweetest joys of life. Many might have failed
beneath the bitterness of their trial had they not found a friend."