
ipsec-tools: libipsec failed pfkey align(Invalid sadb message) #17129

Open hiallo opened 3 years ago

hiallo commented 3 years ago

ipsec-tools:

Maintainer: @Noah Meyerhans frodo@morgul.net

Description:

# Linux version
root@BIGTMT:~# uname -r
4.4.60
#openssl version
root@BIGTMT:~# openssl version
OpenSSL 1.1.1g  21 Apr 2020

# ipsec-tools version
Mon Nov 15 11:22:29 2021 daemon.info racoon: 2021-11-15 11:22:29: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)

# racoon.conf
# autogenerated, don't edit, look at /etc/config/racoon
#
path certificate "/var/racoon/cert";
path script "/etc/racoon";
path pre_shared_key "/var/racoon/psk.txt";
path pidfile "/var/racoon/racoon.pid";
padding { maximum_length 20; randomize off; strict_check off; exclusive_tail off; }
timer { counter 5; interval 20 sec; persend 1; phase1 30 sec; phase2 15 sec; }

listen {
  isakmp 172.16.1.22 [500]; isakmp_natt 172.16.1.22 [4500];
}
log debug;
remote "Office" {
  remote_address 172.16.1.26;
  ph1id 1;
  peers_identifier asn1dn;
  exchange_mode main,aggressive;
  nat_traversal on;
  support_proxy on;
  proposal_check obey;
  weak_phase1_check off;
  verify_identifier on;
  initial_contact off;
  proposal {
    lifetime time 28800 sec;
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
sainfo address 192.168.1.0/24 any address 192.168.3.0/24 any {
  remoteid 1;
  pfs_group 2;
  lifetime time 14400 sec;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}

debug loginfo:

Thu Nov  4 17:45:05 2021 daemon.debug racoon: 2021-11-04 17:45:05: DEBUG: ===
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: ===
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: begin QUICK mode.
Thu Nov  4 17:45:06 2021 daemon.info racoon: 2021-11-04 17:45:06: INFO: initiate new phase 2 negotiation: 172.16.1.22[500]<=>172.16.1.26[500]
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: compute IV for phase2
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: phase1 last IV:
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: 
bc810355 93129f11 9ecc591a b9763f3c b952bfb0
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: hash(sha1)
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: encryption(aes)
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: phase2 IV computed:
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: 
8df728ea 6afcd34a 0f511cf0 3f576c03
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: call pfkey_send_getspi
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: pfkey GETSPI sent: ESP/Tunnel 172.16.1.26[500]->172.16.1.22[500] 
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: pfkey getspi sent.
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: pk_recv: retry[0] recv() 
Thu Nov  4 17:45:06 2021 daemon.debug racoon: 2021-11-04 17:45:06: DEBUG: got pfkey GETSPI message
Thu Nov  4 17:45:06 2021 daemon.info racoon: 2021-11-04 17:45:06: ERROR: libipsec failed pfkey align (Invalid sadb message)
Thu Nov  4 17:45:21 2021 daemon.info racoon: 2021-11-04 17:45:21: ERROR: 172.16.1.26 give up to get IPsec-SA due to time up to wait.
Thu Nov  4 17:45:21 2021 daemon.debug racoon: 2021-11-04 17:45:21: DEBUG: IV freed
Thu Nov  4 17:45:35 2021 daemon.debug racoon: 2021-11-04 17:45:35: DEBUG: pk_recv: retry[0] recv() 
Thu Nov  4 17:45:35 2021 daemon.debug racoon: 2021-11-04 17:45:35: DEBUG: got pfkey EXPIRE message
Thu Nov  4 17:45:35 2021 daemon.info racoon: 2021-11-04 17:45:35: ERROR: libipsec failed pfkey align (Invalid sadb message)
Thu Nov  4 17:45:36 2021 daemon.debug racoon: 2021-11-04 17:45:36: DEBUG: pk_recv: retry[0] recv() 
Thu Nov  4 17:45:36 2021 daemon.debug racoon: 2021-11-04 17:45:36: DEBUG: got pfkey EXPIRE message
Thu Nov  4 17:45:36 2021 daemon.info racoon: 2021-11-04 17:45:36: ERROR: libipsec failed pfkey align (Invalid sadb message)

I get this error in quick mode with ipsec-tools and I don't know how to fix it; please help me.

nmeyerhans commented 2 years ago

We can try to figure this out, but before we dig too deep into it, I should point out that ipsec-tools is orphaned upstream and has been removed from the OpenWrt packages master branch. Given its nature as a security-sensitive application, you should give serious consideration to switching to another IPsec implementation, e.g. strongSwan, or to WireGuard, both of which are available in OpenWrt.