IPSec VPN stop working after upgrade to 388.9

mipo

Hi

I have used IPSec VPN with the same configuration and the same DNS (static IP) for 4 or 5 years, but not every time. Today I was not able to connect and found that the server is running:

Code:
router:/tmp/home/root# netstat -tulpn  | grep charon
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           3628/charon
udp        0      0 0.0.0.0:500             0.0.0.0:*                           3628/charon
udp        0      0 :::4500                 :::*                                3628/charon
udp        0      0 :::500                  :::*                                3628/charon

but in log:

Code:
Apr 21 21:58:27 00[DMN] Starting IKE charon daemon (strongSwan 5.9.13, Linux 4.1.52, aarch64)
Apr 21 21:58:27 00[KNL] received netlink error: Operation not supported (95)
Apr 21 21:58:27 00[KNL] failed to create XFRM interface 'xfrmi-test-3912'
Apr 21 21:58:27 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported (95)
Apr 21 21:58:27 00[NET] installing IKE bypass policy failed
Apr 21 21:58:27 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported (95)
Apr 21 21:58:27 00[NET] installing IKE bypass policy failed
Apr 21 21:58:27 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported (95)
Apr 21 21:58:27 00[NET] installing IKE bypass policy failed
Apr 21 21:58:27 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported (95)
Apr 21 21:58:27 00[NET] installing IKE bypass policy failed
Apr 21 21:58:27 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 21 21:58:27 00[CFG]   loaded ca certificate "C=TW, O=ASUS, CN=ASUS GT-AXE11000 Root CA" from '/etc/ipsec.d/cacerts/asusCert.pem'
Apr 21 21:58:27 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 21 21:58:27 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 21 21:58:27 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 21 21:58:27 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 21 21:58:27 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 21 21:58:27 00[CFG]   loaded IKE secret for %any
Apr 21 21:58:27 00[CFG]   loaded EAP secret for A
Apr 21 21:58:27 00[CFG]   loaded EAP secret for B
Apr 21 21:58:27 00[CFG]   loaded EAP secret for C
Apr 21 21:58:27 00[CFG]   loaded EAP secret for D
Apr 21 21:58:27 00[CFG]   loaded EAP secret for E
Apr 21 21:58:27 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/svrKey.pem'
Apr 21 21:58:27 00[CFG]   loaded EAP secret for A
Apr 21 21:58:27 00[CFG]   loaded EAP secret for B
Apr 21 21:58:27 00[CFG]   loaded EAP secret for C
Apr 21 21:58:27 00[CFG]   loaded EAP secret for D
Apr 21 21:58:27 00[CFG]   loaded EAP secret for E
Apr 21 21:58:27 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf curve25519 agent xcbc cmac hmac kdf gcm drbg attr kernel-netlink socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-tls eap-peap xauth-generic counters
Apr 21 21:58:27 00[JOB] spawning 8 worker threads
Apr 21 21:58:27 05[CFG] received stroke: add connection 'Host-to-Net'
Apr 21 21:58:27 05[CFG] adding virtual IP address pool 10.10.10.0/24
Apr 21 21:58:27 05[CFG] added configuration 'Host-to-Net'
Apr 21 21:58:27 07[CFG] received stroke: add connection 'Host-to-Netv2'
Apr 21 21:58:27 07[CFG] reusing virtual IP address pool 10.10.10.0/24
Apr 21 21:58:27 07[CFG]   loaded certificate "C=TW, O=ASUS, CN=XXXXX.asuscomm.com" from 'svrCert.pem'
Apr 21 21:58:27 07[CFG] added configuration 'Host-to-Netv2'
Apr 21 21:58:28 06[CFG] received stroke: delete connection 'Host-to-Net'
Apr 21 21:58:28 06[CFG] deleted connection 'Host-to-Net'
Apr 21 21:58:28 07[CFG] received stroke: delete connection 'Host-to-Netv2'
Apr 21 21:58:28 07[CFG] deleted connection 'Host-to-Netv2'
Apr 21 21:58:28 06[CFG] received stroke: add connection 'Host-to-Net'
Apr 21 21:58:28 06[CFG] reusing virtual IP address pool 10.10.10.0/24
Apr 21 21:58:28 06[CFG] added configuration 'Host-to-Net'
Apr 21 21:58:28 07[CFG] received stroke: add connection 'Host-to-Netv2'
Apr 21 21:58:28 07[CFG] reusing virtual IP address pool 10.10.10.0/24
Apr 21 21:58:28 07[CFG]   loaded certificate "C=TW, O=ASUS, CN=XXXXX.asuscomm.com" from 'svrCert.pem'
Apr 21 21:58:28 07[CFG] added configuration 'Host-to-Netv2'

And the only change that was made is the FW upgrade to 3004.388.9, so I suppose this broke my VPN, but I'm not sure. Any idea what I can do?
 
I recently went down the rabbit hole trying to get IPSec working from Entware instead of the Firmware version as I wanted authentication handled by my Radius server (tied into Active Directory). As I was troubleshooting my installation, I was getting the same error messages you are (failed to create XFRM interface 'xfrmi-test-3912').

I found that I had to load kernel modules xfrm_user and xfrm4_tunnel before I could get rid of that message.

On the off chance that 388.9 somehow got mucked up and no one caught it in testing, try:


Code:
modprobe xfrm_user
modprobe xfrm4_tunnel

If you get an error along the lines of the module cannot be found, then try find /lib -name xfrm4_tunnel.ko to make sure the modules were included with the 388.9 build.

I am using 388.8_4 still, and finally got IPSec from Entware running using Radius for authentication, albeit not completely the way I want it working (see my full post here).
 
Hi

Modules are loaded :

Code:
mipo@router:/tmp/home/root# lsmod | grep xfrm
xfrm_user              26021  0
xfrm4_tunnel            1886  0
mipo@router:/tmp/home/root# find /lib -name xfrm4_tunnel.ko
/lib/modules/4.1.52/kernel/net/ipv4/xfrm4_tunnel.ko
mipo@router:/tmp/home/root# find /lib -name xfrm_user.ko
/lib/modules/4.1.52/kernel/net/xfrm/xfrm_user.ko
mipo@router:/tmp/home/root# uname -a
Linux router 4.1.52 #2 SMP PREEMPT Wed Apr 9 19:10:51 EDT 2025 aarch64 ASUSWRT-Merlin
 
OK, then. I knew it was just a shot in the dark, but I have seen issues in the past with missed modules.

I am just starting to learn StrongSwan, so I am at a dead end right now. There is not a 388.9 for my RTAX86U-PRO, so I can't test there either.

Sorry. If I think of anything, I will give a shout.
 
The error messages are normal and can be ignored. This is because the kernel runs in 64-bit while the userspace runs in 32-bit; it does not affect behaviour.
 
Thanks RMerlin for the answer. I did a factory reset and configured everything from scratch :D Now all is working fine, but this error still exists. I have no idea why my VPN stopped working ...
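
Added example, not part of the thread or of any poster's message: a small POSIX shell/awk triage for a charon log like the one posted above. It counts the startup messages the thread reports as ignorable, works out which connections are still loaded after the stroke add/delete sequence, and counts inbound IKE packets. The function names and the shortened sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): triage a charon log read from stdin.
#   noise  = startup messages the thread reports as ignorable on this platform
#   loaded = connections still loaded after every stroke add/delete event
#   ike_rx = inbound IKE packets charon logged ("received packet:")
charon_triage() {
    awk '
    /received netlink error: Operation not supported/ { noise++; next }
    /failed to create XFRM interface/                 { noise++; next }
    /unable to set IPSEC_POLICY on socket/            { noise++; next }
    /installing IKE bypass policy failed/             { noise++; next }
    /\[CFG\] added configuration/ {
        split($0, q, "\047"); c = q[2]          # name sits between single quotes
        if (!(c in seen)) { seen[c] = 1; order[++n] = c }
        loaded[c] = 1
    }
    /\[CFG\] deleted connection/ { split($0, q, "\047"); loaded[q[2]] = 0 }
    /\[NET\] received packet:/   { rx++ }
    END {
        out = ""
        for (i = 1; i <= n; i++) {
            if (!loaded[order[i]]) continue
            sep = (out == "") ? "" : ","
            out = out sep order[i]
        }
        if (out == "") out = "-"
        printf "noise=%d loaded=%s ike_rx=%d\n", noise, out, rx
    }'
}

# Constructed sample: a shortened excerpt in the format of the log posted above.
sample_log() {
    cat <<'EOF'
Apr 21 21:58:27 00[KNL] received netlink error: Operation not supported (95)
Apr 21 21:58:27 00[KNL] failed to create XFRM interface 'xfrmi-test-3912'
Apr 21 21:58:27 00[KNL] unable to set IPSEC_POLICY on socket: Operation not supported (95)
Apr 21 21:58:27 00[NET] installing IKE bypass policy failed
Apr 21 21:58:27 05[CFG] added configuration 'Host-to-Net'
Apr 21 21:58:27 07[CFG] added configuration 'Host-to-Netv2'
Apr 21 21:58:28 06[CFG] deleted connection 'Host-to-Net'
Apr 21 21:58:28 07[CFG] deleted connection 'Host-to-Netv2'
Apr 21 21:58:28 06[CFG] added configuration 'Host-to-Net'
Apr 21 21:58:28 07[CFG] added configuration 'Host-to-Netv2'
EOF
}

sample_log | charon_triage
```

Pipe a real log through `charon_triage` after a failed connection attempt: both connections listed under `loaded` with `ike_rx=0` means charon logged no client packet in that window, which points the search at what sits in front of the daemon rather than at the startup errors.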
 
