https://redmine.pfsense.org/https://redmine.pfsense.org/favicon.ico?16780521162016-04-21T13:33:53ZpfSense bugtrackerpfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=266332016-04-21T13:33:53ZChris Buechlercbuechler@gmail.com
<ul><li><strong>Subject</strong> changed from <i>IPSEC with OpenBGPD Package</i> to <i>IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"</i></li><li><strong>Status</strong> changed from <i>New</i> to <i>Confirmed</i></li><li><strong>Assignee</strong> set to <i>Chris Buechler</i></li></ul><p>I'm looking into a good repeatable test case for this.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=267762016-04-26T08:59:42ZMichael van der Weg
<ul></ul><p>Chris Buechler wrote:</p>
<blockquote>
<p>I'm looking into a good repeatable test case for this.</p>
</blockquote>
<p>hi, i'm affected by this bug too. i can provide a test ipsec endpoint using an aws vpc and the required configuration for the pfsense side. if you wish i can also provide a configured pfsense box with root access that is affected by the issue.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=268822016-05-01T18:09:29ZChris Buechlercbuechler@gmail.com
<ul><li><strong>Target version</strong> set to <i>2.3.1</i></li></ul><p>setting net.raw.recvspace=16384, twice the default, has been confirmed to fix this and one other unrelated IPsec failure where there was the same PF_KEY socket error.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=268832016-05-01T22:02:39Zsht head
<ul></ul><p>Chris Buechler wrote:</p>
<blockquote>
<p>setting net.raw.recvspace=16384, twice the default, has been confirmed to fix this and one other unrelated IPsec failure where there was the same PF_KEY socket error.</p>
</blockquote>
<p>I upgraded my stand by server again to 2.3 and set this in system tunables. After I rebooted the server.</p>
<p>Its been about an hour and it looks like my tunnels have all started to drop off again one by one, so this has not fixed it for me.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=269592016-05-06T01:21:42ZChris Buechlercbuechler@gmail.com
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Feedback</i></li></ul><p>I set it as committed on "shthead"'s system and it seems to be fine.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=269992016-05-07T11:25:42ZMichael OBrien
<ul></ul><p>Chris Buechler wrote:</p>
<blockquote>
<p>I set it as committed on "shthead"'s system and it seems to be fine.</p>
</blockquote>
<p>Still having this issue (running OpenBGPd + IPSec - transport phase 2 with GRE tunnels) after changing tunable to 16384, then 131072 per another recommendation online.</p>
<p>More:<br /><a class="external" href="https://forum.pfsense.org/index.php?topic=109908.30">https://forum.pfsense.org/index.php?topic=109908.30</a></p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=270192016-05-07T17:26:49ZChris Buechlercbuechler@gmail.com
<ul></ul><p>Michael OBrien wrote:</p>
<blockquote>
<p>Still having this issue (running OpenBGPd + IPSec - transport phase 2 with GRE tunnels) after changing tunable to 16384, then 131072 per another recommendation online.</p>
</blockquote>
<p>That's not as committed here. Set all 4 as done in the commits here, or upgrade to 2.3.1.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=271332016-05-15T23:08:18ZChris Buechlercbuechler@gmail.com
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Confirmed</i></li><li><strong>Target version</strong> changed from <i>2.3.1</i> to <i>2.3.2</i></li></ul><p>Those changes helped some instance of this, but definitely doesn't fix the problem for all.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=279352016-07-03T11:22:07ZMichael OBrien
<ul></ul><p>Chris Buechler wrote:</p>
<blockquote>
<p>Michael OBrien wrote:</p>
<blockquote>
<p>Still having this issue (running OpenBGPd + IPSec - transport phase 2 with GRE tunnels) after changing tunable to 16384, then 131072 per another recommendation online.</p>
</blockquote>
<p>That's not as committed here. Set all 4 as done in the commits here, or upgrade to 2.3.1.</p>
</blockquote>
<p>Same issue with upgrade to 2.3.1_5, any idea if this will be resolved in 2.3.2 or 2.4.x (FreeBSD 11, right?)</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=282642016-07-13T23:43:21ZChris Buechlercbuechler@gmail.com
<ul><li><strong>Assignee</strong> deleted (<del><i>Chris Buechler</i></del>)</li><li><strong>Target version</strong> changed from <i>2.3.2</i> to <i>2.4.0</i></li><li><strong>Affected Version</strong> changed from <i>2.3</i> to <i>2.3.x</i></li></ul><p>bumping net.inet.raw.maxdgram, net.inet.raw.recvspace, net.raw.recvspace and net.raw.sendspace even further seems to at least make it work longer without encountering this issue. <br /><a class="external" href="https://forum.pfsense.org/index.php?topic=109908.msg623827#msg623827">https://forum.pfsense.org/index.php?topic=109908.msg623827#msg623827</a><br />but still failed with same after a month. <br /><a class="external" href="https://forum.pfsense.org/index.php?topic=109908.msg629807#msg629807">https://forum.pfsense.org/index.php?topic=109908.msg629807#msg629807</a></p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=286532016-08-19T07:31:08ZMichael OBrien
<ul></ul><p>Looks like there may be some progress here:<br /><a class="external" href="https://forum.pfsense.org/index.php?topic=109908.45">https://forum.pfsense.org/index.php?topic=109908.45</a></p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=287562016-09-01T02:08:39ZAaron Marks
<ul></ul><p>I recommend changing this to a high priority bug as it impacts anyone using IPsec and BGP together which are two ubiquitious protocols. I've worked with pfSense support and this issue is confirmed. It says that 2.4 is the current targeted for patching this, but I'd also advise doing whatever it takes to fix this I'm 2.3.3.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=288322016-09-06T15:20:06ZJim Pingle
<ul><li><strong>File</strong> <a href="/attachments/1830">charon-pfkey-event-buffer.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1830/charon-pfkey-event-buffer.patch">charon-pfkey-event-buffer.patch</a> added</li></ul><p>Anyone who can reproduce this: Try feeding the attached patch into the system patches package, which will add in the charon change mentioned on the forum post. Set path strip = 2 in the system patches package.</p>
<p>The patch will change the strongSwan config so it will either use $config['ipsec']['kernel_pfkey_events_buffer'] (no GUI knob, but you can set it by hand in the config) or the value of the net.inet.raw.recvspace sysctl oid.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=288552016-09-12T04:53:38ZPer Hodnelandper@hodneland.se
<ul></ul><p>Applied attached patch, but that only pushes the problem in the near future. Still fails after x amount of days or hours. Would be nice to see a proper fix for this as using gre+ipsec with BGP is the core that we are currently using PFsense for.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=289102016-09-23T04:12:42ZJon Haywardjon@thehaywards.me
<ul></ul><p>Hey all,</p>
<p>Do we know exactly what causes this yet?</p>
<p>Reason i ask is i have just had a 2.2.6 machine have this (been kept at 2.2.6 because of this exact issue on 2.3.x)</p>
<p><code>Sep 22 19:41:44 bgpd[64711]: dispatch_imsg in main: pipe closed<br />Sep 22 19:41:44 bgpd[65089]: session engine exiting<br />Sep 22 19:41:44 bgpd[64810]: route decision engine exiting<br />Sep 22 19:41:44 bgpd[65089]: writev (6/80): No buffer space available<br />Sep 22 19:39:54 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:37:04 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:34:36 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:32:08 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:29:39 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:28:34 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:27:30 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:26:26 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:25:50 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:25:18 bgpd[65089]: Connection attempt from neighbor 10.255.255.2 (Yodafone) while session is in state Idle<br />Sep 22 19:25:12 bgpd[65089]: neighbor 10.255.255.2 (Yodafone): pfkey setup failed<br />Sep 22 19:25:12 bgpd[65089]: writev (8/104): No buffer space available<br />Sep 22 19:25:11 bgpd[65089]: writev (6/80): No buffer space available<br />Sep 22 19:24:41 bgpd[65089]: neighbor 10.255.255.2 (Yodafone): state change Established -> Idle, reason: HoldTimer expired</code></p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=291222016-10-24T04:16:55ZMartin Hansen
<ul></ul><p>I can word in on this, major issue.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=296232016-11-27T18:28:50ZMichael OBrien
<ul></ul><p>Has anyone attempted this with 2.4 beta? I've already burned my downtime allowance testing with 2.3.x versions and various patches, and don't have a test setup with a busy enough BGP + GRE/IPSec link to reliably repro this.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=296272016-11-28T08:43:08ZFirstname Surname
<ul><li><strong>File</strong> <a href="/attachments/1893">ipsecmon.sh</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1893/ipsecmon.sh">ipsecmon.sh</a> added</li></ul><p>To all having this problem - while there is no fix yet, I have put together a workaround I have been using successfully with 2.3.2 for a few months now with no issues. While it does not provide an uninterrupted service, it recovers every time. If you have redundant tunnels, chances are you will survive without issues.</p>
<p>The solution is:</p>
<p>a) increasing the pfkey buffer size as per the patch attached to this issue<br />b) a cron job to run the attached script (I run it every 2 minutes, but could well be every minute).</p>
<p>Do not ask me why this works, but I have found it that it becomes possible to recover from this condition by restarting IPSec and OpenBGPd once the pfkey buffer size is increased. The script picks up any IPSec sessions with phase 1 or phase 2 down and bounces them accordingly, and restarts both openbgpd and IPSec if either all sessions are down, or the buffer space error has appeared. The script is obviously very simple so modify accordingly, but it works for me.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=299122016-12-13T07:54:23ZJames Cornman
<ul><li><strong>File</strong> <a href="/attachments/1917">ipsecmon-jc.diff</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1917/ipsecmon-jc.diff">ipsecmon-jc.diff</a> added</li><li><strong>File</strong> <a href="/attachments/1919">ipsecmon.sh</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1919/ipsecmon.sh">ipsecmon.sh</a> added</li></ul><p>I've created a little patch to the ipsecmon.sh file to actually log the output using logger, and made it a little easier to read ;)</p>
<p>It will only log a subset of the output that is displayed from the CLI command so it doesn't clutter the log for diagnostic output..</p>
<p>Lastly, as a comment, I installed the cron package via the pfsense Packaage manager in lieu of just using crontab via the CLI..hopefully this will persist through minor updates, until the developers get the 2.4 fix out for this problem.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=299132016-12-13T08:25:53ZJim Pingle
<ul></ul><p>As long as you're logging things, dump the output from <code>/usr/bin/netstat -s -ppfkey</code> as well to see if the errors in the logs correlate to any counters there.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=304422017-01-07T12:42:45ZJim Thompsonjim@netgate.com
<ul><li><strong>Assignee</strong> set to <i>Matthew Smith</i></li></ul> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=314872017-02-13T02:06:38ZFrans Gidlöf
<ul></ul><p>In 2.4 it flaps constantly... I mean every 40 seconds or so, but it varies</p>
<p>startup<br />rereading config<br />route decision engine ready<br />new ktable rdomain_0 for rtableid 0<br />RDE reconfigured<br />session engine ready<br />listening on 169.254.41.78<br />SE reconfigured<br />neighbor 169.254.41.77 (VPC): state change None -> Idle, reason: None<br />neighbor 169.254.41.77 (VPC): state change Idle -> Connect, reason: Start<br />neighbor 169.254.41.77 (VPC): state change Connect -> OpenSent, reason: Connection opened<br />neighbor 169.254.41.77 (VPC): state change OpenSent -> OpenConfirm, reason: OPEN message received<br />neighbor 169.254.41.77 (VPC): state change OpenConfirm -> Established, reason: KEEPALIVE message received<br />nexthop 169.254.41.77 now valid: via XXX.XXX.XXX.XXX<br />Traffic stops here<br />neighbor 169.254.41.77 (VPC): write error: Permission denied<br />neighbor 169.254.41.77 (VPC): state change Established -> Idle, reason: Fatal error<br />neighbor 169.254.41.77 (VPC): state change Idle -> Connect, reason: Start<br />neighbor 169.254.41.77 (VPC): state change Connect -> OpenSent, reason: Connection opened<br />neighbor 169.254.41.77 (VPC): state change OpenSent -> OpenConfirm, reason: OPEN message received<br />neighbor 169.254.41.77 (VPC): state change OpenConfirm -> Established, reason: KEEPALIVE message received<br />nexthop 169.254.41.77 now valid: via XXX.XXX.XXX.XXX</p>
<p>Against AWS VPC with dynamic routing via OpenBGPD, more stable in 2.3 but the same issue as the rest of this thread/bug.</p>
<p>Can provide a testing environment if needed.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=316952017-02-20T22:32:39ZWade Blackwell
<ul></ul><p>I'm also seeing this issue over Ovpn site to site tunnels with static keys on 2.3.2-RELEASE-p1 (i386). The remote sites are running 2.3.2-RELEASE-p1 (amd64) but the issue appears to originate on the core site which is running i386 version. Can provide debugs and configs if needed.</p>
<p>Feb 20 20:02:21 bgpd 72490 neighbor 172.39.0.14 (Bonney Lake Campus): state change Idle -> Connect, reason: Start<br />Feb 20 20:02:21 bgpd 72490 neighbor 172.39.0.14 (Bonney Lake Campus): state change Established -> Idle, reason: Fatal error<br />Feb 20 20:02:21 bgpd 72490 neighbor 172.39.0.14 (Bonney Lake Campus): graceful restart of IPv4 unicast, keeping routes<br />Feb 20 20:02:21 bgpd 72490 neighbor 172.39.0.14 (Bonney Lake Campus): write error: Permission denied</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=319832017-03-05T01:47:29ZJim Thompsonjim@netgate.com
<ul><li><strong>Assignee</strong> changed from <i>Matthew Smith</i> to <i>Luiz Souza</i></li></ul> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=325602017-04-19T12:12:06ZMichael OBrien
<ul></ul><p>Has anyone been able to test this with 2.4? Unfortunately I don't have a good test environment with IPSEC + BGP.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=332942017-07-25T14:14:38Zjosue escalante
<ul></ul><p>Any progress on this?</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=332952017-07-25T14:18:47ZJim Pingle
<ul></ul><p>Only in that we're making progress on replacing OpenBGPD with FRR, which hopefully will not suffer from the same issue(s).</p>
<p>It is worth testing on 2.4 as well to see if the newer base OS helps.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=333292017-07-27T17:42:11ZMichael OBrien
<ul></ul><p>Jim Pingle wrote:</p>
<blockquote>
<p>Only in that we're making progress on replacing OpenBGPD with FRR</p>
</blockquote>
<p>Well that's exciting! I assume this is a super long-term thing?</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=334212017-08-09T23:53:28ZLuiz Souzaluiz@netgate.com
<ul><li><strong>Target version</strong> changed from <i>2.4.0</i> to <i>2.4.1</i></li></ul> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=338842017-09-13T09:30:19ZJim Pingle
<ul></ul><p>FYI- FRR is now available for 2.4, 2.3.5 (snapshots), and 2.3.4 users. Internal tests show that it does not suffer from this problem.</p>
<p>If the problem is specific to OpenBGPD then replacing OpenBGPD with FRR seems to be the better path forward at the moment.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=342572017-10-12T10:05:02ZJim Pingle
<ul><li><strong>Target version</strong> changed from <i>2.4.1</i> to <i>2.4.2</i></li></ul> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=343192017-10-13T21:52:57ZMichael OBrien
<ul></ul><p>Jim Pingle wrote:</p>
<blockquote>
<p>FYI- FRR is now available for 2.4, 2.3.5 (snapshots), and 2.3.4 users. Internal tests show that it does not suffer from this problem.</p>
<p>If the problem is specific to OpenBGPD then replacing OpenBGPD with FRR seems to be the better path forward at the moment.</p>
</blockquote>
<p>I suspect I'll have a test case for this in the next few weeks, implementing BGP with a big carrier for private mobile network using 2.4.0 with frr. Is there a reason you're moving this to 2.4.2, or you just need confirmation that it's good to go?</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=343212017-10-14T07:04:51ZJim Pingle
<ul></ul><p>Michael OBrien wrote:</p>
<blockquote>
<p>Is there a reason you're moving this to 2.4.2, or you just need confirmation that it's good to go?</p>
</blockquote>
<p>We would like the see the original problem fixed as well, if possible. The workaround (FRR) is better but we don't necessarily want to consider the matter closed entirely yet. Confirmation also helps. As long as there is a viable workaround it doesn't hurt for this issue to remain open so we can keep an eye on it.</p>
<p>In addition to FRR, FreeBSD 11.1 has some significant changes to the IPsec stack, so it's worth re-tested the original bug there.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=346002017-10-23T12:19:10ZJim Pingle
<ul><li><strong>Target version</strong> changed from <i>2.4.2</i> to <i>2.4.3</i></li></ul> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=349452017-11-07T05:55:11ZAndrew Wasilczuk
<ul></ul><p>I can confirm that this is still an issue on 2.4.0</p>
<p>Switching to FRR solved this for me.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=349532017-11-07T09:53:45ZMitch Claborn
<ul></ul><p>What is the process for switching to FRR? Do I just install the FRR package or is there more to it?</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=349542017-11-07T09:55:49ZJim Pingle
<ul></ul><p>Mitch Claborn wrote:</p>
<blockquote>
<p>What is the process for switching to FRR? Do I just install the FRR package or is there more to it?</p>
</blockquote>
<p>That's more of a topic for the forum. tl;dr is that it's a completely separate package. Remove OpenBGPD, install FRR, configure FRR for BGP. If you need more help, follow up on the forum.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=353912017-12-14T08:27:25ZJim Pingle
<ul><li><strong>Status</strong> changed from <i>Confirmed</i> to <i>Closed</i></li></ul><p>It's still broken with FreeBSD 11.x and OpenBGPD and it's unclear if that combination will be fixed upstream.</p>
<p>If you need BGP with IPsec, remove the OpenBGPD packages and install FRR instead. FRR+IPsec has been confirmed to work fine by multiple sources.</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=358672018-02-16T08:20:58ZJim Pingle
<ul><li><strong>Target version</strong> deleted (<del><i>2.4.3</i></del>)</li></ul> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=362072018-04-03T05:10:42Zxavier Lemairexavier@amassi-network.com
<ul></ul><p>just make upgrade to 2.4.3-RELEASE (amd64) built on Mon Mar 26 18:02:04 CDT 2018</p>
<p>I have openbgp (ok i ll move to FRR one of those nights to come)...and I have CARP</p>
<p>after about 14 hrs i got ipsec fall<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> error sending to PF_KEY socket: No buffer space available<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> unable to delete SAD entry with SPI c3fe38a9<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> deleting SPI allocation SA failed<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> error sending to PF_KEY socket: No buffer space available<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> unable to add SAD entry with SPI c3fe38a9<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> error sending to PF_KEY socket: No buffer space available<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> unable to add SAD entry with SPI c87d469d<br />Apr 3 04:31:22 46.28.168.123 charon: 07[IKE] <con1000|6> unable to install inbound and outbound IPsec SA (SAD) in kernel<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> error sending to PF_KEY socket: No buffer space available<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> unable to delete SAD entry with SPI c3fe38a9<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> error sending to PF_KEY socket: No buffer space available<br />Apr 3 04:31:22 46.28.168.123 charon: 07[KNL] <con1000|6> unable to delete SAD entry with SPI c87d469d<br />Apr 3 04:31:22 46.28.168.123 charon: 07[IKE] <con1000|6> sending DELETE for ESP CHILD_SA with SPI c87d469d</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=364422018-04-30T03:39:00Zxavier Lemairexavier@amassi-network.com
<ul></ul><p>Just finish to migrate to FRRouting</p>
<p>IPV4 OK but IPV6 bad dream... fortunately there is a great thing called vtysh <br />for those who go by there i advise you to look at the neighbor 2001 option: neighbor xxx:xxx::xxx next-hop-self force</p>
<p>second advice : be patient, be patient with 22 peers the routing tables put an astronomical time before updating with a bgpd process that burns a core for very very long minutes... it is clear that my cpu must be a fucking wheelbarrow : Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz 16 CPUs: 1 package(s) x 8 core(s) x 2 hardware threads ...</p>
<p>nice job thx</p> pfSense - Bug #6223: IPsec + OpenBGPD fails with "PF_KEY socket: No buffer space available"https://redmine.pfsense.org/issues/6223?journal_id=366902018-06-10T06:14:25ZRoman Hroman.g@qspark.co
<ul></ul><p>Bump.<br />Issue still persist.<br />Installed OpenBGPd for get pfsense connected to AWS via BGP , and also having IPsec IKE v2 to homesite - and its loosing P2 connections after ~24Hrs.<br />I began to search - and found this bug in tracker. <br />Tried to increase net.raw.recvspace=16384 and 32768 - no help, still dropping after some time.</p>
<p>Also will migrate to FRR, but this definetly should be fixed</p>