# "UDP_ENCAP: Invalid argument" on 12.0 GENERIC r350477



## pkc (Aug 6, 2019)

I have read some material on the internet and the following documents:
https://svnweb.freebsd.org/base?view=revision&revision=347410
https://svnweb.freebsd.org/base?view=revision&revision=313330

It is my understanding that IPsec, including IPSEC_NAT_T, was enabled in GENERIC at some point in 12.0, and then removed but kept available in the ipsec module since then. I have a system built from r350477 which appears to already have ipsec in the kernel when I try to `kldload ipsec.ko`. However, with StrongSwan I get the error message I quoted in the title.


```
unable to set UDP_ENCAP: Invalid argument
```

I understand this to mean that NAT traversal is not available in the kernel.



```
FreeBSD box 12.0-RELEASE-p8 FreeBSD 12.0-RELEASE-p8 r350477 GENERIC  amd64
```


----------



## SirDice (Aug 6, 2019)

If I read the first (r347410) correctly (timelines), that's a change on 13-CURRENT, so it does not apply to 12.0-RELEASE or 12-STABLE. The r313330 revision seems to have been done before the branching of 12-STABLE, so we can assume it's included in the 12.0-RELEASE branch.

I am running Strongswan on a recent 12-STABLE but it's a custom kernel too so I haven't seen this error.


----------



## pkc (Aug 6, 2019)

Ah OK, I see. I suppose somehow IPSEC_NAT_T is not enabled in my system. I had a specific reason that I could not use a custom kernel, but I can try to get around that at least temporarily to see if a custom one with that IPSEC_NAT_T fixes it.


----------



## SirDice (Aug 6, 2019)

For what it's worth, I don't have the IPSEC_NAT_T option enabled (I don't need it); I do have IPSEC in my kernel config.


----------



## pkc (Aug 6, 2019)

I see. Unfortunately, I will require it.


----------

