[Swan] FAILURE in loading XFRM IPsec stack on 3.28

Paul Wouters paul at nohats.ca
Tue May 28 02:18:06 UTC 2019

On Mon, 27 May 2019, Computerisms Corporation wrote:

> _stackmanager[523]: FAILURE in loading XFRM IPsec stack
> I traced it down in the code to a file called _stackmanager.in, and it 
> appears the error is generated because of a missing file:
> /proc/net/xfrm_stat
> Here is where I have been spinning my wheels for a bit too long, I am not 
> sure if that is supposed to be created as a result of iproute2 or some other 
> package, or maybe it's a kernel module (I did install and then remove dkms 
> trying to xtables-addons working) issue and I need to modprobe something, or 
> if Libreswan was supposed to create it and didn't.

It is part of the kernel, and is created by enabling CONFIG_XFRM_STATISTICS.

We used to check XFRM using /proc/net/pf_key but that was really the
PFKEYv2 API, not the netlink/xfrm API, and work is happening in the
kernel to completely disable the PFKEYv2 API. So we needed another test.

We thought most distributions had CONFIG_XFRM_STATISTICS enabled, so it
was the easiest for us to detect XFRM support in the kernel. But some
people don't seem to have this enabled.

Does your system have /proc/sys/net/core/xfrm_acq_expires ?  Maybe we
need to switch to that to test whether XFRM support is available.

> So, did I find a real problem, or am I just in need of someone to point out a 
> glaringly obvious error on my part?

It's not you, it's us :)

Although, /proc/net/xfrm_stat is your _only_ way of getting any
debugging of the kernel level IPsec related events, so you really
do want it enabled in your custom kernels too :)


More information about the Swan mailing list