In my case at least, the problem was that I had protostack=auto in the config setup section of /etc/ipsec.conf, which is how it came by default. The corresponding comment in the default configuration file suggests this should work: "which IPsec stack to use. auto will try netkey, then klips then mast".
In fact, the problem was that auto apparently does not work as advertised. I changed it explicitly to protostack=netkey and it worked. Credit to this thread that did ultimately have this answer, although it took a long time to find it amongst the many configurations on the web and the apparently many causes for this error message.
I should also give a nod to this post, which also addressed the same error. The author there tracked it to the fact that NETKEY was not loading. I followed his suggestions and executed the command modprobe af_key, which did, in the logs, appear to get me past the problem of not having NETKEY start. As noted above, that wasn't sufficient for me, though, as I continued to get the same error after doing this as before. I cannot, therefore, be certain if this was an additional necessary step or a red herring in my case.
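A check for the two conditions described in the answer above, as an added example that is not part of the original answer: it reads the protostack value from the config setup section of an ipsec.conf-style file and looks for af_key in a /proc/modules-format listing. The function names are hypothetical and the sample configuration is constructed.

```shell
#!/bin/sh
# Report which protostack an ipsec.conf-style file selects in "config setup".
# Sections start in column 0; their parameters are indented beneath them.
protostack_value() {
    awk '
        /^[^ \t#]/ { in_setup = ($1 == "config" && $2 == "setup") }
        in_setup && /^[ \t]+protostack[ \t]*=/ {
            sub(/^[ \t]+protostack[ \t]*=[ \t]*/, "")
            sub(/[ \t]*(#.*)?$/, "")      # drop trailing blanks or comment
            value = $0
        }
        END { print value }
    ' "$1"
}

# Succeeds only when the stack is named explicitly (not empty, not "auto").
protostack_is_explicit() {
    case "$(protostack_value "$1")" in
        ""|auto) return 1 ;;
        *)       return 0 ;;
    esac
}

# Succeeds when af_key appears in a /proc/modules-format listing.
# A built-in (non-module) af_key would not be listed there.
af_key_loaded() {
    grep -q '^af_key ' "${1:-/proc/modules}"
}

# Constructed sample config, not taken from the post.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed example
config setup
    # which IPsec stack to use
    protostack=auto

conn example
    protostack=ignored-here
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
echo "protostack in sample: $(protostack_value "$sample")"
if protostack_is_explicit "$sample"; then echo "explicit stack set"
else echo "set protostack=netkey explicitly, as the answer did"; fi
rm -f "$sample"
```

On a real host, pass /etc/ipsec.conf to protostack_value and call af_key_loaded with no argument to read /proc/modules.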