Required Kernel Modules

Include the following modules:

Networking  --->
  Networking options  --->
    Transformation user configuration interface [CONFIG_XFRM_USER]
    TCP/IP networking [CONFIG_INET]
      IP: advanced router [CONFIG_IP_ADVANCED_ROUTER]
      IP: policy routing [CONFIG_IP_MULTIPLE_TABLES]
      IP: AH transformation [CONFIG_INET_AH]
      IP: ESP transformation [CONFIG_INET_ESP]
      IP: IPComp transformation [CONFIG_INET_IPCOMP]
    The IPv6 protocol ---> [CONFIG_IPV6]
      IPv6: AH transformation [CONFIG_INET6_AH]
      IPv6: ESP transformation [CONFIG_INET6_ESP]
      IPv6: IPComp transformation [CONFIG_INET6_IPCOMP]
      IPv6: Multiple Routing Tables  [CONFIG_IPV6_MULTIPLE_TABLES]
    Network packet filtering framework (Netfilter) ---> [CONFIG_NETFILTER]
      Core Netfilter Configuration --->
        Netfilter Xtables support [CONFIG_NETFILTER_XTABLES]
          IPsec "policy" match support [CONFIG_NETFILTER_XT_MATCH_POLICY]

For kernel versions before 5.2, the required IPsec modes have to be enabled explicitly (they are built-in for newer kernels).

Networking  --->
  Networking options  --->
    TCP/IP networking [CONFIG_INET]
      IP: IPsec transport mode [CONFIG_INET_XFRM_MODE_TRANSPORT]
      IP: IPsec tunnel mode [CONFIG_INET_XFRM_MODE_TUNNEL]
      IP: IPsec BEET mode [CONFIG_INET_XFRM_MODE_BEET]
    The IPv6 protocol ---> [CONFIG_IPV6]
      IPv6: IPsec transport mode [CONFIG_INET6_XFRM_MODE_TRANSPORT]
      IPv6: IPsec tunnel mode [CONFIG_INET6_XFRM_MODE_TUNNEL]
      IPv6: IPsec BEET mode [CONFIG_INET6_XFRM_MODE_BEET]

For kernel versions 4.2-4.5, you will have to select Encrypted Chain IV Generator manually in order to use any encryption algorithm in CBC mode.

Cryptographic API
   Select algorithms you want to use...
   Encrypted Chain IV Generator [CRYPTO_ECHAINIV]

Name List of Required Modules

Make sure you have the following modules loaded when you try to establish a tunnel:

ah4
ah6
esp4
esp6
xfrm4_tunnel
xfrm6_tunnel
xfrm_user
ip_tunnel
tunnel
tunnel6
xfrm4_mode_tunnel
xfrm6_mode_tunnel

Optional Modules

xfrm_ipcomp
deflate

If you want to use compression (compress=yes), you need the xfrm_ipcomp module and the deflate module for the compression algorithm.

Shell Script Checking Required Kernel Modules

#!/bin/sh
grep '\<CONFIG_XFRM_USER\>' /boot/config-`uname -r`
grep '\<CONFIG_NET_KEY\>' /boot/config-`uname -r`
grep '\<CONFIG_INET\>' /boot/config-`uname -r`
grep '\<CONFIG_IP_ADVANCED_ROUTER\>' /boot/config-`uname -r`
grep '\<CONFIG_IP_MULTIPLE_TABLES\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_AH\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_ESP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_IPCOMP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
grep '\<CONFIG_INET_XFRM_MODE_BEET\>' /boot/config-`uname -r`
grep '\<CONFIG_IPV6\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_AH\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_ESP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_IPCOMP\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_XFRM_MODE_TRANSPORT\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_XFRM_MODE_TUNNEL\>' /boot/config-`uname -r`
grep '\<CONFIG_INET6_XFRM_MODE_BEET\>' /boot/config-`uname -r`
grep '\<CONFIG_IPV6_MULTIPLE_TABLES\>' /boot/config-`uname -r`
grep '\<CONFIG_NETFILTER\>' /boot/config-`uname -r`
grep '\<CONFIG_NETFILTER_XTABLES\>' /boot/config-`uname -r`
grep '\<CONFIG_NETFILTER_XT_MATCH_POLICY\>' /boot/config-`uname -r`