<div dir="ltr"><div id="gmail-m_-2183893369765891977divtagdefaultwrapper" dir="ltr" style="color:rgb(0,0,0);font-family:calibri,arial,helvetica,sans-serif;font-size:12pt">
<p>Dear all,</p>
<p>With the following config running on NixOS, strongswan fails to start (or route) on boot:</p>
<pre>config setup

conn workstationVpn
  auto=route # Also tried with auto=start
  closeaction=restart
  dpdaction=restart
  keyexchange=ikev2
  leftauth=pubkey
  leftcert=/nix/store/xxx-certificate.der
  leftfirewall=yes
  leftid=foo@bar.com
  leftsourceip=%config4
  right=gateway.bar.com
  rightfirewall=yes
  rightid=gateway.bar.com
  rightsubnet=0.0.0.0/0

ca fooCert
  auto=add
  cacert=/nix/store/yyy-CACertificate.der
</pre>
<p><code>ipsec statusall</code> gives the following:</p>
<pre>Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.4.39, x86_64):
  uptime: 7 minutes, since Jan 10 14:01:34 2017
  malloc: sbrk 2686976, mmap 266240, used 425584, free 2261392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon unbound pkcs11 aesni aes des rc2 sha2 sha1 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert pem af-alg fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 xauth-generic xauth-eap dhcp
Listening IP addresses:
  192.168.42.223 # wlan local IP
  192.168.42.199 # eth0 local IP
Connections:
workstationVpn:  %any...gateway.bar.com  IKEv2, dpddelay=30s
workstationVpn:   local:  [foo@bar.com] uses public key authentication
workstationVpn:    cert:  "C=NL, O=Bar, L=Baz, S=Quux, CN=foo@bar.com"
workstationVpn:   remote: [gateway.bar.com] uses public key authentication
workstationVpn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none
</pre>
<p>Even with all logging options set to 3, the journal doesn't seem to mention anything about even trying to route or start the connection.</p>
<p>After a clean boot, the following list shows some commands and their effects:</p>
<ul>
<li><code>systemctl restart strongswan</code> - Both restarts strongswan and actually starts the connection without errors or problems.</li>
<li><code>ipsec up workstationVpn</code> - Starts the connection, without any errors or problems.</li>
<li><code>ipsec reload</code> - Starts the connection, but somehow <i>all</i> packets appear to be routed through the VPN connection, rather than those in the subnets that the server advertises. This persists until either rebooting or stopping (not restarting) strongswan.</li>
</ul>
<p>I've also found that adding a "<code>sleep 60</code>" before strongswan starts resolves the problem. The connection starts properly when waiting 60 seconds.</p>
<p>Setting <code>charonstart</code> to "yes" explicitly has no noticeable effect.</p>
<p>How do I get strongswan to connect automatically without sleeping 60 seconds or doing it manually in a systemd timer?</p>
<p>Regards,</p>
<p>Bas</p>
</div></div>
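<p>The configuration below is an added example, not part of the original post and not code from the strongSwan or NixOS projects. It expresses the same connection through the NixOS <code>services.strongswan</code> module (which is what produces the <code>/nix/store/...-certificate.der</code> paths seen above) and adds an explicit systemd ordering dependency on <code>network-online.target</code>. It assumes, without proof, that the cause is charon starting before the network and DNS are usable, which the 60-second sleep suggests; the certificate files next to the configuration, and the identities and hostname copied from the post, are placeholders.</p>

```nix
# Added example (not from the original post). Assumes the NixOS strongswan
# module and that certificate.der / CACertificate.der sit next to this file;
# referencing them with ${./...} is what copies them into /nix/store.
{ config, pkgs, ... }:

{
  services.strongswan = {
    enable = true;

    # "config setup" was empty in the post; nothing to add here.
    setup = { };

    connections.workstationVpn = {
      auto          = "route";   # the post also tried "start"
      closeaction   = "restart";
      dpdaction     = "restart";
      keyexchange   = "ikev2";
      leftauth      = "pubkey";
      leftcert      = "${./certificate.der}";
      leftfirewall  = "yes";
      leftid        = "foo@bar.com";
      leftsourceip  = "%config4";
      right         = "gateway.bar.com";
      rightfirewall = "yes";
      rightid       = "gateway.bar.com";
      rightsubnet   = "0.0.0.0/0";
    };

    ca.fooCert = {
      auto   = "add";
      cacert = "${./CACertificate.der}";
    };
  };

  # Ordering: "after" only sequences strongswan.service behind the target if
  # something activates that target; "wants" pulls it in, so the wait-online
  # service of the active network stack (NetworkManager or systemd-networkd)
  # must finish before charon is started. List options merge with whatever
  # the module already declares.
  systemd.services.strongswan = {
    after = [ "network-online.target" ];
    wants = [ "network-online.target" ];
  };
}
```

<p>After <code>nixos-rebuild switch</code>, <code>systemctl list-dependencies --before network-online.target</code> and <code>systemctl show strongswan.service -p After -p Wants</code> confirm the ordering took effect; if <code>ipsec statusall</code> still shows no SA after a clean boot, the delay is not a network-readiness problem and the sleep is masking something else.</p>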