<div dir="ltr">Thanks Noel.<div><br></div><div>The NixOS StrongSwan module [1] is based on ipsec. I tried for a few hours to get StrongSwan to compile with --enable-systemd --enable-swanctl but failed so far. The problem was that libsystemd couldn't be found by configure even when I added it as a dependency to Nix's StrongSwan package [2]. </div><div><br></div><div>I currently have a systemd timer that calls "ipsec up ..." at 1 minute after boot. Hacky for sure but it works for now. </div><div><br></div><div>Hopefully I have some time this weekend to figure out how to get StrongSwan to compile with --enable-systemd --enable-swanctl on NixOS.</div><div><br></div><div>Cheers,</div><div><br></div><div>Bas</div><div><br></div><div>[1] <a href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/strongswan.nix">https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/strongswan.nix</a></div><div>[2] <a href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/strongswan/default.nix">https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/strongswan/default.nix</a></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 10 January 2017 at 22:16, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 10.01.2017 14:51, Bas van Dijk wrote:<br>
> With the following config running on NixOS, strongswan fails to start (or route) on boot:<br>
</span><span class="">> I've also found that adding a "sleep 60" before strongswan starts resolves the problem. The connection starts properly when waiting 60 seconds.<br>
><br>
><br>
> Setting the charonstart to "yes" explicitly has no noticeable effect.<br>
</span>Of course, that's deprecated since 5.0.0.<br>
<span class="">><br>
><br>
> How do I get strongswan to connect automatically without sleeping 60 seconds or doing it manually in a systemd timer?<br>
><br>
><br>
<br>
</span>That is because systemd starts ipsec stroke when charon isn't ready yet, so charon has no idea about the conns when your<br>
systemd unit tells it to initiate the conn. The whole problem appears because ipsec stroke is an asynchronous API.<br>
<br>
Use VICI/swanctl. That's a synchronous API and the configuration format is much better. There's also charon-systemd that has<br>
a nicer behaviour when used with systemd. If you want to use it, you should use a swanctl (for which you need to rewrite your configuration<br>
in swanctl.conf style). That's what I use on all my hosts as well.<br>
<span class="HOEnZb"><font color="#888888"><br>
<br>
--<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
<br>
</font></span></blockquote></div><br></div>