<div dir="ltr">I managed to get charon-systemd to build on NixOS and created a PR to add it to nixpkgs:<div><br></div><div> <a href="https://github.com/NixOS/nixpkgs/pull/21872">https://github.com/NixOS/nixpkgs/pull/21872</a><br></div><div><br></div><div>Next up is writing a NixOS module that actually uses these new tools.</div><div><br></div><div>As explained in the commit it would be nice if swanctl could have a command line option for specifying the configuration file/directory. In NixOS we want to use /etc as little as possible and put most files in the immutable nix store instead. But then we do need to tell swanctl to look for its configuration directory in the nix store.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 13 January 2017 at 21:49, Bas van Dijk <span dir="ltr"><<a href="mailto:v.dijk.bas@gmail.com" target="_blank">v.dijk.bas@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Noel.<div><br></div><div>The NixOS StrongSwan module [1] is based on ipsec. I tried for a few hours to get StrongSwan to compile with --enable-systemd --enable-swanctl but failed so far. The problem was that libsystemd couldn't be found by configure even when I added it as a dependency to Nix's StrongSwan package [2]. </div><div><br></div><div>I currently have a systemd timer that calls "ipsec up ..." at 1 minute after boot. Hacky for sure but it works for now. </div><div><br></div><div>Hopefully I have some time this weekend to figure out how to get StrongSwan to compile with --enable-systemd --enable-swanctl on NixOS.</div><div><br></div><div>Cheers,</div><div><br></div><div>Bas</div><div><br></div><div>[1] <a href="https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/strongswan.nix" target="_blank">https://github.com/NixOS/<wbr>nixpkgs/blob/master/nixos/<wbr>modules/services/networking/<wbr>strongswan.nix</a></div><div>[2] <a href="https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/strongswan/default.nix" target="_blank">https://github.com/NixOS/<wbr>nixpkgs/blob/master/pkgs/<wbr>tools/networking/strongswan/<wbr>default.nix</a></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 10 January 2017 at 22:16, Noel Kuntze <span dir="ltr"><<a href="mailto:noel@familie-kuntze.de" target="_blank">noel@familie-kuntze.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On 10.01.2017 14:51, Bas van Dijk wrote:<br>
> With the following config running on NixOS, strongswan fails to start (or route) on boot:<br>
</span><span>> I've also found that adding a "sleep 60" before strongswan starts resolves the problem. The connection starts properly when waiting 60 seconds.<br>
><br>
><br>
> Setting the charonstart to "yes" explicitly has no noticeable effect.<br>
</span>Of course, that's deprecated since 5.0.0.<br>
<span>><br>
><br>
> How do I get strongswan to connect automatically without sleeping 60 seconds or doing it manually in a systemd timer?<br>
><br>
><br>
<br>
</span>That is because systemd starts ipsec stroke when charon isn't ready yet, so charon has no idea about the conns when your<br>
systemd unit tells it to initiate the conn. The whole problem appears because ipsec stroke is an asynchronous API.<br>
<br>
Use VICI/swanctl. That's a synchronous API and the configuration format is much better. There's also charon-systemd that has<br>
a nicer behaviour when used with systemd. If you want to use it, you should use a swanctl (for which you need to rewrite your configuration<br>
in swanctl.conf style). That's what I use on all my hosts as well.<br>
<span class="m_3645241316176542277HOEnZb"><font color="#888888"><br>
<br>
--<br>
<br>
Mit freundlichen Grüßen/Kind Regards,<br>
Noel Kuntze<br>
<br>
GPG Key ID: 0x63EC6658<br>
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658<br>
<br>
<br>
</font></span></blockquote></div><br></div>
</div></div></blockquote></div><br></div>