<div dir="ltr">OK, I had missed setting lo up (when charon ran lo was DOWN, not UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon runs. And I do see charon.log mention:<div><br></div><div><div>00[KNL] known interfaces and IP addresses:</div><div>00[KNL] lo</div><div>00[KNL] 127.0.0.1</div><div>00[KNL] <b>1.100.0.5</b></div><div>00[KNL] ::1 </div></div><div><br></div><div>But ipsec statusall still reports no listening IP addresses:</div><div><br></div><div><div>Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):</div><div> uptime: 4 minutes, since May 02 10:22:32 2017</div><div> malloc: sbrk 2568192, mmap 0, used 331120, free 2237072</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</div><div> loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock</div><div><b>Listening IP addresses:</b></div><div>Connections:</div><div>Security Associations (0 up, 0 connecting):</div><div> none</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <span dir="ltr"><<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><span class=""><div><span style="color:rgb(0,0,0);font-size:12.8px">Noel,</span><div style="color:rgb(0,0,0);font-size:12.8px">Thanks for pointing out my mistake -- my bad, I should have read the ipsec.conf carefully. 
</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">Having said that, I have now specified "lo" as the charon.interfaces_use and I see it is NOT finding an IP address that lo has to listen on. </div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px"><div>charon {</div><div><b> interfaces_use = "lo"</b></div><div> load_modular = yes</div><div> plugins {</div><div> include strongswan.d/charon/*.conf</div><div> }</div><div>}</div></div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">The charon.log has no interfaces and IP addresses now:</div><span class="m_-6278055267055435601gmail-im" style="font-size:12.8px"><div><br></div><div>00[KNL] known interfaces and IP addresses:</div></span><div style="color:rgb(0,0,0);font-size:12.8px">00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div><div style="color:rgb(0,0,0);font-size:12.8px">I was expecting it to listen on 1.100.0.5 given lo has that IP address.</div><div style="color:rgb(0,0,0);font-size:12.8px"><br></div></div></span><div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state <b>UNKNOWN</b> group default qlen 1</div><div> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</div><div> inet 127.0.0.1/8 scope host lo</div><div> valid_lft forever preferred_lft forever</div><div> inet <b>1.100.0.5</b>/32 scope global lo</div><div> valid_lft forever preferred_lft forever</div><div> inet6 ::1/128 scope host </div><div> valid_lft forever preferred_lft forever</div></div><span class=""><div><br></div><div><div><div style="color:rgb(0,0,0);font-size:12.8px">Could one not specify "lo" as the charon.interfaces_use? 
Could it be because of the state the interface is in? It is strange that charon didn't find ANY IP for the loopback (not even 127.0.0.1). Any help for debugging would be great. Thanks.</div></div></div><div><br></div></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <span dir="ltr"><<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Noel,<div>Thanks for pointing out my mistake -- my bad, I should have read the ipsec.conf carefully. </div><div><br></div><div>Having said that, I have now specified "lo" as the charon.interfaces_use and I see it is NOT finding an IP address that lo has to listen on. </div><div><br></div><div><div>charon {</div><div><b> interfaces_use = "lo"</b></div><div> load_modular = yes</div><div> plugins {</div><div> include strongswan.d/charon/*.conf</div><div> }</div><div>}</div></div><div><br></div><div>The charon.log has no interfaces and IP addresses now:</div><span><div><br></div><div><div>00[KNL] known interfaces and IP addresses:</div></div></span><div><div>00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA</div></div><div><br></div><div>I was expecting it to listen on 1.100.0.5 given lo has that IP address.</div><div><br></div><div><br></div><div>Could one not specify "lo" as the charon.interfaces_use? Could it be because of the state the interface is in? It is strange that charon didn't find ANY IP for the loopback (not even 127.0.0.1). Any help for debugging would be great. 
Thanks.</div><div><div><br></div><div><br></div><div><br></div></div><div><br></div></div><div class="m_-6278055267055435601HOEnZb"><div class="m_-6278055267055435601h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <span dir="ltr"><<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">I don't see any loopback addresses listed in the "known interfaces":<div><br></div><div><div>8150 00[KNL] known interfaces and IP addresses:</div><div>8151 00[KNL] p2p1</div><div>8152 00[KNL] 169.x.x.x</div><div>8153 00[KNL] fe80:::4ae5</div></div><div><br></div><div>where the p2p1 interface has an internal 169 IP, not the one I want to listen on. The IP I want to listen on is actually on the lo interface:</div><div><br></div><div><div>ip -d addr show lo | grep 104.100.x.x</div><div> inet 104.100.x.x/32 scope global lo</div></div><div><br></div><div>Not that it should matter, but all this is being done inside an ip/mininet network namespace.</div><div><br></div><div>Thanks.</div><span class="m_-6278055267055435601m_7781483707759789938HOEnZb"><font color="#888888"><div>Piyush</div><div><br></div></font></span></div><div class="m_-6278055267055435601m_7781483707759789938HOEnZb"><div class="m_-6278055267055435601m_7781483707759789938h5"><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <span dir="ltr"><<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div>I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the IP address on which to listen. 
I found some ipsec.conf manpages (<a href="https://linux.die.net/man/5/ipsec.conf" target="_blank">https://linux.die.net/man/5/ipsec.conf</a>) which suggest a config item "listen", but strongswan 5.1.2 at least doesn't seem to have this option.</div><div><br></div><div>Is there not a way to specify the listen IP address? In my case, this IP address is actually on the loopback interface. As long as I can specify the listen interface, I should be fine.</div><div><br></div><div><div>config setup</div><div><b> listen=10.100.0.5</b></div><div><br></div><div>conn %default</div><div> ikelifetime=60m</div><div> keylife=20m</div><div> rekeymargin=3m</div><div> keyingtries=1</div><div> keyexchange=ikev2</div><div> authby=rsasig</div><div><br></div><div>conn 10.10.10.8</div><div> type=transport</div><div> left=10.100.0.5</div><div> leftcert=left.cert</div><div> leftsendcert=always</div><div> rightcert=right.cert</div><div> right=10.10.10.8</div><div> auto=start</div><div><div><br></div><div><b>/etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]</b></div><div><b>unable to start strongSwan -- fatal errors in config</b></div></div><span class="m_-6278055267055435601m_7781483707759789938m_7206293050027980181HOEnZb"><font color="#888888"><div><br></div><div><br></div>-- <br><div class="m_-6278055267055435601m_7781483707759789938m_7206293050027980181m_-9102770207496988716gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8px">Piyush Agarwal</span><br></div><div><span style="color:rgb(17,17,17)"><font face="arial, helvetica, sans-serif" size="2">Life can only be understood backwards; but it must be lived forwards.</font></span><br></div><div><span style="color:rgb(17,17,17)"><font face="arial, helvetica, sans-serif" size="2"><br></font></span></div></div></div></div></div></div></div></div></div></div></div></div></div>
</font></span></div></div>
</blockquote></div>
</div>
</div></div></blockquote></div>
</div>
</div></div></blockquote></div>
</div>
</div></div></blockquote></div>
</div>
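<p>The thread above turns on one fact the poster discovered late: charon only enumerated addresses on lo once lo was UP, and an interface that is DOWN contributed nothing even when named in <code>charon.interfaces_use</code>. The script below is an added example, not code from the thread or from the strongSwan project: a preflight check run before starting charon that answers "is the address I expect charon to pick up sitting on an interface that is UP and listed in <code>interfaces_use</code>?" It parses <code>ip -o link show</code> and <code>ip -o addr show</code> text so it can be exercised on constructed samples; the function names (<code>link_is_up</code>, <code>iface_addrs</code>, <code>candidate_addrs</code>, <code>has_addr</code>) and the sample output (modelled on the lo/1.100.0.5 and p2p1/169.x lines quoted in the thread, with a made-up MAC and 169.254 address) are assumptions. It predicts only what should appear under "known interfaces and IP addresses" in charon.log; whether that address then shows up under "Listening IP addresses" in <code>ipsec statusall</code> is the question the last message leaves open, and the script does not answer it.</p>

```shell
#!/bin/sh
# Added example (not from the thread or the strongSwan project): a preflight
# check to run before starting charon. It encodes the rule observed in the
# thread: an interface that is DOWN contributes no addresses, a listed
# interface that is UP contributes all of its addresses.

# link_is_up IFACE LINKTEXT
# LINKTEXT is `ip -o link show` output. Succeeds if IFACE carries the UP flag
# in its <...> flag list. "state UNKNOWN" (normal for lo) does not matter;
# the flag does.
link_is_up() {
    printf '%s\n' "$2" | awk -v i="$1" '
        $2 == (i ":") && $3 ~ /[<,]UP[,>]/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# iface_addrs IFACE ADDRTEXT
# ADDRTEXT is `ip -o addr show` output. Prints every IPv4/IPv6 address on
# IFACE, one per line, without the prefix length.
iface_addrs() {
    printf '%s\n' "$2" | awk -v i="$1" '
        $2 == i && ($3 == "inet" || $3 == "inet6") { sub("/.*", "", $4); print $4 }'
}

# candidate_addrs IFACES LINKTEXT ADDRTEXT
# IFACES is the interfaces_use value (comma- or space-separated). Prints the
# addresses charon can be expected to enumerate and warns on stderr about any
# listed interface that is not UP, since that one contributes nothing.
candidate_addrs() {
    for i in $(printf '%s' "$1" | tr ',' ' '); do
        if link_is_up "$i" "$2"; then
            iface_addrs "$i" "$3"
        else
            echo "warning: $i is not UP; run 'ip link set $i up' before starting charon" >&2
        fi
    done
}

# has_addr ADDR IFACES LINKTEXT ADDRTEXT
# Succeeds if ADDR is among the candidate addresses (exact match, not regex).
has_addr() {
    candidate_addrs "$2" "$3" "$4" | grep -qxF "$1"
}

# Constructed samples (not captured from a real host): lo carrying 1.100.0.5/32
# as in the thread, once with lo UP and once with lo DOWN, plus a p2p1 with a
# made-up link-local address and MAC.
SAMPLE_LINK_UP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_LINK_DOWN='1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN mode DEFAULT group default qlen 1\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
1: lo    inet 1.100.0.5/32 scope global lo\       valid_lft forever preferred_lft forever
1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: p2p1    inet 169.254.10.5/16 brd 169.254.255.255 scope link p2p1\       valid_lft forever preferred_lft forever'

# Demonstration on the constructed samples. Against a live host, run:
#   has_addr 1.100.0.5 lo "$(ip -o link show)" "$(ip -o addr show)"
if has_addr 1.100.0.5 lo "$SAMPLE_LINK_UP" "$SAMPLE_ADDR"; then
    echo "lo UP:   1.100.0.5 would be enumerated"
fi
if ! has_addr 1.100.0.5 lo "$SAMPLE_LINK_DOWN" "$SAMPLE_ADDR" 2>/dev/null; then
    echo "lo DOWN: 1.100.0.5 would not be enumerated"
fi
```

<p>Run it with the live <code>ip -o link show</code> and <code>ip -o addr show</code> output of the host (or, as in the thread, inside the network namespace charon will run in) and gate the charon start on its exit status; the warning it prints for a DOWN interface is exactly the mistake the first message in this thread was chasing.</p>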