<div dir="ltr">Hi Andreas,<div>Actually both "lo" and lo had the same result: no IP is displayed below "Listening IP addresses".</div><div>However, my IKE and IPsec SAs from the initiator (to this responder machine) were established. I suppose I am unblocked then.</div><div><br></div><div>Thanks.</div><div>Piyush</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, May 2, 2017 at 11:00 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Piyush,<br>
<br>
have you tried<br>
<br>
interfaces_use = lo<br>
<br>
without the double quotes?<br>
<br>
Regards<br>
<br>
Andreas<span class=""><br>
<br>
On 02.05.2017 19:27, Piyush Agarwal wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
Ok, I had missed setting the lo up (when charon ran lo was DOWN, not<br>
UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon<br>
runs. And I do see charon.log mention:<br>
<br>
00[KNL] known interfaces and IP addresses:<br>
00[KNL] lo<br>
00[KNL] 127.0.0.1<br></span>
00[KNL] *1.100.0.5*<span class=""><br>
00[KNL] ::1<br>
<br>
But ipsec statusall still reports no listening IP addresses:<br>
<br>
Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic,<br>
x86_64):<br>
uptime: 4 minutes, since May 02 10:22:32 2017<br>
malloc: sbrk 2568192, mmap 0, used 331120, free 2237072<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,<br>
scheduled: 0<br>
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand<br>
random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem<br>
openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve<br>
socket-default stroke updown eap-identity addrblock<br></span>
*Listening IP addresses:*<span class=""><br>
Connections:<br>
Security Associations (0 up, 0 connecting):<br>
none<br>
<br>
<br>
<br>
On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>> wrote:<br></span><span class="">
<br>
Noel,<br>
Thanks for pointing out my mistake -- my bad, I should have read the<br>
ipsec.conf carefully.<br>
<br>
Having said that, I have now specified "lo" as the<br>
charon.interfaces_use and I see it is NOT finding an IP address that<br>
the lo has for listening on.<br>
<br>
charon {<br></span>
* interfaces_use = "lo"*<span class=""><br>
load_modular = yes<br>
plugins {<br>
include strongswan.d/charon/*.conf<br>
}<br>
}<br>
<br>
The charon.log has no interfaces and IP addresses now:<br>
<br>
00[KNL] known interfaces and IP addresses:<br>
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency:<br>
PUBKEY:DSA<br>
<br>
I was expecting it to listen on 1.100.0.5 given lo has that IP address.<br>
<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state<br></span>
*UNKNOWN* group default qlen 1<span class=""><br>
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br></span>
inet 127.0.0.1/8 scope host lo<br>
valid_lft forever preferred_lft forever<br>
inet *1.100.0.5*/32 scope global lo<span class=""><br>
valid_lft forever preferred_lft forever<br>
inet6 ::1/128 scope host<br>
valid_lft forever preferred_lft forever<br>
<br>
Could one not specify "lo" as the charon.interfaces_use? Could it be<br>
because of the state the interface is in? It is strange that charon<br>
didn't find ANY IP for the loopback (not even 127.0.0.1). Any help<br>
for debugging would be great. Thanks.<br>
<br>
<br>
</span><span class="">
<br>
On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal<br></span><span class="">
<<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>> wrote:<br>
<br>
I don't see any loopback addresses listed in the "known<br>
interfaces":<br>
<br>
00[KNL] known interfaces and IP addresses:<br>
00[KNL] p2p1<br>
00[KNL] 169.x.x.x<br>
00[KNL] fe80:::4ae5<br>
<br>
where p2p1 interface has an internal 169 IP, not the one I<br>
want to listen on. The IP I want to listen on is actually on<br>
the lo interface:<br>
<br>
ip -d addr show lo | grep 104.100.x.x<br>
inet 104.100.x.x/32 scope global lo<br>
<br>
Not that it should matter, but all this is being done inside<br>
an ip/mininet network namespace.<br>
<br>
Thanks.<br>
Piyush<br>
<br>
<br>
On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal<br></span>
<<a href="mailto:agarwalpiyush@gmail.com" target="_blank">agarwalpiyush@gmail.com</a>><span class=""><br>
wrote:<br>
<br>
Hi,<br>
I am using strongswan 5.1.2 on Ubuntu 14.04 and I need<br>
to specify the IP address on which to listen. I found<br>
some ipsec.conf manpages<br>
(<a href="https://linux.die.net/man/5/ipsec.conf" rel="noreferrer" target="_blank">https://linux.die.net/man/5/ipsec.conf</a>) which suggest<br></span><span class="">
a config item "listen", but strongswan 5.1.2 at least<br>
doesn't seem to have this option.<br>
<br>
Is there not a way to specify the listen IP address? In<br>
my case, this IP address is actually on the loopback<br>
interface. As long as I can specify the listen<br>
interface, I should be fine.<br>
<br>
config setup<br></span>
* listen=10.100.0.5*<span class=""><br>
<br>
conn %default<br>
ikelifetime=60m<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev2<br>
authby=rsasig<br>
<br>
conn 10.10.10.8<br>
type=transport<br>
left=10.100.0.5<br>
leftcert=left.cert<br>
leftsendcert=always<br>
rightcert=right.cert<br>
right=10.10.10.8<br>
auto=start<br>
<br></span>
*/etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]*<br>
*unable to start strongSwan -- fatal errors in config*<span class=""><br>
<br>
<br>
--<br>
Piyush Agarwal<br>
Life can only be understood backwards; but it must be<br>
lived forwards.<br>
<br>
<br></span>
______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org" target="_blank">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/m<wbr>ailman/listinfo/users</a><br>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
-- <br>
==============================<wbr>==============================<wbr>==========<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<wbr>org</a><br>
strongSwan - the Open Source VPN Solution! <a href="http://www.strongswan.org" rel="noreferrer" target="_blank">www.strongswan.org</a><br>
Institute for Networked Solutions<br>
University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>
==============================<wbr>=============================[<wbr>INS-HSR]==<br>
<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><span style="font-size:12.8px">Piyush Agarwal</span><br></div><div><span style="color:rgb(17,17,17)"><font face="arial, helvetica, sans-serif" size="2">Life can only be understood backwards; but it must be lived forwards.</font></span><br></div></div></div></div></div></div></div></div></div></div></div></div></div>
</div>
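As an added example (not code from this thread or from strongSwan), the checks below turn the diagnosis above into a repeatable test: they parse the "known interfaces and IP addresses" block of charon.log and the "Listening IP addresses" section of ipsec statusall, and tell apart an address charon never enumerated (lo was DOWN when charon started) from one charon knows but does not report as listening. The function names, the sample log and statusall text, and the assumption that interface names contain no "." or ":" are mine.

```shell
# Added example, not from the thread or the strongSwan project: verify that charon
# enumerated an address on lo AND reports it under "Listening IP addresses".
# Both parsers read stdin, so they work on a saved charon.log / statusall capture.
charon_addrs_for_iface() {   # usage: charon_addrs_for_iface lo < charon.log
    awk -v want="$1" '       # assumes interface names contain no "." or ":"
        /\[KNL\] known interfaces and IP addresses:/ { inblock = 1; next }
        !inblock { next }
        !/\[KNL\] / { exit }              # block ends at the first non-KNL line
        { sub(/.*\[KNL\] +/, "") }        # drop "00[KNL]" and any syslog prefix
        / / { exit }                      # names and addresses contain no spaces
        $0 !~ /[.:]/ { cur = $0; next }   # interface name line: remember it
        cur == want { print }             # address line under the wanted interface
    '
}
statusall_listening() {      # usage: ipsec statusall | statusall_listening
    awk '/^Listening IP addresses:/ { inblock = 1; next }
         /^Connections:/ { exit }
         inblock { sub(/^[ \t]+/, ""); if ($0 != "") print }'
}
# Returns 0 if listening, 1 if charon never saw the address on the interface
# (interface DOWN when charon started?), 2 if known but not listed as listening.
check_listen_addr() {        # usage: check_listen_addr lo 1.100.0.5 "$log" "$statusall"
    iface=$1 addr=$2 log=$3 status=$4
    if ! printf '%s\n' "$log" | charon_addrs_for_iface "$iface" | grep -qxF "$addr"; then
        echo "charon did not enumerate $addr on $iface (was $iface UP before charon started?)" >&2
        return 1
    fi
    if ! printf '%s\n' "$status" | statusall_listening | grep -qxF "$addr"; then
        echo "charon knows $addr but 'Listening IP addresses' does not list it" >&2
        return 2
    fi
    echo "charon is listening on $addr ($iface)"
}
# Constructed samples modelled on the thread's output (not real captures).
SAMPLE_CHARON_LOG="00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     1.100.0.5
00[KNL]     ::1
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA"
SAMPLE_STATUSALL_EMPTY="Listening IP addresses:
Connections:"
SAMPLE_STATUSALL_OK="Listening IP addresses:
  1.100.0.5
Connections:"
# Live use: check_listen_addr lo 1.100.0.5 "$(cat charon.log)" "$(ipsec statusall)"
check_listen_addr lo 1.100.0.5 "$SAMPLE_CHARON_LOG" "$SAMPLE_STATUSALL_EMPTY" || echo "exit status $?"
check_listen_addr lo 1.100.0.5 "$SAMPLE_CHARON_LOG" "$SAMPLE_STATUSALL_OK"
```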