<html><head><style>body{font-family:Helvetica,Arial;font-size:13px}</style></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Hi,</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">Also, I’ve noticed a different error message.</div><div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;"><br></div><div id="bloop_customfont" style="font-family: Helvetica, Arial; font-size: 13px; margin: 0px;"><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;">root@test-frr-debian-02:/run# ipsec up dmvpn</div><div id="bloop_customfont" style="margin: 0px;"><font color="#ff2600">unable to resolve %any, initiate aborted</font></div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;">tried to checkin and delete nonexisting IKE_SA</div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;">establishing connection 'dmvpn' failed</div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;"><br></div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;"><br></div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;">This is the output of “ipsec statusall”</div><div id="bloop_customfont" style="color: rgb(0, 0, 0); margin: 0px;"><div id="bloop_customfont" style="margin: 0px;">root@test-frr-debian-02:/run# ipsec statusall</div><div id="bloop_customfont" style="margin: 0px;">Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):</div><div id="bloop_customfont" style="margin: 0px;"> uptime: 83 
minutes, since Nov 08 03:33:12 2017</div><div id="bloop_customfont" style="margin: 0px;"> malloc: sbrk 2297856, mmap 0, used 304288, free 1993568</div><div id="bloop_customfont" style="margin: 0px;"> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0</div><div id="bloop_customfont" style="margin: 0px;"> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic</div><div id="bloop_customfont" style="margin: 0px;">Listening IP addresses:</div><div id="bloop_customfont" style="margin: 0px;"> 192.168.23.208</div><div id="bloop_customfont" style="margin: 0px;"> 192.168.200.2</div><div id="bloop_customfont" style="margin: 0px;"> 192.168.222.1</div><div id="bloop_customfont" style="margin: 0px;"> 192.168.12.2</div><div id="bloop_customfont" style="margin: 0px;">Connections:</div><div id="bloop_customfont" style="margin: 0px;"> dmvpn: %any...%any IKEv2, dpddelay=15s</div><div id="bloop_customfont" style="margin: 0px;"> dmvpn: local: [test-frr-debian-02] uses pre-shared key authentication</div><div id="bloop_customfont" style="margin: 0px;"> dmvpn: remote: uses pre-shared key authentication</div><div id="bloop_customfont" style="margin: 0px;"> dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear</div><div id="bloop_customfont" style="margin: 0px;">Security Associations (0 up, 0 connecting):</div><div id="bloop_customfont" style="margin: 0px;"> none</div><div id="bloop_customfont" style="margin: 0px;"><br></div><div id="bloop_customfont" style="margin: 0px;"><br></div><div id="bloop_customfont" style="margin: 0px;">Here’s my config of ipsec.secrets</div><div id="bloop_customfont" style="margin: 0px;"><div id="bloop_customfont" style="margin: 0px;"># ipsec.secrets - strongSwan IPsec secrets file</div><div id="bloop_customfont" 
style="margin: 0px;">192.168.200.1 : PSK "XXXXXXXXXXXXXXXX"</div></div><div id="bloop_customfont" style="margin: 0px;"><br></div><div id="bloop_customfont" style="margin: 0px;">Here’s my config of swanctl.conf</div><div id="bloop_customfont" style="margin: 0px;"><br></div><div id="bloop_customfont" style="margin: 0px;"><div id="bloop_customfont" style="margin: 0px;">connections {</div><div id="bloop_customfont" style="margin: 0px;"> dmvpn {</div><div id="bloop_customfont" style="margin: 0px;"> version = 2</div><div id="bloop_customfont" style="margin: 0px;"> pull = no</div><div id="bloop_customfont" style="margin: 0px;"> mobike = no</div><div id="bloop_customfont" style="margin: 0px;"> dpd_delay = 15</div><div id="bloop_customfont" style="margin: 0px;"> dpd_timeout = 30</div><div id="bloop_customfont" style="margin: 0px;"> fragmentation = yes</div><div id="bloop_customfont" style="margin: 0px;"> unique = replace</div><div id="bloop_customfont" style="margin: 0px;"> rekey_time = 4h</div><div id="bloop_customfont" style="margin: 0px;"> reauth_time = 13h</div><div id="bloop_customfont" style="margin: 0px;"> proposals = aes256-sha512-ecp384</div><div id="bloop_customfont" style="margin: 0px;"> local {</div><div id="bloop_customfont" style="margin: 0px;"> auth = psk</div><div id="bloop_customfont" style="margin: 0px;"> id = test-frr-debian-02</div><div id="bloop_customfont" style="margin: 0px;"> }</div><div id="bloop_customfont" style="margin: 0px;"> remote {</div><div id="bloop_customfont" style="margin: 0px;"> auth = psk</div><div id="bloop_customfont" style="margin: 0px;"> }</div><div id="bloop_customfont" style="margin: 0px;"> children {</div><div id="bloop_customfont" style="margin: 0px;"> dmvpn {</div><div id="bloop_customfont" style="margin: 0px;"> esp_proposals = aes256-sha512-ecp384</div><div id="bloop_customfont" style="margin: 0px;"> local_ts = dynamic[gre]</div><div id="bloop_customfont" style="margin: 0px;"> remote_ts = dynamic[gre]</div><div 
id="bloop_customfont" style="margin: 0px;"> inactivity = 90m</div><div id="bloop_customfont" style="margin: 0px;"> rekey_time = 100m</div><div id="bloop_customfont" style="margin: 0px;"> mode = transport</div><div id="bloop_customfont" style="margin: 0px;"> dpd_action = clear</div><div id="bloop_customfont" style="margin: 0px;"> reqid = 1</div><div id="bloop_customfont" style="margin: 0px;"> }</div><div id="bloop_customfont" style="margin: 0px;"> }</div><div id="bloop_customfont" style="margin: 0px;"> }</div><div id="bloop_customfont" style="margin: 0px;">}</div></div></div></div> <div><br></div><div><br></div>Regards,<div><br></div><div>Terry<br> <div id="bloop_sign_1510134932956698880" class="bloop_sign"><div style="font-family:helvetica,arial;font-size:13px"><br></div></div> <br><p class="airmail_on">On 8 November 2017 at 15:53:55, Terry Fu (<a href="mailto:terryfcc@icloud.com">terryfcc@icloud.com</a>) wrote:</p> <blockquote type="cite" class="clean_bq"><span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div></div><div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
Hi Jafar,</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
You are right! </div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
After I allowed user “frr” to access “charon.vici”, the error
message is gone.</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
Now I’m getting this error message.</div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
<br></div>
<div id="bloop_customfont" style="font-family:Helvetica,Arial;font-size:13px; color: rgba(0,0,0,1.0); margin: 0px; line-height: auto;">
2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support
mandatory events (unpatched?)</div>
<div><br></div>
<div><br></div>
<div>I installed tteras’ patched version of strongswan.</div>
<div>However I’m not sure how to tell if it’s properly
installed.</div>
<div><br></div>
<div>I got it from git: git clone <a href="git://git.alpinelinux.org/user/tteras/strongswan">git://git.alpinelinux.org/user/tteras/strongswan</a></div>
<div>Then I used the “autogen.sh” script, then “configure”, then
“make; make install”.</div>
<div><br></div>
<div>Not sure if I have done anything wrong, or missed
anything.</div>
<div><br></div>
<div>Is there a way to validate that Strongswan is properly patched
and installed?</div>
<div><br></div>
<div>Regards,</div>
<div><br></div>
<div>Terry</div>
<br>
<div id="bloop_sign_1510127286474391040" class="bloop_sign">
<div style="font-family:helvetica,arial;font-size:13px">
<br></div>
</div>
<br>
<p class="airmail_on">On 8 November 2017 at 00:34:52, Jafar
Al-Gharaibeh (<a href="mailto:jafar@atcorp.com">jafar@atcorp.com</a>) wrote:</p>
<blockquote type="cite" class="clean_bq">
<div text="#000000" bgcolor="#FFFFFF">
<div><span>Terry,<br>
<br>
From the limited information you are giving, my
guess is that nhrpd doesn't have permissions to access the VICI
socket. nhrpd is probably configured as part of
FRR/Quagga with permissions to access /var/run/frr or
/var/run/quagga only. Whereas the vici socket, according to<br>
<br>
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/VICI">https://wiki.strongswan.org/projects/strongswan/wiki/VICI</a><br>
<br>
is: <span>
unix:///var/run/charon.vici</span><br>
<br>
Give nhrpd permission to access this file and you should be
good to go.<br>
<br>
--Jafar<br>
<br>
<br></span>
<div class="moz-cite-prefix">On 11/7/2017 10:06 AM, Chengcheng Fu
wrote:<br></div>
<blockquote type="cite" cite="mid:5047C700-A9CF-44A9-9ACD-4733344FDD15@icloud.com">
<div><br></div>
<blockquote type="cite">
<div>Hi,
<div><br></div>
<div>I’m trying to set up nhrpd with strongswan, and I’m getting
this error message.</div>
<div><br></div>
<div>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;">Failure connecting VICI socket:
permission denied</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;"><br></span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;">I wonder if there is a way to test
the VICI socket and see if it’s running properly?</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;"><br></span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;">Regards,</span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;"><br></span></p>
<p style="margin: 0px; font-stretch: normal; font-size: 12px; line-height: normal; font-family: Helvetica;">
<span style="font-size: 12pt;">Terry</span></p>
</div>
</div>
</blockquote>
</blockquote>
<br></div>
</div>
</blockquote>
</div></div></span></blockquote></div></body></html>
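Two questions run through this thread: can the account nhrpd runs under actually open the VICI socket (Terry's "permission denied"), and does the installed charon support the events nhrpd registers for (the "mandatory events (unpatched?)" message). Both can be checked from the nhrpd side without touching FRR. The probe below is an added example written for this page; it is not code from the thread, from FRR or from strongSwan. It assumes the VICI wire format documented on the wiki page Jafar links (4-byte big-endian packet length, a type byte, 1-byte-length-prefixed names, 2-byte-length-prefixed values) and the socket path quoted there; the event names nhrpd needs are not stated in the thread, so they are passed on the command line. The file name vici_probe.py is hypothetical.

```python
#!/usr/bin/env python3
"""Minimal strongSwan VICI probe (added example; not code from the thread, FRR or strongSwan).

Speaks just enough of the VICI wire protocol to:
  1. open the socket with the caller's privileges, which reproduces the
     "permission denied" symptom when the account lacks access;
  2. ask charon for its version;
  3. try to register each event name given on the command line and report
     whether the daemon confirms it or answers EVENT_UNKNOWN.
Which events nhrpd requires is not stated in the thread (assumption: the user supplies them).
"""
import os
import socket
import stat
import struct
import sys

# VICI packet types.
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2
EVENT_REGISTER, EVENT_UNREGISTER, EVENT_CONFIRM, EVENT_UNKNOWN, EVENT = 3, 4, 5, 6, 7
# VICI message element types.
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6

DEFAULT_SOCKET = "/var/run/charon.vici"   # path quoted in the thread


def build_packet(ptype, name=None):
    """Frame one packet: 4-byte big-endian length, type byte, optional 1-byte-length-prefixed name."""
    body = bytes([ptype])
    if name is not None:
        raw = name.encode()
        body += bytes([len(raw)]) + raw
    return struct.pack("!I", len(body)) + body


def parse_packet(body):
    """Split a received packet body (length header already stripped) into (type, payload)."""
    return body[0], body[1:]


def decode_message(data):
    """Decode a VICI message into nested dicts (sections) and lists; values are str."""
    root, stack, pos = {}, [], 0
    cur = root
    while pos < len(data):
        kind = data[pos]
        pos += 1
        if kind in (SECTION_START, LIST_START, KEY_VALUE):   # these carry a name
            n = data[pos]
            name = data[pos + 1:pos + 1 + n].decode()
            pos += 1 + n
        if kind in (SECTION_START, LIST_START):
            cur[name] = {} if kind == SECTION_START else []
            stack.append(cur)
            cur = cur[name]
        elif kind in (KEY_VALUE, LIST_ITEM):
            (vlen,) = struct.unpack_from("!H", data, pos)
            pos += 2
            value = data[pos:pos + vlen].decode(errors="replace")
            pos += vlen
            if kind == KEY_VALUE:
                cur[name] = value
            else:
                cur.append(value)
        elif kind in (SECTION_END, LIST_END):
            cur = stack.pop()
        else:
            raise ValueError("unknown element type %d at offset %d" % (kind, pos - 1))
    if stack:
        raise ValueError("unterminated section or list")
    return root


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("VICI socket closed mid-packet")
        buf += chunk
    return buf


def await_reply(sock):
    """Return the next (type, payload); unsolicited EVENT packets are skipped."""
    while True:
        (length,) = struct.unpack("!I", recv_exact(sock, 4))
        ptype, payload = parse_packet(recv_exact(sock, length))
        if ptype != EVENT:
            return ptype, payload


def describe_socket(path):
    """Owner, group and mode of the socket file: compare with the account nhrpd runs as."""
    st = os.lstat(path)
    return {"is_socket": stat.S_ISSOCK(st.st_mode), "uid": st.st_uid,
            "gid": st.st_gid, "mode": oct(stat.S_IMODE(st.st_mode))}


def probe(path=DEFAULT_SOCKET, events=()):
    """Connect, fetch charon's version, then test each event name.
    Returns {"version": {...}, "events": {name: True if confirmed}}."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.connect(path)               # PermissionError here is the thread's first symptom
    try:
        sock.sendall(build_packet(CMD_REQUEST, "version"))
        ptype, payload = await_reply(sock)
        if ptype != CMD_RESPONSE:
            raise RuntimeError("unexpected reply type %d to 'version'" % ptype)
        result = {"version": decode_message(payload), "events": {}}
        for name in events:
            sock.sendall(build_packet(EVENT_REGISTER, name))
            ptype, _ = await_reply(sock)
            result["events"][name] = (ptype == EVENT_CONFIRM)
            if ptype == EVENT_CONFIRM:   # unregister so charon stops streaming the event to us
                sock.sendall(build_packet(EVENT_UNREGISTER, name))
                await_reply(sock)
        return result
    finally:
        sock.close()


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_SOCKET
    print("socket:", describe_socket(path))
    try:
        out = probe(path, sys.argv[2:])
    except PermissionError:
        print("permission denied for uid %d on %s: check the socket owner/group/mode above "
              "against the account nhrpd runs as" % (os.geteuid(), path))
        sys.exit(1)
    v = out["version"]
    print("charon %s on %s %s" % (v.get("version"), v.get("sysname"), v.get("release")))
    for name, ok in out["events"].items():
        print("event %-16s %s" % (name, "confirmed" if ok else "unknown to daemon"))
```

Run it as the account nhrpd runs under rather than as root (the thread mentions user frr), e.g. sudo -u frr python3 vici_probe.py /var/run/charon.vici followed by the event names to check; root can open the socket regardless of its mode, so a root run says nothing about the permission problem Jafar diagnosed. A standard charon event name such as ike-updown is a reasonable smoke test that the registration path works at all. strongSwan also ships a Python package named vici that implements this protocol completely; the hand-rolled framing here only keeps the example dependency-free.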