[strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0

Tobias Brunner tobias at strongswan.org
Tue Mar 13 15:14:09 CET 2012

Hi Vilhelm,

> config setup
>   crlcheckinterval=180
>   strictcrlpolicy=no
>   plutostart=no
>   charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
> conn %default
>   auth=esp
>   authby=psk
>   esp=aes128ctr-aesxcbc!
>   ikelifetime=60m
>   keylife=20m
>   keyingtries=1
>   rekeymargin=3m
>   keyexchange=ikev2
>   ike=aes128ctr-aesxcbc-ecp192!
>   type=transport

Your config file looks incomplete.  You have to specify at least one
conn section (other than %default) with the auto keyword (auto can be
specified in %default, though).  Where auto=route might be what you
want, as charon will then install policies in the kernel's SPD and an SA
will automatically be negotiated upon matching traffic.  You also need
to specify right and optionally left (the endpoints of the IKE_SA) in
that conn section.  If you only want specific traffic to be tunneled use
the left|rightsubnet and left|rightprotoport keywords (see the example
at [1]).

Also if you want to configure the policies in the kernel yourself make
sure you use a reqid > 0 and then specify reqid=<reqid> and
installpolicy=no in the respective conn section.


[1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/

More information about the Users mailing list