[strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0

Vilhelm Jutvik ville at sics.se
Tue Mar 20 20:14:51 CET 2012

Dear Tobias,

thank you very much. I thought that charon was signalled by the IPsec
stack's SPD when a new SA was to be negotiated, not that it itself set
the policy.

Your solution didn't work right away though. I found that "ipsec
start" only started the starter process and nothing more. It was not
until I removed the charondebug option of the config section (as seen
below) that it started. It works though if you limit the debugging
level and / or the number of debugging options. I've reproduced this
several times just to be sure. Why is this?

The problem line was (in full):
charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
It works if you change it so (e.g.) charondebug="ike 3"

My strongswan version is 4.5.2 as included in Ubuntu 11.10

Vilhelm Jutvik
MS Thesis Student at SICS

2012/3/13 Tobias Brunner <tobias at strongswan.org>:
> Hi Vilhelm,
>> config setup
>>   crlcheckinterval=180
>>   strictcrlpolicy=no
>>   plutostart=no
>>   charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>> conn %default
>>   auth=esp
>>   authby=psk
>>   esp=aes128ctr-aesxcbc!
>>   ikelifetime=60m
>>   keylife=20m
>>   keyingtries=1
>>   rekeymargin=3m
>>   keyexchange=ikev2
>>   ike=aes128ctr-aesxcbc-ecp192!
>>   type=transport
> Your config file looks incomplete.  You have to specify at least one
> conn section (other than %default) with the auto keyword (auto can be
> specified in %default, though).  Where auto=route might be what you
> want, as charon will then install policies in the kernel's SPD and an SA
> will automatically be negotiated upon matching traffic.  You also need
> to specify right and optionally left (the endpoints of the IKE_SA) in
> that conn section.  If you only want specific traffic to be tunneled use
> the left|rightsubnet and left|rightprotoport keywords (see the example
> at [1]).
> Also if you want to configure the policies in the kernel yourself make
> sure you use a reqid > 0 and then specify reqid=<reqid> and
> installpolicy=no in the respective conn section.
> Regards,
> Tobias
> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/

More information about the Users mailing list