[strongSwan] charon: [15]CFG trap not found, unable to acquire reqid 0

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Wed Mar 21 04:08:04 CET 2012

Hi Tobias,

On Wednesday 21 March 2012 12:44 AM, Vilhelm Jutvik wrote:
> Dear Tobias,
> thank you very much. I thought that charon was signalled by the IPsec
> stack's SPD when a new SA was to be negotiated, not that it itself set
> the policy.
> Your solution didn't work right away though. I found that "ipsec
> start" only started the starter process and nothing more. It was not
> until I removed the charondebug option of the config section (as seen
> below) that it started. It works though if you limit the debugging
> level and / or the number of debugging options. I've reproduced this
> several times just to be sure. Why is this?
I have observed the same problem recently and posted a patch in
issue tracker. Can you please have a check.


Gowri Shankar

> The problem line was (in full):
> charondebug="asn 3,knl 3,mgr 3,ike 3,chd 3,net 3,enc 3"
> It works if you change it so (e.g.) charondebug="ike 3"
> My strongswan version is 4.5.2 as included in Ubuntu 11.10
> Sincerely,
> Vilhelm Jutvik
> MS Thesis Student at SICS
> 2012/3/13 Tobias Brunner<tobias at strongswan.org>:
>> Hi Vilhelm,
>>> config setup
>>>    crlcheckinterval=180
>>>    strictcrlpolicy=no
>>>    plutostart=no
>>>    charondebug="asn 4, knl 4,mgr 4,ike 4,chd 4,net 4,enc 4"
>>> conn %default
>>>    auth=esp
>>>    authby=psk
>>>    esp=aes128ctr-aesxcbc!
>>>    ikelifetime=60m
>>>    keylife=20m
>>>    keyingtries=1
>>>    rekeymargin=3m
>>>    keyexchange=ikev2
>>>    ike=aes128ctr-aesxcbc-ecp192!
>>>    type=transport
>> Your config file looks incomplete.  You have to specify at least one
>> conn section (other than %default) with the auto keyword (auto can be
>> specified in %default, though).  Where auto=route might be what you
>> want, as charon will then install policies in the kernel's SPD and an SA
>> will automatically be negotiated upon matching traffic.  You also need
>> to specify right and optionally left (the endpoints of the IKE_SA) in
>> that conn section.  If you only want specific traffic to be tunneled use
>> the left|rightsubnet and left|rightprotoport keywords (see the example
>> at [1]).
>> Also if you want to configure the policies in the kernel yourself make
>> sure you use a reqid>  0 and then specify reqid=<reqid>  and
>> installpolicy=no in the respective conn section.
>> Regards,
>> Tobias
>> [1] http://www.strongswan.org/uml/testresults/ikev2/protoport-route/
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users

More information about the Users mailing list