[strongSwan] strongSwan, swanctl and systemd

Noel Kuntze noel at familie-kuntze.de
Sat Jul 12 21:06:42 CEST 2014


Hello list,

I'm currently trying to get away from ipsec starter, because I'm using systemd, and thus far I haven't been quite successful in doing this.

The issue I stumbled upon was that strongSwan doesn't quite give systemd any indication of when it's ready for swanctl/vici if charon is invoked directly by running "/usr/lib/strongswan/charon".
This is what swanctl says, when I run charon directly:

Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: Error: connecting to 'default' URI failed: No such file or directory
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: strongSwan 5.2.0 swanctl
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: usage:
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: swanctl --load-creds [--raw|--pretty]
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --help            (-h)  show usage information
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --clear           (-c)  clear previously loaded credentials
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --noprompt        (-n)  do not prompt for passwords
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --raw             (-r)  dump raw response message
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --pretty          (-P)  dump raw response message in pretty print
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --debug           (-v)  set debug level, default: 1
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --options         (-+)  read command line options from file
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: --uri             (-u)  service URI to connect to
Jul 12 20:45:43 thermi-pc.thermi colord[1011]: Using mapping database file /var/lib/colord/mapping.db
Jul 12 20:45:43 thermi-pc.thermi systemd[1]: strongswan-prepare.service: main process exited, code=exited, status=2/INVALIDARGUMENT

Before that, strongSwan is started:

Jul 12 20:45:40 thermi-pc.thermi systemd[1]: Starting strongSwan IPsec daemon...
Jul 12 20:45:40 thermi-pc.thermi systemd[1]: Started strongSwan IPsec daemon.

Three seconds don't seem to be enough for strongSwan to get ready, so without adding any manual delays (ExecStart=/usr/bin/sleep 5s),
I can't get it to work.

The only solution I found for this is running "/usr/bin/ipsec start" followed by another service, which loads creds, pools and conns with swanctl.
The solution for this is to insert an "sd_notify()" after strongSwan forked all the worker threads.
By doing that, people can use Type=notify, which makes strongSwan wait for an sd_notify() from the daemon before starting services that depend on it.
I already tried to use "Type=forking" with "ExecStart=/usr/lib/strongswan/charon", but that didn't work either.

My current "systemd.service" files look like this (those work and you're allowed to use them):

#strongswan.service
#Type=forking: the unit counts as started once "ipsec start" has forked
#charon and exited; the PID file identifies charon as the main process.
[Unit]
Description=strongSwan IPsec daemon
After=syslog.target

[Service]
Type=forking
ExecStart=/usr/bin/ipsec start
PIDFile=/var/run/charon.pid
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

#strongswan-prepare.service
#oneshot + RemainAfterExit: the unit stays "active" after the swanctl
#commands have run, so other units can order themselves After= it.
#The ExecStart lines run in sequence; a failing one fails the unit.
[Unit]
Description=Load configuration with swanctl
After=strongswan.service
Requires=strongswan.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/swanctl --load-creds
ExecStart=/usr/bin/swanctl --load-pools
ExecStart=/usr/bin/swanctl --load-conns
ExecReload=/usr/bin/swanctl --load-creds
ExecReload=/usr/bin/swanctl --load-pools
ExecReload=/usr/bin/swanctl --load-conns

[Install]
WantedBy=multi-user.target

#strongswan-server.service
#This initiates an IPsec connection to another host, when strongSwan is ready.
#ExecStop terminates the CHILD_SA again when the unit is stopped.
[Unit]
Description=Initiate connection to the server
Requires=strongswan-prepare.service network-online.target
After=strongswan-prepare.service network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/swanctl --initiate --child alpha
ExecStop=/usr/bin/swanctl --terminate --child alpha
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

Regards,
Noel Kuntze

-- 
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
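The readiness notification the post asks for (an sd_notify() call after charon has started its worker threads, so the unit can use Type=notify) is a small protocol that does not need libsystemd. The following is an added example, not code from strongSwan or from the post: it implements the notification exactly as documented in sd_notify(3), namely a datagram of "KEY=VALUE" lines sent to the AF_UNIX socket whose path systemd passes in $NOTIFY_SOCKET (a leading '@' selects the Linux abstract namespace). The function names notify_systemd() and notify_ready() are this example's own, not a strongSwan API.

```c
/* Minimal sd_notify(3)-style readiness notification without libsystemd.
 * Added example; not part of strongSwan. Function names are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send `state` (e.g. "READY=1\n") to the notify socket at `notify_socket`.
 * Returns 1 if the datagram was sent, 0 if no socket is configured (the
 * process is not running under a Type=notify unit, so there is nothing to
 * do), or -errno on failure. A leading '@' means an abstract-namespace
 * socket: the '@' is replaced by a NUL byte, as the protocol specifies. */
int notify_systemd(const char *notify_socket, const char *state)
{
    struct sockaddr_un addr;
    size_t len;
    socklen_t addrlen;
    int fd, saved;
    ssize_t n;

    if (notify_socket == NULL || notify_socket[0] == '\0')
        return 0;
    if (notify_socket[0] != '/' && notify_socket[0] != '@')
        return -EINVAL;

    len = strlen(notify_socket);
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (len >= sizeof addr.sun_path)
        return -ENAMETOOLONG;
    memcpy(addr.sun_path, notify_socket, len);
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';
    addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);

    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    n = sendto(fd, state, strlen(state), 0,
               (struct sockaddr *)&addr, addrlen);
    saved = errno;
    close(fd);
    if (n < 0)
        return -saved;
    return 1;
}

/* What a daemon would call once it is actually able to serve requests,
 * i.e. for charon: after the VICI socket is open and the worker threads
 * are running. systemd sets NOTIFY_SOCKET only for Type=notify units. */
int notify_ready(void)
{
    return notify_systemd(getenv("NOTIFY_SOCKET"), "READY=1\n");
}

int main(void)
{
    int rc = notify_ready();
    if (rc == 0)
        printf("not started by a Type=notify unit, nothing sent\n");
    else if (rc > 0)
        printf("READY=1 sent\n");
    else
        printf("notify failed: %s\n", strerror(-rc));
    return rc < 0;
}
```

Two things to keep in mind when wiring this into a unit: with the default NotifyAccess=main, systemd only accepts the message from the unit's main PID, so the call has to happen in the process systemd tracks rather than in a child that was forked off; and the message must be sent only after the VICI socket exists, otherwise a dependent swanctl --load-* unit will still race it just as in the log above.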