[strongSwan] Scripting VPN up/down on Mac OS X?

Martin Willi martin at strongswan.org
Tue Nov 4 16:59:41 CET 2014


Hi Dan,

> I’m using the Mac OS X widget to connect to a VPN, version 5.2.1 (1).

> Sometimes, the VPN goes down.  The tail of the log from such an event
> is included at the bottom of this e-mail.

> generating CREATE_CHILD_SA request 451 [ SA No KE ]
> sending packet: from 192.168.0.8[56570] to x.x.x.x[4500] (1116 bytes)
> retransmit 1 of request with message ID 451
> [...]
> giving up after 5 retransmits
> rekeying IKE_SA failed, peer not responding

Looks like your gateway becomes unreachable or does not respond to the
IKE_SA rekeying attempt. Most likely a connectivity problem on that
client?

> Assuming that sometimes the VPN will go down for whatever reason, is
> there a way to get at the strongSwan components from bash?

The OS X GUI talks to the backend daemon over an XPC protocol, but an
external application cannot access that private channel. There is
currently no interface that could be used.

Probably it would make sense to handle these things in the daemon
itself, by a DPD restart action and optionally a more aggressive DPD
checking. Alternatively we could intercept that event in the GUI, and
let the user decide what to do.

Having a "scripting-interface" is certainly not that trivial. One could
build upon vici [1] (and the new Ruby bindings?) for that, but you can't
control the GUI or the configurations provided by it using that
interface. Also note that the daemon provided by the OS X App does not
have vici enabled.

Regards
Martin

[1]https://github.com/strongswan/strongswan/blob/master/src/libcharon/plugins/vici/README.md
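Added example (not part of the mail above, and not the OS X App's own
configuration): what the "DPD restart action and more aggressive DPD
checking" suggested above looks like in swanctl.conf on a client whose
charon you configure yourself, e.g. a Linux or source-built install. The
weak defaults are shown commented out next to the corrected values. The
gateway name vpn.example.com, the connection name "office", the EAP
identity "dan" and the password are placeholders. The OS X App's GUI owns
its daemon's configuration, so none of this applies there.

```conf
# Added example: /etc/swanctl/swanctl.conf for a road-warrior client.
# Hostnames, identities, secrets and the connection name are placeholders.
connections {
    office {
        version = 2
        remote_addrs = vpn.example.com       # placeholder gateway
        vips = 0.0.0.0                       # request a virtual IPv4 address

        # Weak (default): dpd_delay = 0s disables active liveness checks, so a
        # dead or unreachable gateway is only noticed when the next rekeying
        # runs out of retransmits, exactly as in the log quoted above.
        # dpd_delay = 0s

        # Corrected: send a DPD (empty INFORMATIONAL) every 30 s when no other
        # IKE or ESP traffic has been seen, so a dead peer is detected within
        # the retransmit budget (5 tries, about 165 s by default) at any time,
        # not only at rekeying.
        dpd_delay = 30s

        # Retry the initial connect indefinitely instead of giving up after
        # the first failed attempt (swanctl default is 1; 0 means forever).
        keyingtries = 0

        local {
            auth = eap-mschapv2
            eap_id = dan                     # placeholder username
        }
        remote {
            auth = pubkey
            id = vpn.example.com
        }
        children {
            office {
                remote_ts = 0.0.0.0/0

                # Weak (default): on DPD timeout the CHILD_SA is cleared and
                # stays down until the user reconnects by hand.
                # dpd_action = clear

                # Corrected: when the peer stops answering (a failed DPD probe
                # or a request such as the CREATE_CHILD_SA above that exhausts
                # its retransmits), tear down and re-initiate under a fresh
                # IKE_SA from within the daemon, no external script needed.
                dpd_action = restart

                # Also re-initiate if the gateway itself closes the CHILD_SA.
                close_action = start
            }
        }
    }
}

secrets {
    eap-dan {
        id = dan
        secret = "placeholder-password"      # placeholder, use a real secret store
    }
}
```

Load it with `swanctl --load-all` and check the result with `swanctl
--list-sas`; `swanctl` itself is a vici client, so it only works against a
charon with the vici plugin loaded, which, as noted above, the daemon
bundled with the OS X App is not. If the "giving up after 5 retransmits"
window is too long for your use, the retransmission schedule is tuned
separately via charon.retransmit_tries, charon.retransmit_timeout and
charon.retransmit_base in strongswan.conf, not in swanctl.conf.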
