[strongSwan] NixOS test
Bas van Dijk
v.dijk.bas at gmail.com
Thu Aug 31 09:14:33 CEST 2017
I also included the log of a successful test run:
https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925#file-strongswan-swanctl-test-success-log
On 31 August 2017 at 09:09, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
> I noticed that my test succeeds most of the time but I just observed a
> test run where carol keeps trying to ping alice but fails each time.
> The following line from the test log[1] seems suspect:
>
> carol# [ 4.538963] charon-systemd[716]: received NO_PROPOSAL_CHOSEN notify error
>
> I haven't looked into this error yet but I suspect it's a concurrency
> issue. Note that all machines start up at the same time[2]. I think if
> I first start moon, wait for the strongswan-swanctl.service to start
> and then start carol it always succeeds. But I'd rather not introduce
> that sequentialism and I suspect that strongSwan should be able to
> handle not fully booted gateways and that I just forgot to configure
> some option somewhere.
>
> Any ideas why the test sometimes fails?
>
> [1] https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925
> [2] https://github.com/LumiGuide/nixpkgs/blob/b1bab8cff348ac743ecc6734f1852a16db41a9a2/nixos/tests/strongswan-swanctl.nix#L151
>
> On 30 August 2017 at 11:52, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>> The test now succeeds[1].
>>
>> Thanks for your help.
>>
>> Bas
>>
>> [1] https://groups.google.com/d/msg/nix-devel/X-0T97MLR7I/cGUCWjXQAAAJ
>>
>> On 30 August 2017 at 02:57, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>>> On 30 August 2017 at 02:29, Noel Kuntze
>>> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>>> Two things:
>>>> - Please don't pipe stuff from the web into bash, it just asks for trouble and especially don't advertise or advise people to do it.
>>>
>>> Hi Noel, good point. This should probably be removed from nixos.org/nix.
>>>
>>>> - Try enforcing UDP encapsulation. If the FW rules actually change something, then currently only IKE is allowed, but there's no NAT, so ESP is used as transport protocol.
>>>
>>> Something similar was suggested[1] on the nix-devel mailing list. I
>>> will see how to get that to work.
>>>
>>> Bas
>>>
>>> [1] https://groups.google.com/forum/#!msg/nix-devel/X-0T97MLR7I/jbPQucPOAAAJ
>>>
>>>> Kind regards
>>>>
>>>> Noel
>>>>
>>>> On 30.08.2017 02:18, Bas van Dijk wrote:
>>>>> I've created a PR for the NixOS Linux distribution that adds a module
>>>>> for strongswan-swanctl:
>>>>>
>>>>> https://github.com/NixOS/nixpkgs/pull/27958
>>>>>
>>>>> Although the new module works on our company VPN I would also like to
>>>>> add a NixOS test to ensure it keeps working. I've mimicked one of the
>>>>> swanctl tests from the strongswan project:
>>>>>
>>>>> https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-test/nixos/tests/strongswan-swanctl.nix
>>>>>
>>>>> Although SAs get established successfully between gateway moon and
>>>>> roadwarrior carol I can't seem to ping alice from carol. Since I'm no
>>>>> networking expert I'm probably missing something obvious. It would be
>>>>> great if somebody could give me a tip or point me in the right
>>>>> direction.
>>>>>
>>>>> To run the test for yourself you don't need to install NixOS, you only
>>>>> need the Nix package manager (which is easy to uninstall later on;
>>>>> just rm -r /nix):
>>>>>
>>>>> $ curl https://nixos.org/nix/install | sh
>>>>>
>>>>> Then clone my nixpkgs fork and checkout the right branch:
>>>>>
>>>>> $ git clone https://github.com/LumiGuide/nixpkgs.git
>>>>> $ cd nixpkgs
>>>>> $ git checkout strongswan-swanctl-test
>>>>>
>>>>> Look in nixos/tests/strongswan-swanctl.nix to see how to run the test
>>>>> but the following should get you started:
>>>>>
>>>>> $ nix-build nixos/tests/strongswan-swanctl.nix
>>>>>
>>>>> Note that I also asked this question on the nix-devel mailing list:
>>>>>
>>>>> https://groups.google.com/forum/#!topic/nix-devel/X-0T97MLR7I
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Bas
>>>>
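As an added illustration (not the test from the PR or anything from the strongSwan project), this is what the sequenced variant Bas describes above looks like as a NixOS `testScript` for the 2017 Perl test driver: moon is brought up and its swanctl unit awaited before carol is started, and the ping is retried instead of being tried once. Machine names, the unit name and the NO_PROPOSAL_CHOSEN message come from the thread; the `swanctl --list-sas` grep is an assumption about what an established SA looks like in that output.

```nix
{
  # Only the testScript is shown; the nodes (moon, alice, carol) are the
  # ones defined in nixos/tests/strongswan-swanctl.nix and are assumed here.
  testScript = ''
    # Start the gateway first and wait until charon has loaded its
    # config, so carol's first IKE_SA_INIT never hits a half-booted moon.
    $moon->start;
    $moon->waitForUnit("strongswan-swanctl.service");
    $moon->waitForUnit("network-online.target");

    # The host behind the gateway that carol will ping through the tunnel.
    $alice->start;
    $alice->waitForUnit("network-online.target");

    # Only now start the roadwarrior, so its initiation is answered by a
    # gateway that already has the connection and proposals loaded.
    $carol->start;
    $carol->waitForUnit("strongswan-swanctl.service");

    # Retry until the IKE_SA is up (assumed: 'ESTABLISHED' appears in
    # swanctl --list-sas once negotiation succeeded), then until traffic
    # actually flows through the CHILD_SA.
    $carol->waitUntilSucceeds("swanctl --list-sas | grep -q ESTABLISHED");
    $carol->waitUntilSucceeds("ping -c 1 alice");

    # Make the failure mode from the thread visible: the test fails if
    # charon on either side logged a NO_PROPOSAL_CHOSEN notify.
    $carol->fail("journalctl -u strongswan-swanctl.service | grep -q NO_PROPOSAL_CHOSEN");
    $moon->fail("journalctl -u strongswan-swanctl.service | grep -q NO_PROPOSAL_CHOSEN");
  '';
}
```

Replacing the explicit `start` calls with `startAll;` reproduces the concurrent startup from the original test, which is the quickest way to check whether the sequencing is what makes the intermittent failure go away.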