[strongSwan] NixOS test

Bas van Dijk v.dijk.bas at gmail.com
Thu Aug 31 19:31:10 CEST 2017

I've now changed the testScript[1] to first start moon, wait for the
strongswan-swanctl service to start and then start carol. Using this
setup it's almost guaranteed that moon has loaded the connection
before carol initiates the connection.

In the process of debugging this I did discover the option
charon.retry_initiate_interval: "Interval in seconds to use when
retrying to initiate an IKE_SA (e.g. if DNS resolution failed)". Would
it make sense to extend the behavior of this option to also retry an
IKE_SA if a previous attempt failed *for any reason* (so not just on
DNS failures)? If it works like that it will solve my problem because
carol will just retry initiating the connection after it gets the
NO_PROP message. It will make initiation more automatic and robust.


[1] https://github.com/LumiGuide/nixpkgs/blob/c16b7285fe9cc379227a255f955b38c6830a7b24/nixos/tests/strongswan-swanctl.nix#L150

On 31 August 2017 at 11:04, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
> Ok after studying this part of the log a bit further:
> https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925#file-strongswan-swanctl-test-failure-log-L1428:L1459
> I see that the following is going on:
>
> 1. moon has started charon-systemd but hasn't loaded the connection yet
> 2. carol sends an IKE_SA_INIT request to moon
> 3. since moon hasn't loaded the connection yet it can't find an IKE
>    config for it and sends a NO_PROP response back to carol
> 4. moon loads the connection
> 5. carol warns about the "received NO_PROPOSAL_CHOSEN notify error"
> 6. pings from carol to alice fail continuously because the VPN is not
>    established
>
> Is there a way for carol to keep trying to establish a connection
> until it succeeds?
>
> Bas
> On 31 August 2017 at 09:14, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>> I also included the log of a successful test run:
>> https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925#file-strongswan-swanctl-test-success-log
>> On 31 August 2017 at 09:09, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>>> I noticed that my test succeeds most of the time but I just observed a
>>> test run where carol keeps trying to ping alice but fails each time.
>>> The following line from the test log[1] seems suspect:
>>>
>>>   carol# [ 4.538963] charon-systemd[716]: received NO_PROPOSAL_CHOSEN notify error
>>>
>>> I haven't looked into this error yet but I suspect it's a concurrency
>>> issue. Note that all machines start up at the same time[2]. I think if
>>> I first start moon, wait for the strongswan-swanctl.service to start
>>> and then start carol it always succeeds. But I'd rather not introduce
>>> that sequentialism and I suspect that strongSwan should be able to
>>> handle not fully booted gateways and that I just forgot to configure
>>> some option somewhere.
>>>
>>> Any ideas why the test sometimes fails?
>>>
>>> [1] https://gist.github.com/basvandijk/a2de93d8c93ce925838c1dbf2ee1d925
>>> [2] https://github.com/LumiGuide/nixpkgs/blob/b1bab8cff348ac743ecc6734f1852a16db41a9a2/nixos/tests/strongswan-swanctl.nix#L151
>>> On 30 August 2017 at 11:52, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>>>> The test now succeeds[1].
>>>> Thanks for your help.
>>>> Bas
>>>> [1] https://groups.google.com/d/msg/nix-devel/X-0T97MLR7I/cGUCWjXQAAAJ
>>>> On 30 August 2017 at 02:57, Bas van Dijk <v.dijk.bas at gmail.com> wrote:
>>>>> On 30 August 2017 at 02:29, Noel Kuntze
>>>>> <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>>>>> Two things:
>>>>>> - Please don't pipe stuff from the web into bash, it just asks for trouble and especially don't advertise or advise people to do it.
>>>>> Hi Noel, good point. This should probably be removed from nixos.org/nix.
>>>>>> - Try enforcing UDP encapsulation. If the FW rules actually change something, then currently only IKE is allowed, but there's no NAT, so ESP is used as transport protocol.
>>>>> Something similar was suggested[1] on the nix-devel mailing list. I
>>>>> will see how to get that to work.
>>>>>
>>>>> Bas
>>>>>
>>>>> [1] https://groups.google.com/forum/#!msg/nix-devel/X-0T97MLR7I/jbPQucPOAAAJ
>>>>>> Kind regards
>>>>>> Noel
>>>>>> On 30.08.2017 02:18, Bas van Dijk wrote:
>>>>>>> I've created a PR for the NixOS Linux distribution that adds a module
>>>>>>> for strongswan-swanctl:
>>>>>>>
>>>>>>>   https://github.com/NixOS/nixpkgs/pull/27958
>>>>>>>
>>>>>>> Although the new module works on our company VPN I would also like to
>>>>>>> add a NixOS test to ensure it keeps working. I've mimicked one of the
>>>>>>> swanctl tests from the strongswan project:
>>>>>>>
>>>>>>>   https://github.com/LumiGuide/nixpkgs/blob/strongswan-swanctl-test/nixos/tests/strongswan-swanctl.nix
>>>>>>>
>>>>>>> Although SAs get established successfully between gateway moon and
>>>>>>> roadwarrior carol I can't seem to ping alice from carol. Since I'm no
>>>>>>> networking expert I'm probably missing something obvious. It would be
>>>>>>> great if somebody could give me a tip or point me in the right
>>>>>>> direction.
>>>>>>>
>>>>>>> To run the test for yourself you don't need to install NixOS, you only
>>>>>>> need the Nix package manager (which is easy to uninstall later on;
>>>>>>> just rm -r /nix):
>>>>>>>
>>>>>>>   $ curl https://nixos.org/nix/install | sh
>>>>>>>
>>>>>>> Then clone my nixpkgs fork and check out the right branch:
>>>>>>>
>>>>>>>   $ git clone https://github.com/LumiGuide/nixpkgs.git
>>>>>>>   $ cd nixpkgs
>>>>>>>   $ git checkout strongswan-swanctl-test
>>>>>>>
>>>>>>> Look in nixos/tests/strongswan-swanctl.nix to see how to run the test
>>>>>>> but the following should get you started:
>>>>>>>
>>>>>>>   $ nix-build nixos/tests/strongswan-swanctl.nix
>>>>>>>
>>>>>>> Note that I also asked this question on the nix-devel mailing list:
>>>>>>>
>>>>>>>   https://groups.google.com/forum/#!topic/nix-devel/X-0T97MLR7I
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> Bas
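As an added illustration (not part of the thread or of the nixpkgs test), a small Python script that reconstructs the event ordering Bas read out of the test log and tells the startup race (moon rejecting IKE_SA_INIT before it had loaded its connection) apart from a genuine proposal mismatch. The log lines, and the moon-side message texts in them, are constructed for this example; only the carol line mirrors the one quoted in the thread.

```python
import re

# Constructed test-driver output in the thread's format
# ("<machine># [ <uptime>] charon-systemd[<pid>]: <message>"). The
# moon-side message texts are approximations made up for this example;
# the line order is the order in which the test driver printed them.
RACE_LOG = """\
moon# [    3.811201] charon-systemd[702]: charon-systemd started
carol# [    4.402117] charon-systemd[716]: initiating IKE_SA home[1] to 192.168.0.1
moon# [    4.120455] charon-systemd[702]: no IKE config found, sending NO_PROPOSAL_CHOSEN
moon# [    4.298734] charon-systemd[702]: loaded connection 'rw'
carol# [    4.538963] charon-systemd[716]: received NO_PROPOSAL_CHOSEN notify error
"""
# Same events, but moon had already loaded its connection: a real mismatch.
MISMATCH_LOG = """\
moon# [    3.811201] charon-systemd[702]: loaded connection 'rw'
carol# [    4.402117] charon-systemd[716]: initiating IKE_SA home[1] to 192.168.0.1
moon# [    4.620455] charon-systemd[702]: no IKE config found, sending NO_PROPOSAL_CHOSEN
carol# [    4.738963] charon-systemd[716]: received NO_PROPOSAL_CHOSEN notify error
"""

LINE_RE = re.compile(r"^(?P<host>\w+)# \[\s*[\d.]+\] charon-systemd\[\d+\]: (?P<msg>.*)$")


def parse(log):
    """Return (host, message) pairs in driver order. The bracketed uptime
    is each VM's own clock, so only the print order is comparable."""
    return [(m["host"], m["msg"]) for m in map(LINE_RE.match, log.splitlines()) if m]


def first_index(events, host, needle):
    """Position of the first line from `host` containing `needle`, or None."""
    return next((i for i, (h, msg) in enumerate(events) if h == host and needle in msg), None)


def classify(log, responder="moon", initiator="carol"):
    """'ok' if no NO_PROPOSAL_CHOSEN was seen, 'startup-race' if the
    responder rejected the IKE_SA_INIT before it had loaded any connection
    (the race in the thread), 'config-mismatch' if it rejected it afterwards."""
    ev = parse(log)
    loaded = first_index(ev, responder, "loaded connection")
    rejected = first_index(ev, responder, "NO_PROPOSAL_CHOSEN")
    if rejected is None:  # fall back to the initiator's view of the same event
        rejected = first_index(ev, initiator, "NO_PROPOSAL_CHOSEN")
    if rejected is None:
        return "ok"
    if loaded is None or rejected < loaded:
        return "startup-race"
    return "config-mismatch"
```

A "startup-race" verdict points at test sequencing (start moon, wait for strongswan-swanctl.service, then start carol) rather than at the proposals in swanctl.conf.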
