[strongSwan] Failure to connect on boot

Bas van Dijk v.dijk.bas at gmail.com
Tue Jan 10 14:51:28 CET 2017


Dear all,


With the following config running on NixOS, strongswan fails to start (or
route) on boot:


config setup

conn workstationVpn
  auto=route # Also tried with auto=start
  closeaction=restart
  dpdaction=restart
  keyexchange=ikev2
  leftauth=pubkey
  leftcert=/nix/store/xxx-certificate.der
  leftfirewall=yes
  leftid=foo@bar.com
  leftsourceip=%config4
  right=gateway.bar.com
  rightfirewall=yes
  rightid=gateway.bar.com
  rightsubnet=0.0.0.0/0

ca fooCert
  auto=add
  cacert=/nix/store/yyy-CACertificate.der


IPSec statusall gives the following:


Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.4.39, x86_64):
  uptime: 7 minutes, since Jan 10 14:01:34 2017
  malloc: sbrk 2686976, mmap 266240, used 425584, free 2261392
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon unbound pkcs11 aesni aes des rc2 sha2 sha1 md5 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert pem af-alg fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 xauth-generic xauth-eap dhcp
Listening IP addresses:
  192.168.42.223 # wlan local IP
  192.168.42.199 # eth0 local IP
Connections:
workstationVpn:  %any...gateway.bar.com  IKEv2, dpddelay=30s
workstationVpn:   local:  [foo@bar.com] uses public key authentication
workstationVpn:    cert:  "C=NL, O=Bar, L=Baz, S=Quux, CN=foo@bar.com"
workstationVpn:   remote: [gateway.bar.com] uses public key authentication
workstationVpn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none



Even with all logging options set to 3, the journal doesn't seem to mention
anything about even trying to route or start the connection.


After a clean boot, the following list shows some commands and their
effects:


systemctl restart strongswan - Both restarts strongswan and actually starts
the connection without errors or problems.

ipsec up workstationVpn - Starts the connection, without any errors or
problems.

ipsec reload - Starts the connection, but somehow *all* packets appear to
be routed through the VPN connection, rather than those in the subnets that
the server advertises. This persists until either rebooting or stopping
(not restarting) strongswan.


I've also found that adding a "sleep 60" before strongswan starts resolves
the problem. The connection starts properly when waiting 60 seconds.


Setting charonstart to "yes" explicitly has no noticeable effect.


How do I get strongswan to connect automatically without sleeping 60
seconds or doing it manually in a systemd timer?


Regards,


Bas
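Added example, not part of the original post and not strongSwan's own code: one way to replace a blind "sleep 60" with an actual check is to parse `ipsec statusall` and decide whether the connection is loaded, routed, or established. The first sample below is the status output quoted in the post; the second, healthy-state sample is constructed, and its line layout (the `Routed Connections:` section and the `ESTABLISHED` IKE_SA line) is an assumption based on the usual statusall format. The connection name `workstationVpn` is the one from the post.

```python
"""Parse `ipsec statusall` output and report whether a named connection is
loaded, routed (trap policy installed) or established. Added example for the
boot-race scenario in the post above; not strongSwan's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample 1: the output quoted in the post (after a clean boot).
BOOT_STATUS = """\
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.4.39, x86_64):
  uptime: 7 minutes, since Jan 10 14:01:34 2017
Listening IP addresses:
  192.168.42.223
  192.168.42.199
Connections:
workstationVpn:  %any...gateway.bar.com  IKEv2, dpddelay=30s
workstationVpn:   local:  [foo@bar.com] uses public key authentication
workstationVpn:   remote: [gateway.bar.com] uses public key authentication
workstationVpn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none
"""

# Constructed sample 2: what a healthy auto=route connection looks like once the
# trap policy is installed and traffic has brought the tunnel up. The line layout
# is an assumption based on the usual statusall format (not taken from the post).
HEALTHY_STATUS = """\
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.4.39, x86_64):
  uptime: 3 minutes, since Jan 10 14:05:00 2017
Listening IP addresses:
  192.168.42.223
Connections:
workstationVpn:  %any...gateway.bar.com  IKEv2, dpddelay=30s
workstationVpn:   child:  dynamic === 0.0.0.0/0 TUNNEL, dpdaction=restart
Routed Connections:
workstationVpn{1}:  ROUTED, TUNNEL, reqid 1
workstationVpn{1}:   192.168.42.223/32 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
workstationVpn[1]: ESTABLISHED 12 seconds ago, 192.168.42.223[foo@bar.com]...203.0.113.10[gateway.bar.com]
workstationVpn{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1234567_i c89abcde_o
workstationVpn{2}:   10.10.0.5/32 === 0.0.0.0/0
"""

SECTION_HEADERS = {
    "Listening IP addresses:": "listen",
    "Connections:": "conns",
    "Routed Connections:": "routed",
    "Shunted Connections:": "shunted",
}
SA_HEADER = re.compile(r"^Security Associations \((\d+) up, (\d+) connecting\):")
IKE_SA = re.compile(r"^(\S+)\[\d+\]: (ESTABLISHED|CONNECTING)\b")   # IKE_SA lines use [n]
ROUTED = re.compile(r"^(\S+)\{\d+\}:\s+ROUTED\b")                    # CHILD_SA/trap lines use {n}


@dataclass
class StatusReport:
    listening: list[str] = field(default_factory=list)
    connections: set[str] = field(default_factory=set)
    routed: set[str] = field(default_factory=set)
    established: set[str] = field(default_factory=set)
    sas_up: int = 0
    sas_connecting: int = 0


def parse_statusall(text: str) -> StatusReport:
    """Walk the sectioned statusall output and collect the facts a health check needs."""
    report = StatusReport()
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line in SECTION_HEADERS:
            section = SECTION_HEADERS[line]
            continue
        m = SA_HEADER.match(line)
        if m:
            report.sas_up, report.sas_connecting = int(m.group(1)), int(m.group(2))
            section = "sas"
            continue
        if section == "listen" and line.startswith("  "):
            report.listening.append(line.split()[0])       # tolerate trailing annotations
        elif section == "conns" and line and not line.startswith(" "):
            report.connections.add(line.split(":", 1)[0])  # every conn line starts with its name
        elif section == "routed":
            m = ROUTED.match(line)
            if m:
                report.routed.add(m.group(1))
        elif section == "sas":
            m = IKE_SA.match(line)
            if m and m.group(2) == "ESTABLISHED":
                report.established.add(m.group(1))
    return report


def check_connection(text: str, conn: str, require_established: bool = True) -> tuple[bool, str]:
    """Return (healthy, reason). With require_established=False a routed trap policy counts as healthy."""
    r = parse_statusall(text)
    if not r.listening:
        return False, "charon is not listening on any address (network not up yet?)"
    if conn not in r.connections:
        return False, f"{conn} is not loaded"
    if conn in r.established:
        return True, f"{conn} is ESTABLISHED"
    if conn in r.routed and not require_established:
        return True, f"{conn} is routed; tunnel comes up on the first matching packet"
    return False, f"{conn} is loaded but neither routed nor established ({r.sas_up} SAs up)"


if __name__ == "__main__":
    import subprocess, sys
    out = subprocess.run(["ipsec", "statusall"], capture_output=True, text=True, check=False).stdout
    ok, why = check_connection(out, sys.argv[1] if len(sys.argv) > 1 else "workstationVpn")
    print(why)
    sys.exit(0 if ok else 1)
```

Run as a script it exits non-zero when the connection has not come up, which is what a systemd timer or ExecStartPost= hook needs to retry or alert instead of silently sleeping. Separately from this check, the general systemd mitigation for a daemon that races the network is ordering the unit with After=network-online.target plus Wants=network-online.target in a drop-in; the check then tells you whether that ordering was actually sufficient on a given host.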