[strongSwan] Failure to connect on boot

Noel Kuntze noel at familie-kuntze.de
Tue Jan 10 22:16:12 CET 2017

On 10.01.2017 14:51, Bas van Dijk wrote:
> With the following config running on NixOS, strongswan fails to start (or route) on boot:
> I've also found that adding a "sleep 60" before strongswan starts resolves the problem. The connection starts properly when waiting 60 seconds.
> Setting the charonstart to "yes" explicitly has no noticeable effect.
Of course, that's deprecated since 5.0.0.
> How do I get strongswan to connect automatically without sleeping 60 seconds or doing it manually in a systemd timer?

That is because systemd starts ipsec stroke when charon isn't ready yet, so charon has no idea about the conns when your
systemd unit tells it to initiate the conn. The whole problem appears because ipsec stroke is an asynchronous API.

Use VICI/swanctl. That's a synchronous API and the configuration format is much better. There's also charon-systemd that has
a nicer behaviour when used with systemd. If you want to use it, you should use a swanctl (for which you need to rewrite your configuration
in swanctl.conf style). That's what I use on all my hosts as well.


Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 866 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170110/f091a6bc/attachment.sig>

More information about the Users mailing list