[strongSwan] Failure to connect on boot

Bas van Dijk v.dijk.bas at gmail.com
Fri Jan 13 21:49:23 CET 2017


Thanks Noel.

The NixOS StrongSwan module [1] is based on ipsec. I tried for a few hours
to get StrongSwan to compile with --enable-systemd --enable-swanctl but
failed so far. The problem was that libsystemd couldn't be found by
configure even when I added it as a dependency to Nix's StrongSwan package
[2].

I currently have a systemd timer that calls "ipsec up ..." at 1 minute
after boot. Hacky for sure but it works for now.

Hopefully I have some time this weekend to figure out how to get StrongSwan
to compile with --enable-systemd --enable-swanctl on NixOS.

Cheers,

Bas

[1] https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/strongswan.nix
[2] https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/strongswan/default.nix

On 10 January 2017 at 22:16, Noel Kuntze <noel at familie-kuntze.de> wrote:

> On 10.01.2017 14:51, Bas van Dijk wrote:
> > With the following config running on NixOS, strongswan fails to start
> > (or route) on boot:
> > I've also found that adding a "sleep 60" before strongswan starts
> > resolves the problem. The connection starts properly when waiting 60
> > seconds.
> >
> > Setting the charonstart to "yes" explicitly has no noticeable effect.
> Of course, that's deprecated since 5.0.0.
> >
> > How do I get strongswan to connect automatically without sleeping 60
> > seconds or doing it manually in a systemd timer?
> >
>
> That is because systemd starts ipsec stroke when charon isn't ready yet,
> so charon has no idea about the conns when your
> systemd unit tells it to initiate the conn. The whole problem appears
> because ipsec stroke is an asynchronous API.
>
> Use VICI/swanctl. That's a synchronous API and the configuration format is
> much better. There's also charon-systemd, which has
> a nicer behaviour when used with systemd. If you want to use it, you
> should use swanctl (for which you need to rewrite your configuration
> in swanctl.conf style). That's what I use on all my hosts as well.
>
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
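Noel's swanctl/charon-systemd suggestion worked out as an added example (written for this thread, not by either poster, and not Bas's actual config, which is not quoted here): a swanctl.conf-style connection whose CHILD_SA has `start_action = start`, so charon initiates it as soon as `swanctl --load-all` has loaded the configuration, which removes the need for a boot timer or sleep. Addresses, identities, the PSK and the connection names are placeholders.

```conf
# /etc/swanctl/swanctl.conf (assumed default path)
#
# Why this avoids the race described in the thread: with charon-systemd the
# upstream strongswan.service runs
#   ExecStartPost=swanctl --load-all --noprompt
# after charon has signalled readiness, and VICI is synchronous, so the
# connection below exists in the daemon before anything tries to start it.

connections {
    site-a {                            # placeholder connection name
        version      = 2                # IKEv2
        local_addrs  = 192.0.2.10       # placeholder local address
        remote_addrs = 198.51.100.20    # placeholder peer address
        keyingtries  = 0                # retry IKE_SA setup indefinitely
        dpd_delay    = 30s

        local {
            auth = psk
            id   = site-a               # placeholder identity
        }
        remote {
            auth = psk
            id   = site-b               # placeholder identity
        }

        children {
            site-a-net {                # placeholder child name
                local_ts  = 10.0.1.0/24   # placeholder traffic selectors
                remote_ts = 10.0.2.0/24
                # start_action = start: charon initiates this CHILD_SA itself
                # when the config is loaded; no external "ipsec up"/timer needed.
                start_action = start
                # Re-establish rather than drop if the peer stops answering DPD.
                dpd_action   = restart
                close_action = start
            }
        }
    }
}

secrets {
    ike-site-a {
        id     = site-a
        secret = "CHANGE-ME-placeholder-psk"   # placeholder, never ship as-is
    }
}
```

After changing the file, `swanctl --load-all` (or restarting the strongswan.service unit) reloads connections and secrets; `swanctl --list-sas` shows whether the CHILD_SA came up.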

