[strongSwan] Failure to connect on boot

Bas van Dijk v.dijk.bas at gmail.com
Sat Jan 14 10:35:23 CET 2017

I managed to get charon-systemd to build on NixOS and created a PR to add
it to nixpkgs:


Next up is writing a NixOS module that actually uses these new tools.

As explained in the commit it would be nice if swanctl could have a command
line option for specifying the configuration file/directory. In NixOS we
want to use /etc as little as possible and put most files in the immutable
nix store instead. But then we do need to tell swanctl to look for its
configuration directory in the nix store.

On 13 January 2017 at 21:49, Bas van Dijk <v.dijk.bas at gmail.com> wrote:

> Thanks Noel.
> The NixOS StrongSwan module [1] is based on ipsec. I tried for a few hours
> to get StrongSwan to compile with --enable-systemd --enable-swanctl but
> failed so far. The problem was that libsystemd couldn't be found by
> configure even when I added it as a dependency to Nix's StrongSwan package
> [2].
> I currently have a systemd timer that calls "ipsec up ..." at 1 minute
> after boot. Hacky for sure but it works for now.
> Hopefully I have some time this weekend to figure out how to get
> StrongSwan to compile with --enable-systemd --enable-swanctl on NixOS.
> Cheers,
> Bas
> [1] https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/strongswan.nix
> [2] https://github.com/NixOS/nixpkgs/blob/master/pkgs/tools/networking/strongswan/default.nix
> On 10 January 2017 at 22:16, Noel Kuntze <noel at familie-kuntze.de> wrote:
>> On 10.01.2017 14:51, Bas van Dijk wrote:
>> > With the following config running on NixOS, strongswan fails to start
>> > (or route) on boot:
>> > I've also found that adding a "sleep 60" before strongswan starts
>> > resolves the problem. The connection starts properly when waiting 60
>> > seconds.
>> >
>> >
>> > Setting the charonstart to "yes" explicitly has no noticeable effect.
>> Of course, that's deprecated since 5.0.0.
>> >
>> >
>> > How do I get strongswan to connect automatically without sleeping 60
>> > seconds or doing it manually in a systemd timer?
>> >
>> >
>> That is because systemd starts ipsec stroke when charon isn't ready yet,
>> so charon has no idea about the conns when your systemd unit tells it to
>> initiate the conn. The whole problem appears because ipsec stroke is an
>> asynchronous API.
>> Use VICI/swanctl. That's a synchronous API and the configuration format
>> is much better. There's also charon-systemd that has a nicer behaviour
>> when used with systemd. If you want to use it, you should use a swanctl
>> (for which you need to rewrite your configuration in swanctl.conf style).
>> That's what I use on all my hosts as well.
>> --
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
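For readers hitting the same boot-time race, here is what the swanctl-based setup Noel recommends looks like in practice. This is an added example, not configuration from the thread (the poster's own config was scrubbed from the archive); the connection name, addresses, identities and certificate file names are placeholders. The point it illustrates: with charon-systemd, the strongSwan-shipped systemd unit runs `swanctl --load-all` after the daemon has signalled readiness, and that call returns only once charon has accepted the configuration over VICI. A child with `start_action = start` is then initiated by charon itself, so there is no separate `ipsec up` to race against and no need for a sleep or a timer.

```conf
# Added example swanctl.conf (placed in /etc/swanctl/ or wherever swanctl is
# pointed at). All names, addresses and identities below are placeholders.
connections {
    office {
        # placeholder gateway address (documentation range)
        remote_addrs = 192.0.2.1
        # request a virtual IP from the gateway
        vips = 0.0.0.0
        local {
            auth = pubkey
            # certificate is loaded from swanctl's x509/ directory by --load-all
            certs = client.pem
            id = client@example.org
        }
        remote {
            auth = pubkey
            id = vpn.example.org
        }
        children {
            office-net {
                remote_ts = 10.0.0.0/8
                # charon initiates this CHILD_SA as soon as the config is
                # loaded; no external "ipsec up" or timer is involved.
                start_action = start
                # re-establish rather than drop the tunnel on DPD timeout
                # or when the peer closes it
                dpd_action = restart
                close_action = start
            }
        }
        # retry indefinitely if the gateway is not reachable yet at boot
        keyingtries = 0
        dpd_delay = 30s
    }
}
```

Because `swanctl --load-all` also loads private keys and certificates from the `private/` and `x509/` subdirectories beside the config, the only remaining boot-order concern is network availability, which `keyingtries = 0` covers by retrying until the gateway answers.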