[strongSwan] listen interface specification

Piyush Agarwal agarwalpiyush at gmail.com
Tue May 2 19:13:09 CEST 2017


Noel,
Thanks for pointing out my mistake -- my bad, I should have read the
ipsec.conf carefully.

Having said that, I have now specified "lo" as the charon.interfaces_use
and I see it is NOT finding an IP address that the lo has for listening on.

charon {
        interfaces_use = "lo"
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

The charon.log has no interfaces and IP addresses now:

00[KNL] known interfaces and IP addresses:
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA

I was expecting it to listen on 1.100.0.5 given lo has that IP address.


Could one not specify "lo" as the charon.interfaces_use? Could it be
because of the state the interface is in? It is strange that charon didn't
find ANY ip for the loopback (not even 127.0.0.1). Any help for debugging
would be great. Thanks.





On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:

> I don't see any loopback addresses listed in the "known interfaces":
>
> 8150 00[KNL] known interfaces and IP addresses:
> 8151 00[KNL]   p2p1
> 8152 00[KNL]     169.x.x.x
> 8153 00[KNL]     fe80:::4ae5
>
> where p2p1 interface has an internal 169 IP, not the one I want to listen
> on. The IP I want to listen on is actually on the lo interface:
>
> ip -d addr show lo | grep 104.100.x.x
>     inet 104.100.x.x/32 scope global lo
>
> Not that it should matter, but all this is being done inside a ip/mininet
> network namespace.
>
> Thanks.
> Piyush
>
>
> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
> wrote:
>
>> Hi,
>> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the IP
>> address on which to listen. I found some ipsec.conf manpages (
>> https://linux.die.net/man/5/ipsec.conf) which suggest a config item
>> "listen", but strongswan 5.1.2 at least doesn't seem to have this option.
>>
>> Is there not a way to specify the listen IP address? In my case, this IP
>> address is actually on the loopback interface. As long as I can specify the
>> listen interface, I should be fine.
>>
>> config setup
>>     listen=10.100.0.5
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     authby=rsasig
>>
>> conn 10.10.10.8
>>     type=transport
>>     left=10.100.0.5
>>     leftcert=left.cert
>>     leftsendcert=always
>>     rightcert=right.cert
>>     right=10.10.10.8
>>     auto=start
>>
>> /etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]
>> unable to start strongSwan -- fatal errors in config
>>
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
>>
>
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>



-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
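An added diagnostic, not from this thread or the strongSwan project: before expecting charon to pick up an address from an interface named in charon.interfaces_use, check what the kernel actually reports for that interface. The script parses `ip -o link` and `ip -o addr` output (constructed sample lines modelled on this thread) and flags addresses on interfaces that are down or loopback, or whose scope is host/link rather than global.

```python
import re

# Constructed sample output of `ip -o link` and `ip -o addr`, modelled on the
# thread: p2p1 carries only link-local addresses, the wanted /32 sits on lo.
IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
"""
IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever
1: lo    inet 10.100.0.5/32 scope global lo\\       valid_lft forever
2: p2p1    inet 169.254.10.7/16 brd 169.254.255.255 scope link p2p1\\       valid_lft forever
2: p2p1    inet6 fe80::4ae5/64 scope link \\       valid_lft forever
"""

def parse_links(text):
    """Map interface name -> set of link flags from `ip -o link` lines."""
    links = {}
    for line in text.splitlines():
        m = re.match(r"\d+: ([^:@]+)[^<]*<([^>]*)>", line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links

def parse_addrs(text):
    """List (iface, family, address, scope) tuples from `ip -o addr` lines."""
    addrs = []
    for line in text.splitlines():
        m = re.match(r"\d+: (\S+)\s+(inet6?) (\S+) .*?scope (\S+)", line)
        if m:
            addrs.append((m.group(1), m.group(2), m.group(3).split("/")[0], m.group(4)))
    return addrs

def audit(interfaces_use, links, addrs):
    """For each address on an interface listed in interfaces_use, return the
    conditions worth checking before expecting charon to listen on it."""
    wanted = interfaces_use.replace(",", " ").split()
    report = {}
    for iface, family, addr, scope in addrs:
        if iface not in wanted:
            continue
        flags = links.get(iface, set())
        problems = []
        if "UP" not in flags:
            problems.append("interface not UP")
        if "LOOPBACK" in flags:
            problems.append("loopback interface")
        if scope != "global":
            problems.append("scope %s is not reachable by peers" % scope)
        report[(iface, addr)] = problems
    return report

if __name__ == "__main__":
    for key, problems in audit("lo", parse_links(IP_LINK), parse_addrs(IP_ADDR)).items():
        print(key, problems or ["no obvious problem"])
```

Run it against live output with `ip -o link` and `ip -o addr` piped into the two parsers; an address that comes back with no problems but still does not appear in charon's "known interfaces and IP addresses" list points at the daemon's interface filtering rather than at the kernel state.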