[strongSwan] listen interface specification
Piyush Agarwal
agarwalpiyush at gmail.com
Tue May 2 19:13:43 CEST 2017
Noel,
Thanks for pointing out my mistake -- my bad, I should have read the
ipsec.conf carefully.
Having said that, I have now specified "lo" as the charon.interfaces_use
and I see it is NOT finding an IP address that lo has to listen on.
charon {
    interfaces_use = "lo"
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
The charon.log has no interfaces and IP addresses now:
00[KNL] known interfaces and IP addresses:
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
I was expecting it to listen on 1.100.0.5 given lo has that IP address.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 1.100.0.5/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
Could one not specify "lo" as the charon.interfaces_use? Could it be
because of the state the interface is in? It is strange that charon didn't
find ANY IP for the loopback (not even 127.0.0.1). Any help for debugging
would be great. Thanks.
> On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
> wrote:
>
>> I don't see any loopback addresses listed in the "known interfaces":
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[KNL]   p2p1
>> 00[KNL]     169.x.x.x
>> 00[KNL]     fe80:::4ae5
>>
>> where p2p1 interface has an internal 169 IP, not the one I want to listen
>> on. The IP I want to listen on is actually on the lo interface:
>>
>> ip -d addr show lo | grep 104.100.x.x
>> inet 104.100.x.x/32 scope global lo
>>
>> Not that it should matter, but all this is being done inside a ip/mininet
>> network namespace.
>>
>> Thanks.
>> Piyush
>>
>>
>> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>>> Hi,
>>> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the IP
>>> address on which to listen. I found some ipsec.conf manpages (
>>> https://linux.die.net/man/5/ipsec.conf) which suggest a config item
>>> "listen", but strongswan 5.1.2 at least doesn't seem to have this option.
>>>
>>> Is there not a way to specify the listen IP address? In my case, this IP
>>> address is actually on the loopback interface. As long as I can specify the
>>> listen interface, I should be fine.
>>>
>>> config setup
>>>     listen=10.100.0.5
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     keyexchange=ikev2
>>>     authby=rsasig
>>>
>>> conn 10.10.10.8
>>>     type=transport
>>>     left=10.100.0.5
>>>     leftcert=left.cert
>>>     leftsendcert=always
>>>     rightcert=right.cert
>>>     right=10.10.10.8
>>>     auto=start
>>>
>>> /etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]
>>> unable to start strongSwan -- fatal errors in config
>>>
>>>
>>> --
>>> Piyush Agarwal
>>> Life can only be understood backwards; but it must be lived forwards.
>>>
>>>
>>
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
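Added diagnostic, not from this thread and not strongSwan project code: a Python script that parses `ip addr show` output and the "known interfaces and IP addresses" block of charon.log, then reports for one expected listen address which interface owns it, whether charon.interfaces_use excludes that interface, whether it is a loopback or not UP, and whether charon listed the interface at all. The sample `ip addr` and charon.log text is constructed to mirror the thread (1.100.0.5 on lo, only a link-local address on p2p1; the MAC and 169.254 address are made up). The interface-flag checks only surface the conditions questioned above (interface state, loopback) for comparison against the strongSwan version in use; they do not assert how charon treats loopback interfaces.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample `ip addr show` output modelled on the thread: the wanted
# listen address sits on lo, p2p1 carries only a link-local address.
IP_ADDR_OUTPUT = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet 1.100.0.5/32 scope global lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: p2p1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    inet 169.254.10.20/16 scope link p2p1
       valid_lft forever preferred_lft forever
"""

# Constructed charon.log excerpt in the format quoted in the thread.
CHARON_LOG = """\
00[KNL] known interfaces and IP addresses:
00[KNL]   p2p1
00[KNL]     169.254.10.20
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
"""

IFACE_HDR = re.compile(r'^\d+: (?P<name>[^:@]+)[^<]*<(?P<flags>[^>]*)>.*\bstate (?P<state>\S+)')
ADDR_LINE = re.compile(r'^\s+inet6? (?P<addr>\S+) ')
KNL_HDR = re.compile(r'^\d+\[KNL\] known interfaces and IP addresses:')
KNL_ITEM = re.compile(r'^\d+\[KNL\]\s+(?P<item>\S+)\s*$')


def parse_ip_addr(text):
    """Map interface name -> {'flags', 'state', 'addrs'} from `ip addr show` output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_HDR.match(line)
        if m:
            cur = {'flags': set(m['flags'].split(',')), 'state': m['state'], 'addrs': []}
            ifaces[m['name']] = cur
            continue
        m = ADDR_LINE.match(line)
        if m and cur is not None:
            cur['addrs'].append(ip_interface(m['addr']).ip)
    return ifaces


def parse_charon_known(text):
    """Map interface name -> [addresses] from the 'known interfaces' block of charon.log.

    The block ends at the first line that is not a single-token [KNL] item, so
    an empty block (as in the thread) yields an empty dict."""
    known, cur, in_block = {}, None, False
    for line in text.splitlines():
        if KNL_HDR.match(line):
            in_block, cur = True, None
            continue
        m = KNL_ITEM.match(line) if in_block else None
        if not m:
            in_block = False
            continue
        try:
            addr = ip_address(m['item'])
        except ValueError:            # not an address, so it is an interface name
            cur = m['item']
            known.setdefault(cur, [])
            continue
        if cur is not None:
            known[cur].append(addr)
    return known


def diagnose(expected_ip, interfaces_use, ip_addr_text, charon_log_text):
    """Compare what the host has with what charon enumerated for one listen address.

    interfaces_use is the list from charon.interfaces_use ([] when unset).
    Returns the facts a reader would check, without judging which one is the cause."""
    want = ip_address(expected_ip)
    host = parse_ip_addr(ip_addr_text)
    known = parse_charon_known(charon_log_text)
    owners = sorted(n for n, i in host.items() if want in i['addrs'])
    return {
        'known_to_charon': any(want in addrs for addrs in known.values()),
        'owners': owners,
        'excluded_by_interfaces_use': [n for n in owners
                                       if interfaces_use and n not in interfaces_use],
        'loopback': [n for n in owners if 'LOOPBACK' in host[n]['flags']],
        'not_up': [n for n in owners if 'UP' not in host[n]['flags']],
        'absent_from_charon': [n for n in owners if n not in known],
    }


if __name__ == '__main__':
    for key, value in diagnose('1.100.0.5', ['lo'], IP_ADDR_OUTPUT, CHARON_LOG).items():
        print('%-28s %s' % (key + ':', value))
```

On a real host, replace the two constructed strings with the output of `ip addr show` and the relevant charon.log lines; the script only reads text, so it can be run against logs copied off the box.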