[strongSwan] listen interface specification

Piyush Agarwal agarwalpiyush at gmail.com
Tue May 2 19:27:31 CEST 2017


Ok, I had missed setting the lo up (when charon ran lo was DOWN, not
UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon runs.
And I do see charon.log mention:

00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     *1.100.0.5*
00[KNL]     ::1

But ipsec statusall still reports no listening IP addresses:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
  uptime: 4 minutes, since May 02 10:22:32 2017
  malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
*Listening IP addresses:*
Connections:
Security Associations (0 up, 0 connecting):
  none



On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiyush at gmail.com>
wrote:

> Noel,
> Thanks for pointing out my mistake -- my bad, I should have read the
> ipsec.conf carefully.
>
> Having said that, I have now specified "lo" as the charon.interfaces_use
> and I see it is NOT finding an IP address that the lo has for listening on.
>
> charon {
> *        interfaces_use = "lo"*
>         load_modular = yes
>         plugins {
>                 include strongswan.d/charon/*.conf
>         }
> }
>
> The charon.log has no interfaces and IP addresses now:
>
> 00[KNL] known interfaces and IP addresses:
> 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>
> I was expecting it to listen on 1.100.0.5 given lo has that IP address.
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state *UNKNOWN* group
> default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet *1.100.0.5*/32 scope global lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
>
> Could one not specify "lo" as the charon.interfaces_use? Could it be
> because of the state the interface is in? It is strange that charon didn't
> find ANY IP for the loopback (not even 127.0.0.1). Any help for debugging
> would be great. Thanks.
>
>
> On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiyush at gmail.com>
> wrote:
>
>> Noel,
>> Thanks for pointing out my mistake -- my bad, I should have read the
>> ipsec.conf carefully.
>>
>> Having said that, I have now specified "lo" as the charon.interfaces_use
>> and I see it is NOT finding an IP address that the lo has for listening on.
>>
>> charon {
>> *        interfaces_use = "lo"*
>>         load_modular = yes
>>         plugins {
>>                 include strongswan.d/charon/*.conf
>>         }
>> }
>>
>> The charon.log has no interfaces and IP addresses now:
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>>
>> I was expecting it to listen on 1.100.0.5 given lo has that IP address.
>>
>>
>> Could one not specify "lo" as the charon.interfaces_use? Could it be
>> because of the state the interface is in? It is strange that charon didn't
>> find ANY IP for the loopback (not even 127.0.0.1). Any help for debugging
>> would be great. Thanks.
>>
>>
>>
>>
>>
>> On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>>> I don't see any loopback addresses listed in the "known interfaces":
>>>
>>> 8150 00[KNL] known interfaces and IP addresses:
>>> 8151 00[KNL]   p2p1
>>> 8152 00[KNL]     169.x.x.x
>>> 8153 00[KNL]     fe80:::4ae5
>>>
>>> where p2p1 interface has an internal 169 IP, not the one I want to
>>> listen on. The IP I want to listen on is actually on the lo interface:
>>>
>>> ip -d addr show lo | grep 104.100.x.x
>>>     inet 104.100.x.x/32 scope global lo
>>>
>>> Not that it should matter, but all this is being done inside a
>>> ip/mininet network namespace.
>>>
>>> Thanks.
>>> Piyush
>>>
>>>
>>> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the
>>>> IP address on which to listen. I found some ipsec.conf manpages (
>>>> https://linux.die.net/man/5/ipsec.conf) which suggest a config item
>>>> "listen", but strongswan 5.1.2 at least doesn't seem to have this option.
>>>>
>>>> Is there not a way to specify the listen IP address? In my case, this
>>>> IP address is actually on the loopback interface. As long as I can specify
>>>> the listen interface, I should be fine.
>>>>
>>>> config setup
>>>> *    listen=10.100.0.5*
>>>>
>>>> conn %default
>>>>     ikelifetime=60m
>>>>     keylife=20m
>>>>     rekeymargin=3m
>>>>     keyingtries=1
>>>>     keyexchange=ikev2
>>>>     authby=rsasig
>>>>
>>>> conn 10.10.10.8
>>>>     type=transport
>>>>     left=10.100.0.5
>>>>     leftcert=left.cert
>>>>     leftsendcert=always
>>>>     rightcert=right.cert
>>>>     right=10.10.10.8
>>>>     auto=start
>>>>
>>>> */etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]*
>>>> *unable to start strongSwan -- fatal errors in config*
>>>>
>>>>
>>>> --
>>>> Piyush Agarwal
>>>> Life can only be understood backwards; but it must be lived forwards.
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
>
>



-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
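A preflight check for the situation in this thread, added here as an example (it is not strongSwan code and was not posted by anyone in the thread): it parses `ip addr show` output and the `charon { ... }` block of strongswan.conf, then reports per address whether charon could pick it, based on the interface's UP flag (the "lo was DOWN when charon ran" problem above) and on `interfaces_use` / `interfaces_ignore`. The sample inputs are constructed, and the separate status for loopback addresses rests on my assumption, not confirmed by the thread, that charon leaves loopback addresses out of its "Listening IP addresses" line.

```python
import re
# Constructed samples modelled on the thread: `ip addr show` output (lo UP with
# 1.100.0.5/32, plus a hypothetical DOWN p2p1) and the posted strongswan.conf fragment.
IP_ADDR_SAMPLE = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
    inet 1.100.0.5/32 scope global lo
    inet6 ::1/128 scope host
2: p2p1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
    inet 169.254.10.2/16 scope global p2p1
"""
CONF_SAMPLE = 'charon {\n        interfaces_use = "lo"\n        load_modular = yes\n}\n'
# Assumption (mine, not from the thread): charon omits loopback addresses from "Listening IP addresses".
LOOPBACK_NOTE = "usable, but on loopback (assumed not listed under Listening IP addresses)"

def parse_ip_addr(text):
    """Map interface name -> {up, loopback, addrs} from `ip addr show` output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"\d+: (\S+): <([^>]*)>", line)
        if head:  # header line: the <...> flags, not 'state', decide UP/LOOPBACK
            flags = set(head.group(2).split(","))
            cur = ifaces[head.group(1)] = {"up": "UP" in flags, "loopback": "LOOPBACK" in flags, "addrs": []}
            continue
        addr = re.match(r"\s+inet6? ([0-9a-fA-F.:]+)/\d+", line)
        if addr and cur is not None:
            cur["addrs"].append(addr.group(1))
    return ifaces

def parse_interface_lists(conf):
    """Read charon.interfaces_use / interfaces_ignore (comma-separated names, quoted or not)."""
    lists = {}
    for key in ("interfaces_use", "interfaces_ignore"):
        m = re.search(r'^\s*%s\s*=\s*"?([^"\n]*?)"?\s*$' % key, conf, re.M)
        lists[key] = [n.strip() for n in m.group(1).split(",") if n.strip()] if m else []
    return lists
def address_status(text, conf):
    """Classify each address: usable, or the reason charon would not pick it."""
    lists, result = parse_interface_lists(conf), {}
    for name, info in parse_ip_addr(text).items():
        if not info["up"]:
            reason = "interface %s is DOWN" % name
        elif lists["interfaces_use"] and name not in lists["interfaces_use"]:
            reason = "%s not in interfaces_use" % name
        elif name in lists["interfaces_ignore"]:
            reason = "%s in interfaces_ignore" % name
        else:
            reason = LOOPBACK_NOTE if info["loopback"] else "usable"
        result.update(dict.fromkeys(info["addrs"], reason))
    return result
```

On a real host, feed it the output of `ip addr show` and the contents of /etc/strongswan.conf; an address reported as "interface ... is DOWN" will be missing from charon's "known interfaces and IP addresses" block just as lo was above.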