[strongSwan] listen interface specification
Andreas Steffen
andreas.steffen at strongswan.org
Tue May 2 20:00:27 CEST 2017
Hi Piyush,
have you tried
interfaces_use = lo
without the double quotes?
Regards
Andreas
On 02.05.2017 19:27, Piyush Agarwal wrote:
> Ok, I had missed setting the lo up (when charon ran lo was DOWN, not
> UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon
> runs. And I do see charon.log mention:
>
> 00[KNL] known interfaces and IP addresses:
> 00[KNL]   lo
> 00[KNL]     127.0.0.1
> 00[KNL]     1.100.0.5
> 00[KNL]     ::1
>
> But ipsec statusall still reports no listening IP addresses:
>
> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
>   uptime: 4 minutes, since May 02 10:22:32 2017
>   malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
> Listening IP addresses:
> Connections:
> Security Associations (0 up, 0 connecting):
>   none
>
>
>
> On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiyush at gmail.com> wrote:
>
> Noel,
> Thanks for pointing out my mistake -- my bad, I should have read the
> ipsec.conf carefully.
>
> Having said that, I have now specified "lo" as the
> charon.interfaces_use and I see it is NOT finding an IP address that
> the lo has for listening on.
>
> charon {
>     interfaces_use = "lo"
>     load_modular = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>     }
> }
>
> The charon.log has no interfaces and IP addresses now:
>
> 00[KNL] known interfaces and IP addresses:
> 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>
> I was expecting it to listen on 1.100.0.5 given lo has that IP address.
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet 1.100.0.5/32 scope global lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
>
> Could one not specify "lo" as the charon.interfaces_use? Could it be
> because of the state the interface is in? It is strange that charon
> didn't find ANY IP for the loopback (not even 127.0.0.1). Any help
> for debugging would be great. Thanks.
>
>
> On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiyush at gmail.com> wrote:
>
> I don't see any loopback addresses listed in the "known
> interfaces":
>
> 00[KNL] known interfaces and IP addresses:
> 00[KNL]   p2p1
> 00[KNL]     169.x.x.x
> 00[KNL]     fe80:::4ae5
>
> where p2p1 interface has an internal 169 IP, not the one I
> want to listen on. The IP I want to listen on is actually on
> the lo interface:
>
> ip -d addr show lo | grep 104.100.x.x
> inet 104.100.x.x/32 scope global lo
>
> Not that it should matter, but all this is being done inside
> an ip/mininet network namespace.
>
> Thanks.
> Piyush
>
>
> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiyush at gmail.com> wrote:
>
> Hi,
> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the IP
> address on which to listen. I found some ipsec.conf manpages
> (https://linux.die.net/man/5/ipsec.conf) which suggest a config item
> "listen", but strongswan 5.1.2 at least doesn't seem to have this option.
>
> Is there not a way to specify the listen IP address? In my case, this IP
> address is actually on the loopback interface. As long as I can specify
> the listen interface, I should be fine.
>
> config setup
>     listen=10.100.0.5
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyingtries=1
>     keyexchange=ikev2
>     authby=rsasig
>
> conn 10.10.10.8
>     type=transport
>     left=10.100.0.5
>     leftcert=left.cert
>     leftsendcert=always
>     rightcert=right.cert
>     right=10.10.10.8
>     auto=start
>
> /etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]
> unable to start strongSwan -- fatal errors in config
>
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be
> lived forwards.
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
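As an added diagnostic for the two points this thread turns on (example code, not strongSwan's own and not from either participant): it reads `charon.interfaces_use` from a strongswan.conf excerpt, flags the double quotes Andreas asks about, and checks whether the named interface appears in charon's startup dump of known interfaces and IP addresses. The config and log samples are constructed, and the dump layout (interface name line, then one line per address) is assumed from charon's usual output.

```shell
# Added diagnostic, not strongSwan's own code: checks how charon.interfaces_use is
# written in strongswan.conf and whether charon's startup dump of "known interfaces
# and IP addresses" actually lists that interface.

# Constructed strongswan.conf excerpt, written the way the thread has it (quoted value).
SAMPLE_CONF='charon {
    interfaces_use = "lo"
    load_modular = yes
}'
# Constructed charon.log excerpt in the layout charon uses (interface, then its addresses).
SAMPLE_LOG='00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     1.100.0.5
00[KNL]     ::1
00[LIB] feature PUBKEY:DSA in plugin pem has unmet dependency: PUBKEY:DSA'

# Print the interfaces_use value exactly as configured (quotes included, if any).
interfaces_use_value() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*interfaces_use[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p'
}
# Remove one pair of surrounding double quotes; a bare value passes through unchanged.
strip_quotes() { printf '%s\n' "$1" | sed 's/^"\(.*\)"$/\1/'; }

# Print the addresses charon enumerated for interface $2 from log text $1. Inside the dump
# every line is "tag token"; a token with '.' or ':' belongs to the most recent interface.
known_addrs() {
  printf '%s\n' "$1" | awk -v want="$2" '
    /\[KNL\] known interfaces and IP addresses:/ { inblk = 1; next }
    !inblk { next }
    NF != 2 || !/\[KNL\]/ { exit }
    $2 ~ /[.:]/ { if (cur == want) print $2; next }
    { cur = $2 }'
}

# Warn about quoting, then fail (return 1) if charon never enumerated the interface.
check_listen() {   # $1 = strongswan.conf text, $2 = charon.log text
  raw=$(interfaces_use_value "$1")
  iface=$(strip_quotes "$raw")
  [ "$raw" = "$iface" ] ||
    echo "warning: interfaces_use is $raw; the thread suggests the bare name $iface" >&2
  addrs=$(known_addrs "$2" "$iface")
  if [ -z "$addrs" ]; then
    echo "charon did not enumerate '$iface'; make sure it is UP before charon starts" >&2
    return 1
  fi
  printf '%s\n' "$addrs"
}

check_listen "$SAMPLE_CONF" "$SAMPLE_LOG"
```

On a real host, feed it the actual files, e.g. `check_listen "$(cat /etc/strongswan.conf)" "$(cat /var/log/charon.log)"`, and compare the printed addresses with the "Listening IP addresses" section of `ipsec statusall`.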