[strongSwan] listen interface specification
Piyush Agarwal
agarwalpiyush at gmail.com
Wed May 3 19:20:02 CEST 2017
Hi Andreas,
Actually both "lo" and lo had the same result: no IP is displayed below
"Listening IP addresses".
However, my IKE and IPsec SAs from the initiator (to this responder
machine) were established. I suppose I am unblocked then.
Thanks.
Piyush
On Tue, May 2, 2017 at 11:00 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hi Piyush,
>
> have you tried
>
> interfaces_use = lo
>
> without the double quotes?
>
> Regards
>
> Andreas
>
> On 02.05.2017 19:27, Piyush Agarwal wrote:
>
>> Ok, I had missed setting the lo up (when charon ran lo was DOWN, not
>> UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon
>> runs. And I do see charon.log mention:
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[KNL] lo
>> 00[KNL] 127.0.0.1
>> 00[KNL] *1.100.0.5*
>> 00[KNL] ::1
>>
>> But ipsec statusall still reports no listening IP addresses:
>>
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
>>   uptime: 4 minutes, since May 02 10:22:32 2017
>>   malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
>> Listening IP addresses:
>> Connections:
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>>
>>
>> On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>> Noel,
>> Thanks for pointing out my mistake -- my bad, I should have read the
>> ipsec.conf carefully.
>>
>> Having said that, I have now specified "lo" as the
>> charon.interfaces_use and I see it is NOT finding an IP address that
>> the lo has for listening on.
>>
>> charon {
>>     interfaces_use = "lo"
>>     load_modular = yes
>>     plugins {
>>         include strongswan.d/charon/*.conf
>>     }
>> }
>>
>> The charon.log has no interfaces and IP addresses now:
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency:
>> PUBKEY:DSA
>>
>> I was expecting it to listen on 1.100.0.5 given lo has that IP
>> address.
>>
>> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 scope host lo
>>        valid_lft forever preferred_lft forever
>>     inet 1.100.0.5/32 scope global lo
>>        valid_lft forever preferred_lft forever
>>     inet6 ::1/128 scope host
>>        valid_lft forever preferred_lft forever
>>
>> Could one not specify "lo" as the charon.interfaces_use? Could it be
>> because of the state the interface is in? It is strange that charon
>> didn't find ANY ip for the loopback (not even 127.0.0.1). Any help
>> for debugging would be great. Thanks.
>>
>> On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>> I don't see any loopback addresses listed in the "known
>> interfaces":
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[KNL]   p2p1
>> 00[KNL]     169.x.x.x
>> 00[KNL]     fe80:::4ae5
>>
>> where p2p1 interface has an internal 169 IP, not the one I
>> want to listen on. The IP I want to listen on is actually on
>> the lo interface:
>>
>> ip -d addr show lo | grep 104.100.x.x
>> inet 104.100.x.x/32 scope global lo
>>
>> Not that it should matter, but all this is being done inside
>> an ip/mininet network namespace.
>>
>> Thanks.
>> Piyush
>>
>>
>> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>> Hi,
>> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need
>> to specify the IP address on which to listen. I found
>> some ipsec.conf manpages
>> (https://linux.die.net/man/5/ipsec.conf) which suggest
>> a config item "listen", but strongswan 5.1.2 at least
>> doesn't seem to have this option.
>>
>> Is there not a way to specify the listen IP address? In
>> my case, this IP address is actually on the loopback
>> interface. As long as I can specify the listen
>> interface, I should be fine.
>>
>> config setup
>>     listen=10.100.0.5
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     keyexchange=ikev2
>>     authby=rsasig
>>
>> conn 10.10.10.8
>>     type=transport
>>     left=10.100.0.5
>>     leftcert=left.cert
>>     leftsendcert=always
>>     rightcert=right.cert
>>     right=10.10.10.8
>>     auto=start
>>
>> /etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]
>> unable to start strongSwan -- fatal errors in config
>>
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be
>> lived forwards.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
> --
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution! www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>
>
--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
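The checks this thread works through by hand (is lo UP before charon starts, does it carry the address, did charon list the address in its "known interfaces and IP addresses" block, is the interfaces_use value wrapped in quotes as Andreas asked about), gathered into one preflight script. This is an added example, not code from the thread or from strongSwan; it assumes iproute2 "ip link show" / "ip addr show" output and the charon.log line layout quoted above, and every SAMPLE_* input is constructed here, modelled on the thread's output.

```shell
#!/bin/sh
# Pre-flight checks for the problem in this thread: charon only lists
# addresses of interfaces that are UP when it starts, and the configured
# interfaces_use name has to match the interface. Added example, not
# strongSwan's own code; it assumes iproute2 "ip link/addr show" output and
# charon's "00[KNL] known interfaces and IP addresses:" startup block.
# Every SAMPLE_* value is constructed here, modelled on the thread.

SAMPLE_LINK_UP='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00'
SAMPLE_LINK_DOWN='1: lo: <LOOPBACK> mtu 65536 qdisc noqueue state DOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00'
SAMPLE_ADDR='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    inet 127.0.0.1/8 scope host lo
    inet 1.100.0.5/32 scope global lo
    inet6 ::1/128 scope host'
SAMPLE_LOG_OK='00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     1.100.0.5
00[KNL]     ::1
00[LIB] loaded plugins: charon aes sha1 sha2 random nonce x509 pem kernel-netlink socket-default stroke'
SAMPLE_LOG_FILTERED='00[KNL] known interfaces and IP addresses:
00[LIB] loaded plugins: charon aes sha1 sha2 random nonce x509 pem kernel-netlink socket-default stroke'
SAMPLE_CONF_QUOTED='charon {
    interfaces_use = "lo"
    load_modular = yes
}'
SAMPLE_CONF_PLAIN='charon {
    interfaces_use = lo
}'

# $1 = "ip link show dev IFACE" output. True if the UP flag is set. A loopback
# reports "state UNKNOWN" even when up, so key on the <...> flag list, not on
# the "state" word.
link_is_up() {
    flags=$(printf '%s\n' "$1" | sed -n 's/.*<\([^>]*\)>.*/,\1,/p')
    case "$flags" in
        *,UP,*) return 0 ;;
    esac
    return 1
}

# $1 = "ip addr show dev IFACE" output, $2 = address. True if $2 is assigned.
addr_present() {
    printf '%s\n' "$1" | grep -qF -e "inet $2/" -e "inet6 $2/"
}

# $1 = charon.log text. Prints "IFACE ADDR" for every address in the startup
# block; tokens made only of hex digits, dots and colons are taken as addresses.
charon_known_addrs() {
    printf '%s\n' "$1" | awk '
        /\[KNL\] known interfaces and IP addresses:/ { inblock = 1; next }
        !inblock { next }
        !/\[KNL\]/ { inblock = 0; next }
        {
            tok = $NF
            if (tok ~ /^[0-9a-fA-F.:]+$/) { if (iface != "") print iface, tok }
            else iface = tok
        }'
}

# $1 = charon.log text, $2 = address. True if charon listed $2 at startup.
charon_knows_addr() {
    charon_known_addrs "$1" | awk -v a="$2" '$2 == a { found = 1 } END { exit !found }'
}

# $1 = strongswan.conf text. Prints the raw charon.interfaces_use value.
interfaces_use_value() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*interfaces_use[[:space:]]*=[[:space:]]*\(.*\)$/\1/p' |
        sed 's/[[:space:]]*$//' | head -n 1
}

# True if the value is wrapped in double quotes (the thing Andreas asked about).
value_is_quoted() {
    case "$1" in
        \"*\") return 0 ;;
    esac
    return 1
}

# Live check on a real host: preflight IFACE ADDR [strongswan.conf]
preflight() {
    link_is_up "$(ip link show dev "$1" 2>/dev/null)" ||
        { echo "$1 is not UP; run 'ip link set $1 up' before starting charon" >&2; return 1; }
    addr_present "$(ip addr show dev "$1" 2>/dev/null)" "$2" ||
        { echo "$2 is not assigned to $1" >&2; return 1; }
    value=$(interfaces_use_value "$(cat "${3:-/etc/strongswan.conf}" 2>/dev/null)")
    if value_is_quoted "$value"; then
        unquoted=${value#\"}; unquoted=${unquoted%\"}
        echo "interfaces_use = $value is quoted; try interfaces_use = $unquoted" >&2
    fi
    echo "$1 is UP and carries $2; start charon and check the KNL block in charon.log"
}

if [ "${1:-}" = "--live" ]; then
    preflight "${2:-lo}" "${3:-1.100.0.5}" "${4:-}"
fi
```

Run it as `sh preflight.sh --live lo 1.100.0.5 /etc/strongswan.conf` on the host before starting charon; without `--live` it only defines the functions and the constructed samples, so they can be exercised offline. The script checks the preconditions the thread uncovered (interface state, address, configured name); it does not change what `ipsec statusall` prints under "Listening IP addresses", which the thread leaves open.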