[strongSwan] listen interface specification

Piyush Agarwal agarwalpiyush at gmail.com
Wed May 3 19:20:02 CEST 2017


Hi Andreas,
Actually both "lo" and lo had the same result: no IP is displayed below
"Listening IP addresses".
However, my IKE and IPsec SAs from the initiator (to this responder
machine) were established. I suppose I am unblocked then.

Thanks.
Piyush

On Tue, May 2, 2017 at 11:00 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Piyush,
>
> have you tried
>
>   interfaces_use = lo
>
> without the double quotes?
>
> Regards
>
> Andreas
>
> On 02.05.2017 19:27, Piyush Agarwal wrote:
>
>> Ok, I had missed setting the lo up (when charon ran lo was DOWN, not
>> UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon
>> runs. And I do see charon.log mention:
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[KNL]   lo
>> 00[KNL]     127.0.0.1
>> 00[KNL] *1.100.0.5*
>> 00[KNL]     ::1
>>
>> But ipsec statusall still reports no listening IP addresses:
>>
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic,
>> x86_64):
>>    uptime: 4 minutes, since May 02 10:22:32 2017
>>    malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
>>    worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>> scheduled: 0
>>    loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
>> random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>> openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>> socket-default stroke updown eap-identity addrblock
>> *Listening IP addresses:*
>> Connections:
>> Security Associations (0 up, 0 connecting):
>>    none
>>
>>
>>
>> On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiyush at gmail.com>
>> wrote:
>>
>>     Noel,
>>     Thanks for pointing out my mistake -- my bad, I should have read the
>>     ipsec.conf carefully.
>>
>>     Having said that, I have now specified "lo" as the
>>     charon.interfaces_use and I see it is NOT finding an IP address that
>>     the lo has for listening on.
>>
>>     charon {
>>     *        interfaces_use = "lo"*
>>              load_modular = yes
>>              plugins {
>>                      include strongswan.d/charon/*.conf
>>              }
>>     }
>>
>>     The charon.log has no interfaces and IP addresses now:
>>
>>     00[KNL] known interfaces and IP addresses:
>>     00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency:
>>     PUBKEY:DSA
>>
>>     I was expecting it to listen on 1.100.0.5 given lo has that IP
>> address.
>>
>>     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state
>>     *UNKNOWN* group default qlen 1
>>          link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>          inet 127.0.0.1/8 scope host lo
>>             valid_lft forever preferred_lft forever
>>          inet *1.100.0.5*/32 scope global lo
>>             valid_lft forever preferred_lft forever
>>          inet6 ::1/128 scope host
>>             valid_lft forever preferred_lft forever
>>
>>     Could one not specify "lo" as the charon.interfaces_use? Could it be
>>     because of the state the interface is in? It is strange that charon
>>     didn't find ANY ip for the loopback (not even 127.0.0.1). Any help
>>     for debugging would be great. Thanks.
>>
>>
>>         On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal
>>         <agarwalpiyush at gmail.com> wrote:
>>
>>             I don't see any loopback addresses listed in the "known
>>             interfaces":
>>
>>             00[KNL] known interfaces and IP addresses:
>>             00[KNL]   p2p1
>>             00[KNL]     169.x.x.x
>>             00[KNL]     fe80:::4ae5
>>
>>             where p2p1 interface has an internal 169 IP, not the one I
>>             want to listen on. The IP I want to listen on is actually on
>>             the lo interface:
>>
>>             ip -d addr show lo | grep 104.100.x.x
>>                  inet 104.100.x.x/32 scope global lo
>>
>>             Not that it should matter, but all this is being done inside
>>             an ip/mininet network namespace.
>>
>>             Thanks.
>>             Piyush
>>
>>
>>             On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal
>>             <agarwalpiyush at gmail.com> wrote:
>>
>>                 Hi,
>>                 I am using strongswan 5.1.2 on Ubuntu 14.04 and I need
>>                 to specify the IP address on which to listen. I found
>>                 some ipsec.conf manpages
>>                 (https://linux.die.net/man/5/ipsec.conf) which suggest
>>                 a config item "listen", but strongswan 5.1.2 at least
>>                 doesn't seem to have this option.
>>
>>                 Is there not a way to specify the listen IP address? In
>>                 my case, this IP address is actually on the loopback
>>                 interface. As long as I can specify the listen
>>                 interface, I should be fine.
>>
>>                 config setup
>>                 *    listen=10.100.0.5*
>>
>>                 conn %default
>>                      ikelifetime=60m
>>                      keylife=20m
>>                      rekeymargin=3m
>>                      keyingtries=1
>>                      keyexchange=ikev2
>>                      authby=rsasig
>>
>>                 conn 10.10.10.8
>>                      type=transport
>>                      left=10.100.0.5
>>                      leftcert=left.cert
>>                      leftsendcert=always
>>                      rightcert=right.cert
>>                      right=10.10.10.8
>>                      auto=start
>>
>>                 */etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]*
>>                 *unable to start strongSwan -- fatal errors in config*
>>
>>
>>                 --
>>                 Piyush Agarwal
>>                 Life can only be understood backwards; but it must be
>>                 lived forwards.
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==
>
>


-- 
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
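The check the thread works through by hand, done as a small script: it reads charon.interfaces_use from strongswan.conf and cross-checks it against the "00[KNL] known interfaces and IP addresses" block that charon logs at startup, so a responder that is meant to listen on one interface only can be verified before it goes live. This is an added example, not code from the thread or from the strongSwan project; the config and log text inside it are constructed from the snippets quoted above.

```python
import re
# Constructed inputs modelled on the thread's own snippets, not captured from a host.
STRONGSWAN_CONF = """charon {
        interfaces_use = "lo"
}
"""
LOG_WITH_LO = """00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     1.100.0.5
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
"""

def parse_interfaces_use(conf):
    """Raw charon.interfaces_use value (None if unset) and the names it lists."""
    m = re.search(r'^\s*interfaces_use\s*=\s*(.*?)\s*$', conf, re.M)
    if not m:
        return None, []
    return m.group(1), [n for n in re.split(r'[\s,]+', m.group(1)) if n]

def parse_known_interfaces(log):
    """Parse the 00[KNL] 'known interfaces' block into {iface: [addr, ...]}."""
    known, cur, lines = {}, None, iter(log.splitlines())
    for line in lines:                     # skip ahead to the block header
        if 'known interfaces and IP addresses' in line:
            break
    for line in lines:                     # block ends at the first non-'[KNL] token' line
        m = re.match(r'^\d+\[KNL\]( +)(\S+)\s*$', line)
        if not m:
            break
        indent, token = m.groups()
        if len(indent) > 3:                # deeper indent: an address of the current iface
            known.setdefault(cur, []).append(token)
        else:                              # shallower indent: an interface name
            cur, known[token] = token, []
    return known

def check(conf, log):
    """Findings as strings; an empty list means the setting and the log agree."""
    raw, names = parse_interfaces_use(conf)
    if raw is None:
        return ["interfaces_use unset: charon uses every interface it finds"]
    known, findings = parse_known_interfaces(log), []
    for name in names:
        bare = name.strip('"\'')           # strongswan.conf value as written vs. bare name
        if bare != name:
            findings.append(f"{name}: quoted value, try interfaces_use = {bare}")
        if bare not in known:
            findings.append(f"{bare}: not in charon's known interfaces (is it up?)")
    return findings
```

An empty "known interfaces" block, as in the second log in the thread, yields the "not in charon's known interfaces" finding; the interface-state check itself (lo being DOWN before charon started) is what resolved it here.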