[strongSwan] charon unmet dependency on native android build
Nathan Bahr
nbahr at atcorp.com
Fri May 26 17:43:35 CEST 2017
Thanks Tobias,
So I changed my strongswan.conf file so that charon.load_modular = no
and left everything else the same and the charon daemon was finally able
to start up!
After that I decided to consolidate all the configuration into the
strongswan.conf file and re-enabled load_modular and it continued to
work so it definitely seems that including conf files is the problem.
For now this will work for me so I will continue with testing it out and
making sure everything works.
There is one issue that popped up now that charon was able to start
successfully.
I get these netlink errors.
00[LIB] loading feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink'
00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
00[KNL] 0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00  ....%...........
00[KNL] 16: 00 00 00 00 ....
00[KNL] netlink write error: Invalid argument
00[KNL] sending XFRM_MSG_GETSPDINFO 202: => 20 bytes @ 0xbeba6580
00[KNL] 0: 14 00 00 00 25 00 01 00 CA 00 00 00 C1 1E 00 00  ....%...........
00[KNL] 16: 00 00 00 00 ....
00[KNL] netlink write error: Invalid argument
My kernel should have all the right modules enabled, and all the other
netlink messaging that I see in the log is fine.
It doesn't stop charon from starting though so for now I will push
forward and see if I can establish a connection but any insight into why
including conf files is failing would be appreciated because it does
make it easier to configure connections.
One last thing, cross compiling strongswan for android was actually a
lot easier than I expected, but besides adding the -llog flag for
android logging, there was only one other hack I had to make in order
for the build to be correct. On my target device, sh is located at
/system/bin/sh, but in the ipsec script, the makefile is hardcoded to
replace @IPSEC_SHELL@ with /bin/sh, so I just updated the makefile with
the correct path for my environment. Being able to set that via a
configure flag though would probably be useful.
Thanks again for the help!
On 05/26/2017 03:10 AM, Tobias Brunner wrote:
> Hi Nathan,
>
>> The output I get is (I get the same log output if I do ipsec start
>> instead of executing charon directly):
>>
>> root@kltetmo:/ # charon
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
>> dependency: NONCE_GEN
>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
>> has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
>> has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] failed to load 3 critical plugin features
>> 00[DMN] initialization failed - aborting charon
> You could try to increase the log level for the LIB and perhaps CFG
> subsystems [1].
>
>> (By the way, I had to add the -llog flag to LDFLAGS because
>> --enable-android-log didn't do it for me automatically, not sure if that
>> is an issue or I have something set up wrong.)
> I've pushed a fix for that to master.
>
>> I am using the same conf files that were generated from the make
>> install, so strongswan.conf has load_modular = yes and includes all the
>> plugin conf files. Each plugin conf file has load = yes.
> This could be the problem, perhaps resolving the plugin list fails (e.g.
> because including the files fails), which would also explain this:
>
>> All the other executables seem to load ok, just running with --help to
>> test loading libraries. For example this is the output of pki:
> This tool uses a hard-coded plugin list determined at compile-time.
> With the default config charon (and some of its charon-* derivatives) is
> the only program that uses the modular configuration. So you could also
> try to disable charon.load_modular in strongswan.conf so charon's
> hard-coded default plugin list is used.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
>
--
Nathan Bahr
Architecture Technology Corp.
952-829-5864 x174
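
Added example, not part of the original message or of strongSwan: a small decoder for the netlink hex dump in the charon log quoted above, useful for checking that the header charon sent is well-formed before looking at the kernel side of the "Invalid argument" error. It assumes little-endian byte order (the host is armv7l), takes the type and flag values from linux/xfrm.h and linux/netlink.h, and uses illustrative function names.

```python
import re
import struct

# Constructed input: log lines from the message above, ASCII column omitted.
CHARON_LOG = """\
00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
00[KNL] 0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00
00[KNL] 16: 00 00 00 00
00[KNL] netlink write error: Invalid argument
"""

# Subset of message types from linux/xfrm.h (XFRM_MSG_BASE is 0x10).
XFRM_TYPES = {0x22: "XFRM_MSG_NEWSADINFO", 0x23: "XFRM_MSG_GETSADINFO",
              0x24: "XFRM_MSG_NEWSPDINFO", 0x25: "XFRM_MSG_GETSPDINFO"}
# Generic flag bits from linux/netlink.h.
NLM_FLAGS = {0x01: "NLM_F_REQUEST", 0x02: "NLM_F_MULTI",
             0x04: "NLM_F_ACK", 0x08: "NLM_F_ECHO"}

# "<thread>[KNL] <offset>: <hex bytes>", stopping before any ASCII column.
HEX_ROW = re.compile(r"\d+\[KNL\]\s+(\d+):\s+((?:[0-9A-Fa-f]{2} ?)+)")


def extract_dumps(log):
    """Reassemble each hex dump (rows restart at offset 0) into bytes."""
    dumps = []
    for line in log.splitlines():
        m = HEX_ROW.match(line.strip())
        if not m:
            continue
        if int(m.group(1)) == 0:
            dumps.append(bytearray())
        if dumps:
            dumps[-1] += bytes.fromhex(m.group(2))
    return [bytes(d) for d in dumps]


def decode_nlmsghdr(msg):
    """Decode the 16-byte struct nlmsghdr (little-endian assumed)."""
    if len(msg) < 16:
        raise ValueError("shorter than struct nlmsghdr")
    length, mtype, flags, seq, pid = struct.unpack_from("<IHHII", msg)
    return {"len": length, "len_ok": length == len(msg),
            "type": XFRM_TYPES.get(mtype, hex(mtype)),
            "flags": [n for bit, n in NLM_FLAGS.items() if flags & bit],
            "seq": seq, "pid": pid, "payload": msg[16:length]}


if __name__ == "__main__":
    for dump in extract_dumps(CHARON_LOG):
        print(decode_nlmsghdr(dump))
```

For the dump above, the declared length matches the 20 bytes sent and the type decodes to XFRM_MSG_GETSPDINFO with only NLM_F_REQUEST set, so the header agrees with what the log line announces.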