[strongSwan] charon unmet dependency on native android build

Nathan Bahr nbahr at atcorp.com
Fri May 26 19:28:44 CEST 2017

Just another update. I decided to try including all the conf files directly

include strongswan.d/charon/nonce.conf
include ....

And that worked, where doing includes with wildcard (include 
/strongswan.d/charon/*.conf) does not work.
Still no indication on why it fails when I look at the logs. I added the 
flag --debug-cfg 4 and didn't get any extra logging that indicated any 

On 05/26/2017 10:43 AM, Nathan Bahr wrote:
> Thanks Tobias,
> So I changed my strongswan.conf file so that charon.load_moduler = no 
> and left everything else the same and the charon daemon was finally 
> able to start up!
> After that I decided to consolidate all the configuration into the 
> strongswan.conf file and re-enabled load_modular and it continued to 
> work so it definitely seems that including conf files is the problem.
> For now this will work for me so I will continue with testing it out 
> and making sure everything works.
> There is one issue that popped up now that charon was able to start 
> successfully.
> I get these netlink errors.
> 00[LIB]       loading feature CUSTOM:kernel-ipsec in plugin 
> 'kernel-netlink'
> 00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
> 00[KNL]    0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00 
> ....%...........
> 00[KNL]   16: 00 00 00 00 ....
> 00[KNL] netlink write error: Invalid argument
> 00[KNL] sending XFRM_MSG_GETSPDINFO 202: => 20 bytes @ 0xbeba6580
> 00[KNL]    0: 14 00 00 00 25 00 01 00 CA 00 00 00 C1 1E 00 00 
> ....%...........
> 00[KNL]   16: 00 00 00 00 ....
> 00[KNL] netlink write error: Invalid argument
> My kernel should have all the right modules enabled, and all the other 
> netlink messaging that I see in the log is fine.
> It doesn't stop charon from starting though so for now I will push 
> forward and see if I can establish a connection but any insight into 
> why including conf files is failing would be appreciated because it 
> does make it easier to configure connections.
> One last thing, cross compiling strongswan for android was actually a 
> lot easier than I expected, but besides adding the -llog flag for 
> android logging, there was only one other hack I had to make in order 
> for the build to be correct. On my target device, sh is located at 
> /system/bin/sh, but in the ipsec script, the makefile is hardcoded to 
> replace @IPSEC_SHELL@ with /bin/sh, so I just updated the makefile 
> with the correct path for my environment. Being able to set that via a 
> configure flag though would probably be useful.
> Thanks again for the help!
> On 05/26/2017 03:10 AM, Tobias Brunner wrote:
>> Hi Nathan,
>>> The output I get is (I get the same log output if I do ipsec start
>>> instead of executing charon directly):
>>> root at kltetmo:/ # charon
>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, 
>>> armv7l)
>>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
>>> dependency: NONCE_GEN
>>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
>>> has unmet dependency: HASHER:HASH_SHA1
>>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 
>>> 'charon'
>>> has unmet dependency: HASHER:HASH_SHA1
>>> 00[LIB] failed to load 3 critical plugin features
>>> 00[DMN] initialization failed - aborting charon
>> You could try to increase the log level for the LIB and perhaps CFG
>> subsystems [1].
>>> (By the way, I had to add the -llog flag to LDFLAGS because
>>> --enable-android-log didn't do it for me automatically, not sure if 
>>> that
>>> is an issue or I have something set up wrong.)
>> I've pushed a fix for that to master.
>>> I am using the same conf files that were generated from the make
>>> install, so strongswan.conf has load_modular = yes and includes all the
>>> plugin conf files. Each plugin conf file has load = yes.
>> This could be the problem, perhaps resolving the plugin list fails (e.g.
>> because including the files fails), which would also explain this:
>>> All the other executables seem to load ok, just running with --help to
>>> test loading libraries. For example this is the output of pki:
>> This tool uses a hard-coded plugin list determined at compile-time.
>> With the default config charon (and some of its charon-* derivatives) is
>> the only program that uses the modular configuration.  So you could also
>> try to disable charon.load_modular in strongswan.conf so charon's
>> hard-coded default plugin list is used.
>> Regards,
>> Tobias
>> [1]https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration 

Nathan Bahr
Architecture Technology Corp.
952-829-5864 x174

More information about the Users mailing list