[strongSwan] Failure connecting VICI socket: permission denied

Also, I’ve noticed a different error message.

root at test-frr-debian-02:/run# ipsec up dmvpn
unable to resolve %any, initiate aborted
tried to checkin and delete nonexisting IKE_SA
establishing connection 'dmvpn' failed

This is the output of "ipsec statusall"
root at test-frr-debian-02:/run# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):
  uptime: 83 minutes, since Nov 08 03:33:12 2017
  malloc: sbrk 2297856, mmap 0, used 304288, free 1993568
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
       dmvpn:  %any...%any  IKEv2, dpddelay=15s
       dmvpn:   local:  [test-frr-debian-02] uses pre-shared key authentication
       dmvpn:   remote: uses pre-shared key authentication
       dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
Security Associations (0 up, 0 connecting):

Here’s my config of ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXXXXXXXXXXX"

Here’s my config of swanctl.conf

connections {
        dmvpn {
                version = 2
                pull = no
                mobike = no
                dpd_delay = 15
                dpd_timeout = 30
                fragmentation = yes
                unique = replace
                rekey_time = 4h
                reauth_time = 13h
                proposals = aes256-sha512-ecp384
                local {
                        auth = psk
                        id = test-frr-debian-02
                }
                remote {
                        auth = psk
                }
                children {
                        dmvpn {
                                esp_proposals = aes256-sha512-ecp384
                                local_ts = dynamic[gre]
                                remote_ts = dynamic[gre]
                                inactivity = 90m
                                rekey_time = 100m
                                mode = transport
                                dpd_action = clear
                                reqid = 1
                        }
                }
        }
}



Hi Jafar,

You are right!
After I allowed user "frr" to access "charon.vici", the error message is gone.

Now I’m getting this error message.

2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support mandatory events (unpatched?)

I installed tteras’ patched version of strongswan.
However I’m not sure how to tell if it’s properly installed.

I got it from git: git clone git://git.alpinelinux.org/user/tteras/strongswan
Then I used the "autogen.sh" script, then "configure", then "make; make install".

Not sure if I have done anything wrong, or missed anything.

Is there a way to validate that Strongswan is properly patched and installed?



    From the limited information you are giving, my guess is that nhrpd doesn't have permissions to access the VICI socket. nhrpd is probably configured as part of FRR/Quagga with permissions to access /var/run/frr or /var/run/quagga only. Whereas the vici socket, according to


is: unix:///var/run/charon.vici

Give nhrpd permissions to access this file and you should be good to go.


I'm trying to set up nhrpd with strongswan, and I'm getting this error message.

Failure connecting VICI socket: permission denied

I wonder if there is a way to test the VICI socket and see if it’s running properly?
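A small probe for the two questions in this thread: whether the VICI socket at /var/run/charon.vici can be opened by the connecting user (the permission-denied case above), and whether the daemon confirms a given event registration, which is what nhrpd's "does not support mandatory events" complaint is about. This is an added example, not nhrpd's or strongSwan's own code; it speaks the VICI wire format directly with only the Python standard library, the socket path is the one named in the thread, and the event name is an assumed parameter (`child-updown` is a stock strongSwan event used only as a default; the thread does not say which events the patched build adds).

```python
import socket
import struct

CMD_REQUEST, CMD_RESPONSE, EVENT_REGISTER, EVENT_CONFIRM = 0, 1, 3, 5  # VICI packet types used here
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)  # message elements

def frame(ptype, name):  # packet = 4-byte big-endian length, type byte, 1-byte name length, name
    body = bytes([ptype, len(name)]) + name.encode()
    return struct.pack(">I", len(body)) + body

def decode(data):  # message body (sections, key=value pairs, lists) -> nested dicts and lists
    root = cur = {}
    stack, pos = [], 0
    while pos < len(data):
        t, pos = data[pos], pos + 1
        if t in (SECTION_START, KEY_VALUE, LIST_START):  # element carries a key (1-byte length)
            key, pos = data[pos + 1:pos + 1 + data[pos]].decode(), pos + 1 + data[pos]
        if t in (KEY_VALUE, LIST_ITEM):  # element carries a value (2-byte big-endian length)
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            val, pos = data[pos + 2:pos + 2 + n].decode(), pos + 2 + n
        if t in (SECTION_START, LIST_START):  # descend into a nested container
            stack.append(cur)
            cur = cur.setdefault(key, {} if t == SECTION_START else [])
        elif t in (SECTION_END, LIST_END):
            cur = stack.pop()
        elif t == KEY_VALUE:
            cur[key] = val
        elif t == LIST_ITEM:
            cur.append(val)
        else:
            raise ValueError("unknown VICI element type %d" % t)
    return root

def request(sock, ptype, name):  # send one packet, return (type, body) of the daemon's reply
    sock.sendall(frame(ptype, name))
    f = sock.makefile("rb")
    reply = f.read(struct.unpack(">I", f.read(4))[0])
    return reply[0], reply[1:]

def check_vici(path="/var/run/charon.vici", event="child-updown"):  # path from the thread; event assumed
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(path)
        except OSError as e:  # EACCES is the thread's "permission denied"; ENOENT/ECONNREFUSED mean no daemon
            return "cannot connect to %s: %s" % (path, e.strerror)
        ptype, body = request(s, CMD_REQUEST, "version")
        info = decode(body) if ptype == CMD_RESPONSE else {}
        etype, _ = request(s, EVENT_REGISTER, event)
    status = "confirmed" if etype == EVENT_CONFIRM else "NOT offered by this daemon (unpatched build?)"
    return "%s %s: event '%s' %s" % (info.get("daemon"), info.get("version"), event, status)
```

Run `check_vici()` as the account nhrpd runs under (the thread mentions user "frr") so the connect result is the one nhrpd would get, not root's.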



