[strongSwan] Failure connecting VICI socket: permission denied
terryfcc at icloud.com
Wed Nov 8 11:00:02 CET 2017
Also, I’ve noticed a different error message.
root at test-frr-debian-02:/run# ipsec up dmvpn
unable to resolve %any, initiate aborted
tried to checkin and delete nonexisting IKE_SA
establishing connection 'dmvpn' failed
This is the output of "ipsec statusall"
root at test-frr-debian-02:/run# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):
uptime: 83 minutes, since Nov 08 03:33:12 2017
malloc: sbrk 2297856, mmap 0, used 304288, free 1993568
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
Listening IP addresses:
dmvpn: %any...%any IKEv2, dpddelay=15s
dmvpn: local: [test-frr-debian-02] uses pre-shared key authentication
dmvpn: remote: uses pre-shared key authentication
dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
Security Associations (0 up, 0 connecting):
Here’s my config of ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file
192.168.200.1 : PSK "XXXXXXXXXXXXXXXX"
Here’s my config of swanctl.conf
connections {
    dmvpn {
        version = 2
        pull = no
        mobike = no
        dpd_delay = 15
        dpd_timeout = 30
        fragmentation = yes
        unique = replace
        rekey_time = 4h
        reauth_time = 13h
        proposals = aes256-sha512-ecp384
        local {
            auth = psk
            id = test-frr-debian-02
        }
        remote {
            auth = psk
        }
        children {
            dmvpn {
                esp_proposals = aes256-sha512-ecp384
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                inactivity = 90m
                rekey_time = 100m
                mode = transport
                dpd_action = clear
                reqid = 1
            }
        }
    }
}
On 8 November 2017 at 15:53:55, Terry Fu (terryfcc at icloud.com) wrote:
You are right!
After I allowed user “frr” to access “charon.vici”, the error message is gone.
Now I’m getting this error message.
2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support mandatory events (unpatched?)
I installed tteras’ patched version of strongswan.
However I’m not sure how to tell if it’s properly installed.
I got it from git: git clone git://git.alpinelinux.org/user/tteras/strongswan
Then I used the "autogen.sh" script, then "configure", then "make; make install".
Not sure if I have done anything wrong, or missed anything.
Is there a way to validate that Strongswan is properly patched and installed?
On 8 November 2017 at 00:34:52, Jafar Al-Gharaibeh (jafar at atcorp.com) wrote:
From the limited information you are giving, my guess is that nhrpd doesn't have permissions to access the VICI socket. nhrpd is probably configured as part of FRR/Quagga with permissions to access /var/run/frr or /var/run/quagga only. Whereas the vici socket, according to
Give nhrpd permissions to access this file and you should be good to.
On 11/7/2017 10:06 AM, Chengcheng Fu wrote:
I’m trying to set up nhrpd with strongswan, and I’m getting this error message.
Failure connecting VICI socket: permission denied
I wonder if there is a way to test the VICI socket and see if it’s running properly?
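The permission diagnosis given in the thread (the user nhrpd runs as cannot open the VICI socket) can be reproduced from the shell without touching charon at all: compare the socket's owner, group and mode against the groups of the connecting user. The script below is an added example, not code from the thread, FRR or strongSwan. The socket path /var/run/charon.vici and the user name "frr" are assumptions taken from the discussion, and the script assumes a Linux system with GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a given Unix user can
# connect to a Unix-domain socket such as strongSwan's VICI socket, judged only
# from the socket inode's owner/group/mode and the user's group membership.
# Assumptions: Linux with GNU/BusyBox stat; socket path and user name below are
# placeholders taken from the discussion and can be overridden via environment.

VICI_SOCKET="${VICI_SOCKET:-/var/run/charon.vici}"
NHRPD_USER="${NHRPD_USER:-frr}"

# user_in_group USER GROUP: succeeds if USER belongs to GROUP (primary or supplementary).
user_in_group() {
    for _m in $(id -Gn "$1" 2>/dev/null); do
        [ "$_m" = "$2" ] && return 0
    done
    return 1
}

# can_access PATH USER: returns 0 if USER may connect to the socket at PATH,
# 1 if not, 2 if PATH does not exist. connect(2) on a Unix socket needs the
# write bit, and only one permission class applies: owner bits for the owner,
# group bits for group members, other bits for everyone else. Root is always allowed.
can_access() {
    _p="$1"; _u="$2"
    [ -e "$_p" ] || return 2
    [ "$_u" = "root" ] && return 0
    _st=$(stat -c '%U %G %a' "$_p" 2>/dev/null) || return 2
    set -- $_st
    _owner="$1"; _group="$2"; _mode="$3"
    _mode=${_mode#"${_mode%???}"}     # keep the last three octal digits (drop setuid/setgid/sticky)
    _ud=${_mode%??}                   # owner digit
    _gd=${_mode#?}; _gd=${_gd%?}      # group digit
    _od=${_mode#??}                   # other digit
    if [ "$_owner" = "$_u" ]; then
        [ $(( $_ud & 2 )) -ne 0 ] && return 0
    elif user_in_group "$_u" "$_group"; then
        [ $(( $_gd & 2 )) -ne 0 ] && return 0
    else
        [ $(( $_od & 2 )) -ne 0 ] && return 0
    fi
    return 1
}

# report PATH USER: print a verdict and, on denial, the least-privilege remedy.
report() {
    _rc=0
    can_access "$1" "$2" || _rc=$?
    case $_rc in
        0) echo "ok: $2 can connect to $1" ;;
        2) echo "missing: $1 (is charon running, or is the vici socket configured elsewhere?)" ;;
        *) echo "denied: $2 cannot connect to $1 ($(stat -c 'owner %U group %G mode %a' "$1"))"
           echo "hint: add $2 to the socket's group (or give the socket a group $2 is in);"
           echo "      do not open the socket to everyone, VICI controls the whole IKE daemon" ;;
    esac
    return $_rc
}

# Run the check only when invoked with --run, so the functions can be sourced elsewhere.
if [ "${1:-}" = "--run" ]; then
    report "$VICI_SOCKET" "$NHRPD_USER"
fi
```

Run it as root with `sh check_vici.sh --run`. Once the mode check passes, confirm the daemon actually answers for that user by issuing a harmless VICI query as the same account, for example `sudo -u frr swanctl --stats`; the same "permission denied" will surface there if the socket is still unreachable. The remedy the hint suggests, group access for the nhrpd user rather than a world-writable socket, matters because any local user who can write to charon.vici can load, initiate and terminate IPsec connections.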