[strongSwan] Failure connecting VICI socket: permission denied

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Nov 8 22:03:33 CET 2017


Hi Terry,

For a start, the code is here: https://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release
That's not documented, but Timo didn't touch anything in the build system or the configure arguments, so the commands are the same as one would normally build strongSwan.
The debian source is here: https://packages.debian.org/buster/strongswan
You're interested in the archive that provides the "debian" directory. In that directory, look primarily at the "control" file.
Maybe you have to provide an archive that contains the source, if you can't make those files clone from Timo's repo directly.

Kind regards

Noel

On 08.11.2017 21:48, Chengcheng Fu wrote:
> Hi Noel,
> 
> Any chance there is a document describing how Timo builds it?
> 
> Regards,
> 
> Terry
> 
>> On 9 Nov 2017, at 3:37 AM, Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting> wrote:
>>
>> Hello Terry,
>>
>> Of course it aborts. %any is neither an IP address, nor an FQDN.
>>
>> Check the output of `which ipsec` to figure out where your shell gets it from. Make sure it uses only libs that belong to your compiled version. You likely mixed up
>> the files of the package with your self-compiled ones. Uninstall the package. nhrp already told you that the wrong version is in use on your system.
>> Build the software the exact same way Timo does. Otherwise you will fail in one way or another. You do not know enough yourself to do this right without help.
>> The best way for you, and to keep it maintained, is to just get the debian package source files of the package and change it to build from the source that supports nhrp.
>>
>> Kind regards
>>
>> Noel
>>
>>> On 08.11.2017 11:00, Terry Fu wrote:
>>> Hi,
>>>
>>> Also, I’ve noticed a different error message.
>>>
>>> root at test-frr-debian-02:/run# ipsec up dmvpn
>>> unable to resolve %any, initiate aborted
>>> tried to checkin and delete nonexisting IKE_SA
>>> establishing connection 'dmvpn' failed
>>>
>>>
>>> This is the output of "ipsec statusall"
>>> root at test-frr-debian-02:/run# ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):
>>>   uptime: 83 minutes, since Nov 08 03:33:12 2017
>>>   malloc: sbrk 2297856, mmap 0, used 304288, free 1993568
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>> Listening IP addresses:
>>>   192.168.23.208
>>>   192.168.200.2
>>>   192.168.222.1
>>>   192.168.12.2
>>> Connections:
>>>        dmvpn:  %any...%any  IKEv2, dpddelay=15s
>>>        dmvpn:   local:  [test-frr-debian-02] uses pre-shared key authentication
>>>        dmvpn:   remote: uses pre-shared key authentication
>>>        dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
>>> Security Associations (0 up, 0 connecting):
>>>   none
>>>
>>>
>>> Here’s my config of ipsec.secrets
>>> # ipsec.secrets - strongSwan IPsec secrets file
>>> 192.168.200.1 : PSK "XXXXXXXXXXXXXXXX"
>>>
>>> Here’s my config of swanctl.conf
>>>
>>> connections {
>>>         dmvpn {
>>>                 version = 2
>>>                 pull = no
>>>                 mobike = no
>>>                 dpd_delay = 15
>>>                 dpd_timeout = 30
>>>                 fragmentation = yes
>>>                 unique = replace
>>>                 rekey_time = 4h
>>>                 reauth_time = 13h
>>>                 proposals = aes256-sha512-ecp384
>>>                 local {
>>>                         auth = psk
>>>                         id = test-frr-debian-02
>>>                 }
>>>                 remote {
>>>                         auth = psk
>>>                 }
>>>                 children {
>>>                         dmvpn {
>>>                                 esp_proposals = aes256-sha512-ecp384
>>>                                 local_ts = dynamic[gre]
>>>                                 remote_ts = dynamic[gre]
>>>                                 inactivity = 90m
>>>                                 rekey_time = 100m
>>>                                 mode = transport
>>>                                 dpd_action = clear
>>>                                 reqid = 1
>>>                         }
>>>                 }
>>>         }
>>> }
>>>
>>>
>>> Regards,
>>>
>>> Terry
>>>
>>>
>>>> On 8 November 2017 at 15:53:55, Terry Fu (terryfcc at icloud.com <mailto:terryfcc at icloud.com>) wrote:
>>>>
>>>> Hi Jafar,
>>>>
>>>> You are right! 
>>>> After I allowed user “frr” to access “charon.vici”, the error message is gone.
>>>>
>>>> Now I’m getting this error message.
>>>>
>>>> 2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support mandatory events (unpatched?)
>>>>
>>>>
>>>> I installed tteras’ patched version of strongswan.
>>>> However I’m not sure how to tell if it’s properly installed.
>>>>
>>>> I got it from git:   git clone git://git.alpinelinux.org/user/tteras/strongswan
>>>> Then I used the “autogen.sh” script, then “configure", then “make; make install”.
>>>>
>>>> Not sure if I have done anything wrong, or missed anything.
>>>>
>>>> Is there a way to validate that Strongswan is properly patched and installed?
>>>>
>>>> Regards,
>>>>
>>>> Terry
>>>>
>>>>
>>>>
>>>>> On 8 November 2017 at 00:34:52, Jafar Al-Gharaibeh (jafar at atcorp.com <mailto:jafar at atcorp.com>) wrote:
>>>>>
>>>>> Terry,
>>>>>
>>>>>     From the limited information you are giving, my guess is that nhrpd doesn't have permissions to access the VICI socket. nhrpd is probably configured as part of FRR/Quagga with permissions to access /var/run/frr or /var/run/quagga only. Whereas the vici socket, according to
>>>>>
>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/VICI
>>>>>
>>>>> is: unix:///var/run/charon.vici
>>>>>
>>>>> Give nhrpd permissions to access this file and you should be good to go.
>>>>>
>>>>> --Jafar
>>>>>
>>>>>
>>>>>> On 11/7/2017 10:06 AM, Chengcheng Fu wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I’m trying to set up nhrpd with strongswan, and I’m getting this error message.
>>>>>>>
>>>>>>> Failure connecting VICI socket: permission denied
>>>>>>>
>>>>>>>
>>>>>>> I wonder if there is a way to test the VICI socket and see if it’s running properly?
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>> Terry
>>>>>>>
>>>>>
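
The thread raises two checks a VICI client such as nhrpd needs: can the daemon's user connect to /var/run/charon.vici at all (the "permission denied" at the start), and does the running charon accept the event registrations the client asks for (the "does not support mandatory events (unpatched?)" message after the permission fix). The script below is an added illustration written for this archive page; it is not code from strongSwan, FRR/nhrpd or any of the posters. It assumes the default socket path cited in the thread, the published VICI framing (4-byte big-endian length, 1-byte packet type, 1-byte name length for command and event names, 1-byte key and 2-byte value lengths inside messages), and, as a stand-in, the stock event name "child-updown" for the registration probe, because the exact list of events nhrpd requires from the patched build is not stated in the thread.

```python
import os
import socket
import stat
import struct

VICI_SOCKET = "/var/run/charon.vici"     # default path, as cited in the thread
REQUIRED_EVENTS = ("child-updown",)      # assumption: a stock event name used for illustration

# Packet and element type codes from the published VICI protocol description.
CMD_REQUEST, CMD_RESPONSE, EVENT_REGISTER, EVENT_CONFIRM, EVENT_UNKNOWN = 0, 1, 3, 5, 6
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6


def socket_access_allowed(mode, st_uid, st_gid, uid, gids):
    """connect() on a UNIX socket needs write permission on the socket inode;
    apply the owner/group/other bits the way the kernel does (root bypasses)."""
    if uid == 0:
        return True
    if st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def encode_request(name, packet_type=CMD_REQUEST):
    """Frame a bodiless command request or event registration."""
    name = name.encode()
    body = bytes([packet_type, len(name)]) + name
    return struct.pack(">I", len(body)) + body


def _value(data, pos):
    """Read one 2-byte length-prefixed value; return (value, new_pos)."""
    (vlen,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + vlen].decode(), pos + 2 + vlen


def decode_message(data):
    """Parse a VICI message body into nested dicts (sections) and lists."""
    root, stack, pos = {}, [], 0
    current = root
    while pos < len(data):
        kind, pos = data[pos], pos + 1
        if kind in (SECTION_START, KEY_VALUE, LIST_START):    # named elements
            name = data[pos + 1:pos + 1 + data[pos]].decode()
            pos += 1 + data[pos]
        if kind == SECTION_START:
            stack.append(current)
            section = {}
            current[name] = section
            current = section
        elif kind == KEY_VALUE:
            current[name], pos = _value(data, pos)
        elif kind == LIST_START:
            stack.append(current)
            items = []
            current[name] = items
            current = items
        elif kind == LIST_ITEM:
            item, pos = _value(data, pos)
            current.append(item)
        elif kind in (SECTION_END, LIST_END):
            current = stack.pop()
        else:
            raise ValueError("bad VICI element type %d" % kind)
    return root


def read_packet(f):
    """Return (packet_type, payload) for one length-prefixed packet."""
    (length,) = struct.unpack(">I", f.read(4))
    packet = f.read(length)
    return packet[0], packet[1:]


def probe_vici(path=VICI_SOCKET, events=REQUIRED_EVENTS):
    """Report what a VICI client running as the current user would observe."""
    result = {"socket": path}
    try:
        st = os.stat(path)
    except FileNotFoundError:
        result["status"] = "missing"             # charon not running, or another socket path
        return result
    result["writable"] = socket_access_allowed(
        st.st_mode, st.st_uid, st.st_gid, os.geteuid(), os.getgroups())
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.settimeout(5)
    try:
        sock.connect(path)
    except PermissionError:
        result["status"] = "permission-denied"   # the failure nhrpd reported in the thread
        return result
    except OSError as exc:
        result["status"] = "connect-failed: %s" % exc
        return result
    with sock, sock.makefile("rb") as f:
        sock.sendall(encode_request("version"))
        ptype, payload = read_packet(f)
        result["version"] = decode_message(payload) if ptype == CMD_RESPONSE else None
        # A build lacking an event answers EVENT_UNKNOWN instead of EVENT_CONFIRM.
        missing = []
        for event in events:
            sock.sendall(encode_request(event, EVENT_REGISTER))
            if read_packet(f)[0] != EVENT_CONFIRM:
                missing.append(event)
        result["unsupported_events"] = missing
    result["status"] = "ok"
    return result


if __name__ == "__main__":
    print(probe_vici())
```

Run it as the account the routing daemon uses (for example `sudo -u frr python3 probe_vici.py`) rather than as root, since root bypasses the permission bits and would mask the exact failure nhrpd saw. When the fix from the thread is applied, prefer giving that account group access to the socket over making it world-writable: anyone who can write to charon.vici can reconfigure and control the IKE daemon.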
