[strongSwan] help with ext-auth plugin

Andreas Steffen andreas.steffen at strongswan.org
Sat Aug 4 13:10:21 CEST 2018

Hello Amit,

your log says:

00[CFG] no script for ext-auth script defined, disabled

The ex-auth plugin description


or man strongswan.conf

  charon.plugins.ext-auth.script []
     Command to pass to the system shell for peer authorization.
     Authorization is considered successful if the command executes
     normally with an exit code of zero. For all other exit codes
     IKE_SA authorization is rejected.

    The  following environment variables get passed to the script:
       IKE_UNIQUE_ID: The IKE_SA numerical unique identifier.
       IKE_NAME: The peer configuration connection name.
       IKE_LOCAL_HOST: Local IKE IP address.
       IKE_REMOTE_HOST: Remote IKE IP address.
       IKE_LOCAL_ID: Local IKE  identity.
       IKE_REMOTE_ID:  Remote  IKE  identity.
       IKE_REMOTE_EAP_ID: Remote EAP or XAuth identity, if used.

Thus you have to define an authentication script in strongswan.conf:

charon {
   plugins {
      ext-auth {
         script = <path to authentication script>



On 02.08.2018 18:55, Amit Priyadarshi wrote:
> Hello Strongswan experts,
> I am a strongswan-rookie and need some experts advice here.
> I am trying to configure strongswan to use external auth script.
> i followed below steps.
> root at ampriyad-Inspiron-3558:/home/ampriyad/strongswan/strongswan-5.6.3#
> ./configure --enable-ext-auth
> then i went ahead and did a 
> make followed by 
> make install.
> When i lauched ipsec i got below run logs
> Note that the plug in "ext-auth" did not gt loaded.
> root at ampriyad-Inspiron-3558:/home/ampriyad/strongswan/strongswan-5.6.3#
> ipsec start --debug-all --nofork
> Starting strongSwan 5.6.3 IPsec [starter]...
> Loading config setup
> found netkey IPsec stack
> Attempting to start charon...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux
> 4.15.0-29-generic, x86_64)
> 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from
> '/usr/local/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
> 00[CFG] no script for ext-auth script defined, disabled
> 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random
> nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
> dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr
> kernel-netlink resolve socket-default stroke vici updown xauth-generic
> counters
> 00[JOB] spawning 16 worker threads
> Please guide me on what did i miss?
> -- 
> Regards,
> Amit Priyadarshi

Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
HSR University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2945 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20180804/75187c6c/attachment.bin>

More information about the Users mailing list