[strongSwan] vici/python interface errors

Volodymyr Litovka doka.ua at gmx.com
Mon Dec 2 11:26:39 CET 2019 

Dear friends,

I'm trying to manage connections over Vici socket using Python API and
getting an error when terminating SAS. I'm doing according to
https://www.strongswan.org/apidoc/md_src_libcharon_plugins_vici_README.html
(part terminate()) which says, that connection can be terminated by
using either (?):
1) configuration name of CHILD_SA
2) configuration name of IKE_SA
3) reqid of CHILD_SA
4) unique id of IKE_SA

The sample code try to terminate connection using unique id of IKE_SA:

v = vici.Session()

for s in v.list_sas():
     conn = s.get('ikev2-eap-mschapv2', None)    # This is connection name in swanctl.conf
     if conn:
         rem_id = conn['remote-id'].decode()
         uniq_id = int(conn['uniqueid'].decode())	# Same error regardless of byte, string or integer interpretation
         print(f"Connection {rem_id} has an ID {uniq_id}")
         if rem_id == 'doka':
             print('Terminating')
             t = v.terminate({
                 'ike-id': uniq_id,
                 'timeout': -1
             })
             for c in t:
                 pass
             exit(0)

The result of execution is:

Connection doka has an ID 379
Terminating
Exception ignored in: <generator object Session.streamed_request at 0x7fccd4d5c6d0>
Traceback (most recent call last):
   File "/home/doka/PyDev/lib/python3.6/site-packages/vici/session.py", line 128, in streamed_request
     response=Packet.CMD_RESPONSE
vici.exception.SessionException: Unexpected response type 5, expected '1' (CMD_RESPONSE)
Traceback (most recent call last):
   File "./vit.py", line 22, in <module>
     for c in t:
   File "/home/doka/PyDev/lib/python3.6/site-packages/vici/session.py", line 103, in streamed_request
     self._register_unregister(event_stream_type, True)
   File "/home/doka/PyDev/lib/python3.6/site-packages/vici/session.py", line 49, in _register_unregister
     confirm=Packet.EVENT_CONFIRM,
vici.exception.SessionException: Unexpected response type 1, expected '5' (EVENT_CONFIRM)

so, just calling generator, returned by terminate() ("for c in t"), lead
to the error. On the other hand, calling swanctl with same parameters
results in success termination of connection:

# swanctl --terminate --ike-id 379 --debug --pretty
[IKE] deleting IKE_SA ikev2-eap-mschapv2[379] between x.x.x.x[my.swan.host]...y.y.y.y[doka]
[IKE] sending DELETE for IKE_SA ikev2-eap-mschapv2[379]
[ENC] generating INFORMATIONAL request 0 [ D ]
[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[4500] (80 bytes)
[NET] received packet: from y.y.y.y[4500] to x.x.x.x[4500] (80 bytes)
[ENC] parsed INFORMATIONAL response 0 [ ]
[IKE] IKE_SA deleted


So, the question is - what I'm doing wrong and how to do in order to get
the desired result?

Environment: Ubuntu 18.04, Strongswan 5.6.2 (latest available from
Ubuntu repo), vici==5.8.0 (but same error appears when using
vici=5.5.3), Python 3.6

Thank you.

--
Volodymyr Litovka
   "Vision without Execution is Hallucination." -- Thomas Edison

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20191202/aa11cbd2/attachment.html>

More information about the Users mailing list