[strongSwan] updown script not called

Christoph Harder charder at telco-tech.de
Thu Nov 28 17:02:23 CET 2019


Hello Thomas,

you could try it without parameters, e.g.
updown = /usr/local/libexec/ipsec/_updown

The updown script is called by the user that runs strongSwan, e.g. the 
user 'ipsec'. In case you're trying to log something from within the 
updown script, it will not log to the console (at least it didn't work 
for me, but logging to syslog worked).

Best regards,
Christoph

TELCO TECH GmbH
Berlin Branch
Mädewalder Weg 2
12621 Berlin
Tel.: +49 30 565862610
Web: www.telco-tech.de
District Court Potsdam-Stadt HRB 55 79
Management:
Bernd Schulz
Silke Schirmer

On 28.11.19 at 16:53, Thomas Rudolph wrote:
> It must be something very simple and stupid I'm doing wrong; on several machines it is all the same, the updown script is not called.
> 
> Config:
> 
> connections {
> 
>     conn1 {
>        local_addrs  = 200.10.10.2
>        remote_addrs = 200.10.10.1
>        local {
>           auth = psk
>           id = 200.10.10.2
>        }
>        remote {
>           auth = psk
>           id = 200.10.10.1
>        }
>        children {
>           child1 {
>              local_ts  = 192.168.0.0/24
>              remote_ts = 192.168.2.0/24
>              updown = /usr/local/libexec/ipsec/_updown iptables
>              esp_proposals = aes256gcm16-sha512
>           }
>        }
>        version = 2
>        mobike = no
>        proposals = aes128-aescmac-prfsha1-modp2048
>     }
> }
> 
> secrets {
>     ike1 {
>        ida = 200.10.10.2
>        idb = 200.10.10.1
>        secret = .....
>     }
> }
> 
> Up/Down sequence
> 
> root at strongswan:/home/rudt/projects/vpn-server# swanctl -i --ike conn1
> [IKE] initiating IKE_SA conn1[16] to 200.10.10.1
> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> [NET] sending packet: from 200.10.10.2[500] to 200.10.10.1[500] (462 bytes)
> [NET] received packet: from 200.10.10.1[500] to 200.10.10.2[500] (470 bytes)
> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
> [CFG] selected proposal: IKE:AES_CBC_128/AES_CMAC_96/PRF_HMAC_SHA1/MODP_2048
> [IKE] authentication of '200.10.10.2' (myself) with pre-shared key
> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
> [NET] sending packet: from 200.10.10.2[500] to 200.10.10.1[500] (156 bytes)
> [NET] received packet: from 200.10.10.1[500] to 200.10.10.2[500] (124 bytes)
> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) ]
> [IKE] authentication of '200.10.10.1' with pre-shared key successful
> [IKE] IKE_SA conn1[16] established between 200.10.10.2[200.10.10.2]...200.10.10.1[200.10.10.1]
> [IKE] scheduling rekeying in 13670s
> [IKE] maximum IKE_SA lifetime 15110s
> initiate completed successfully
> root at strongswan:/home/rudt/projects/vpn-server# swanctl -t --ike conn1
> [IKE] deleting IKE_SA conn1[16] between 200.10.10.2[200.10.10.2]...200.10.10.1[200.10.10.1]
> [IKE] sending DELETE for IKE_SA conn1[16]
> [ENC] generating INFORMATIONAL request 2 [ D ]
> [NET] sending packet: from 200.10.10.2[500] to 200.10.10.1[500] (76 bytes)
> [NET] received packet: from 200.10.10.1[500] to 200.10.10.2[500] (76 bytes)
> [ENC] parsed INFORMATIONAL response 2 [ ]
> [IKE] IKE_SA deleted
> terminate completed successfully
> root at strongswan:/home/rudt/projects/vpn-server#
> 
> 
> and no updown-script called.
> 
> Can someone please enlighten me...
> 
> 
> -----Original Message-----
> From: Users <users-bounces at lists.strongswan.org> On behalf of Thomas Rudolph
> Sent: Thursday, 28 November 2019 17:14
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] updown script not called
> 
> Hello Christoph,
> 
> it is an absolute path.
> 
> -----Original Message-----
> From: Users <users-bounces at lists.strongswan.org> On behalf of Christoph Harder
> Sent: Thursday, 28 November 2019 17:06
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] updown script not called
> 
> Hello Thomas,
> 
> to which value did you set the updown variable / which path did you use?
> Is it a relative path or an absolute path to the updown script?
> 
> Best regards,
> Christoph Harder
> 
> 
> On 28.11.19 at 16:02, Thomas Rudolph wrote:
>> Hi,
>>
>> please help, I am trying to use a custom updown script in the swanctl.conf
>> child section.
>>
>> I only replaced the original _updown with the path to my own script.
>>
>>    * Updown plugin is loaded
>>    * CHILD_SA comes up/down successfully
>>    * Script is executable and accessible by everyone
>>
>> Regards,
>>
>> Thomas
>>
>> --
>> Thomas Rudolph
>> Teleconnect GmbH
>> Am Lehmberg 54, 01157 Dresden, Germany
>>
>> Phone: +49 351 4236 214 (Main: - 210)
>> E-Mail/Skype: rudt at teleconnect.de <mailto:rudt at teleconnect.de>
>>
>>
>>
>>    Watch our current video!
>> <https://www.youtube.com/watch?v=YtFrOo9rzSU>
>>
>>    Teleconnect <https://www.teleconnect.de>  Twitter
>> <https://twitter.com/Teleconnect_>  Linkedin
>> <https://www.linkedin.com/company/teleconnect-gmbh/>
>>
>> USt.-IdNr. (VAT ID): DE140301522
>> Registergericht (Commercial registry): Dresden, HRB 1040
>> Geschäftsführer (Managing Director): Dr. Gerald Nürnberger
>> ----------------------------------------------------------------------
>> The content of this mail may contain confidential information and is
>> intended solely for the designated addressee. If you are not the
>> intended addressee, then please inform the sender about the receipt of
>> this mail and delete the mail.
> 
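Christoph's advice above has two parts: configure `updown` without trailing parameters, and do not expect console output from the script, because strongSwan runs it as the daemon's user with no controlling terminal, so anything it prints is lost. The following minimal updown script, added here as an illustration and not strongSwan's own `_updown` nor any code from this thread, shows what a script that behaves accordingly looks like: it takes no arguments, reads the connection details from the `PLUTO_*` environment variables the updown plugin sets (`PLUTO_VERB`, `PLUTO_CONNECTION`, `PLUTO_ME`, `PLUTO_PEER`, `PLUTO_MY_CLIENT`, `PLUTO_PEER_CLIENT`), and logs every invocation through `logger(1)` to syslog, which is where Thomas would see whether it was called at all. The helper names (`updown_message`, `updown_action`, `updown_main`) and the syslog tag `updown` are assumptions of this example.

```shell
#!/bin/sh
# Example updown script for a swanctl.conf child section, e.g.
#   updown = /usr/local/libexec/ipsec/example-updown
# (path is an assumed example). strongSwan invokes it with no arguments and
# describes the CHILD_SA through PLUTO_* environment variables. The script
# runs as the daemon's user without a terminal, so nothing written to
# stdout/stderr reaches the console; all diagnostics go to syslog instead.

# Build a single syslog line from the PLUTO_* environment (assumed helper).
updown_message() {
    printf '%s conn=%s local=%s remote=%s lts=%s rts=%s' \
        "${PLUTO_VERB:-unknown}" "${PLUTO_CONNECTION:-?}" \
        "${PLUTO_ME:-?}" "${PLUTO_PEER:-?}" \
        "${PLUTO_MY_CLIENT:-?}" "${PLUTO_PEER_CLIENT:-?}"
}

# Map the verb strongSwan passes in PLUTO_VERB to an action of our own.
# up-*/down-* are the verbs issued when a CHILD_SA is installed/removed;
# anything else is logged but otherwise ignored. Prints the action name.
updown_action() {
    case "$1" in
        up-client|up-host)     echo "add" ;;
        down-client|down-host) echo "del" ;;
        *)                     echo "ignore" ;;
    esac
}

# Entry point used when the daemon calls the script.
updown_main() {
    action=$(updown_action "${PLUTO_VERB:-}")
    # Tag 'updown' and facility daemon.info are assumed; adjust to taste.
    logger -t updown -p daemon.info "$(updown_message) action=$action"
    case "$action" in
        add) : ;;   # place for route/firewall additions for the new CHILD_SA
        del) : ;;   # place for the matching removals
    esac
}

# Only act when invoked by the daemon (PLUTO_VERB is set); this keeps the
# functions sourceable for testing without touching syslog.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_main
fi
```

After installing it, a quick `swanctl -i --ike conn1` followed by `swanctl -t --ike conn1`, as in Thomas's session above, should produce one `up-client ...` and one `down-client ...` line in the system log (e.g. via `journalctl -t updown` or the syslog file); if those lines are absent, the script really is not being invoked rather than merely failing to print.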

