[strongSwan] updown script not called

Thomas Rudolph rudt at teleconnect.de
Thu Nov 28 17:14:25 CET 2019


There's no "CHILD_SA established" message in my Up/Down output below.
I think that's the problem. My wrong assumption was that updown is called when the IKE_SA is established.

From: Noel Kuntze <noel.kuntze+strongswan-users-ml at thermi.consulting>
Sent: Thursday, 28 November 2019 18:11
To: Thomas Rudolph <rudt at teleconnect.de>; users at lists.strongswan.org
Subject: Re: [strongSwan] updown script not called


Add something like `logger foo` below the shebang in the script. You could also use nsenter to get into the namespaces of charon when running under systemd to check if you can execute the file.

On the topic of that: How are you running strongSwan? And what is the output of `swanctl --stats`?

On 28.11.19 at 17:06, Thomas Rudolph wrote:
> _updown is the original file from a recent strongSwan distribution.
> Charon runs as root.
> I only added one echo to a file in /tmp.
>
>
> But now I see ... updown is in the child section, and I only did Up/Down for the IKE-SA, is
> that my failure?
>
> -----Original Message-----
> From: Users <users-bounces at lists.strongswan.org> on behalf of Christoph Harder
> Sent: Thursday, 28 November 2019 18:02
> To: users at lists.strongswan.org
> Subject: Re: [strongSwan] updown script not called
>
> Hello Thomas,
>
> you could try it without parameters e.g.
> updown = /usr/local/libexec/ipsec/_updown
>
> The updown script is called by the user that runs strongSwan, e.g. the user 'ipsec'. In case you're trying to log something from within the updown script, it will not log to the console (at least it didn't work for me, but logging to syslog worked).
>
> Best regards,
> Christoph
>
> TELCO TECH GmbH
> Niederlassung Berlin
> Mädewalder Weg 2
> 12621 Berlin
> Tel.: +49 30 565862610
> Web: www.telco-tech.de
> Amtsgericht Potsdam-Stadt HRB 55 79
> Geschäftsführung:
> Bernd Schulz
> Silke Schirmer
>
> On 28.11.19 at 16:53, Thomas Rudolph wrote:
>> It must be something very simple and stupid I'm doing wrong; on several machines it's all the same, the updown script is not called.
>>
>> Config:
>>
>> connections {
>>
>>     conn1 {
>>        local_addrs  = 200.10.10.2
>>        remote_addrs = 200.10.10.1
>>        local {
>>           auth = psk
>>           id = 200.10.10.2
>>        }
>>        remote {
>>           auth = psk
>>           id = 200.10.10.1
>>        }
>>        children {
>>           child1 {
>>              local_ts  = 192.168.0.0/24
>>              remote_ts = 192.168.2.0/24
>>              updown = /usr/local/libexec/ipsec/_updown iptables
>>              esp_proposals = aes256gcm16-sha512
>>           }
>>        }
>>        version = 2
>>        mobike = no
>>        proposals = aes128-aescmac-prfsha1-modp2048
>>     }
>> }
>>
>> secrets {
>>     ike1 {
>>        ida = 200.10.10.2
>>        idb = 200.10.10.1
>>        secret = .....
>>     }
>> }
>>
>> Up/Down sequence
>>
>> root at strongswan:/home/rudt/projects/vpn-server# swanctl -i --ike conn1
>> [IKE] initiating IKE_SA conn1[16] to 200.10.10.1
>> [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>> [NET] sending packet: from 200.10.10.2[500] to 200.10.10.1[500] (462 bytes)
>> [NET] received packet: from 200.10.10.1[500] to 200.10.10.2[500] (470 bytes)
>> [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
>> [CFG] selected proposal: IKE:AES_CBC_128/AES_CMAC_96/PRF_HMAC_SHA1/MODP_2048
>> [IKE] authentication of '200.10.10.2' (myself) with pre-shared key
>> [ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
>> [NET] sending packet: from 200.10.10.2[500] to 200.10.10.1[500] (156 bytes)
>> [NET] received packet: from 200.10.10.1[500] to 200.10.10.2[500] (124 bytes)
>> [ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) ]
>> [IKE] authentication of '200.10.10.1' with pre-shared key successful
>> [IKE] IKE_SA conn1[16] established between 200.10.10.2[200.10.10.2]...200.10.10.1[200.10.10.1]
>> [IKE] scheduling rekeying in 13670s
>> [IKE] maximum IKE_SA lifetime 15110s
>> initiate completed successfully
>> root at strongswan:/home/rudt/projects/vpn-server# swanctl -t --ike conn1
>> [IKE] deleting IKE_SA conn1[16] between 200.10.10.2[200.10.10.2]...200.10.10.1[200.10.10.1]
>> [IKE] sending DELETE for IKE_SA conn1[16]
>> [ENC] generating INFORMATIONAL request 2 [ D ]
>> [NET] sending packet: from 200.10.10.2[500] to 200.10.10.1[500] (76 bytes)
>> [NET] received packet: from 200.10.10.1[500] to 200.10.10.2[500] (76 bytes)
>> [ENC] parsed INFORMATIONAL response 2 [ ]
>> [IKE] IKE_SA deleted
>> terminate completed successfully
>> root at strongswan:/home/rudt/projects/vpn-server#
>>
>>
>> and no updown script is called.
>>
>> Can someone please enlighten me?
>>
>>
>> -----Original Message-----
>> From: Users <users-bounces at lists.strongswan.org> on behalf of Thomas Rudolph
>> Sent: Thursday, 28 November 2019 17:14
>> To: users at lists.strongswan.org
>> Subject: Re: [strongSwan] updown script not called
>>
>> Hello Christoph,
>>
>> it is an absolute path.
>>
>> -----Original Message-----
>> From: Users <users-bounces at lists.strongswan.org> on behalf of Christoph Harder
>> Sent: Thursday, 28 November 2019 17:06
>> To: users at lists.strongswan.org
>> Subject: Re: [strongSwan] updown script not called
>>
>> Hello Thomas,
>>
>> to which value did you set the updown variable / which path did you use?
>> Is it a relative path or an absolute path to the updown script?
>>
>> Best regards,
>> Christoph Harder
>>
>> On 28.11.19 at 16:02, Thomas Rudolph wrote:
>>> Hi,
>>>
>>> please help, I'm trying to use a custom updown script in the swanctl.conf child
>>> section.
>>>
>>> I only replaced the original _updown with the path to my own script.
>>>
>>>    * The updown plugin is loaded
>>>    * The CHILD_SA comes up/down successfully
>>>    * The script is executable and accessible by everyone
>>>
>>> Regards,
>>>
>>> Thomas
>>>
>>> --
>>> Thomas Rudolph
>>> Teleconnect GmbH
>>> Am Lehmberg 54, 01157 Dresden, Germany
>>>
>>> Phone: +49 351 4236 214 (Main: - 210)
>>> E-Mail/Skype: rudt at teleconnect.de
>>>
>>> Watch our current video! <https://www.youtube.com/watch?v=YtFrOo9rzSU>
>>> Teleconnect <https://www.teleconnect.de>  Twitter <https://twitter.com/Teleconnect_>  Linkedin <https://www.linkedin.com/company/teleconnect-gmbh/>
>>>
>>> USt.-IdNr. (VAT ID): DE140301522
>>> Registergericht (Commercial registry): Dresden, HRB 1040
>>> Geschäftsführer (Managing Director): Dr. Gerald Nürnberger
>>> ----------------------------------------------------------------------
>>> The content of this mail may contain confidential information and is
>>> intended solely for the designated addressee. If you are not the
>>> intended addressee, then please inform the sender about the receipt
>>> of this mail and delete the mail.
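An added example (not from the thread and not strongSwan's own _updown): a minimal updown script that records every invocation to syslog, as Noel and Christoph suggest, plus a check over captured swanctl output that tells whether a CHILD_SA was ever established, since the updown plugin only runs the script for CHILD_SA events. The PLUTO_* variable names and the up-/down- verbs are the updown plugin's real ones; the sample swanctl lines and SPIs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# charon's updown plugin runs the configured script once per CHILD_SA event
# (never for a bare IKE_SA) and passes the event in PLUTO_* variables.
# The variable names below are the plugin's real ones; values shown in
# comments are constructed.

# Build the one-line record that goes to syslog. Returned on stdout so it
# can be checked without a syslog daemon.
updown_record() {
    printf 'updown verb=%s conn=%s reqid=%s me=%s peer=%s ts=%s<->%s\n' \
        "${PLUTO_VERB:-?}" "${PLUTO_CONNECTION:-?}" "${PLUTO_REQID:-?}" \
        "${PLUTO_ME:-?}" "${PLUTO_PEER:-?}" \
        "${PLUTO_MY_CLIENT:-?}" "${PLUTO_PEER_CLIENT:-?}"
}

# Classify the verb: up-* verbs add state, down-* verbs remove it. Anything
# else is reported as unknown instead of silently doing nothing.
updown_action() {
    case "$1" in
        up-client|up-host|up-client-v6|up-host-v6)         echo add ;;
        down-client|down-host|down-client-v6|down-host-v6) echo remove ;;
        *)                                                  echo unknown ;;
    esac
}

# Return 0 only if the swanctl output on stdin shows a CHILD_SA coming up.
# `swanctl -i --ike conn1` alone never prints this line; use `--child child1`.
child_sa_established() {
    grep -q 'CHILD_SA .* established'
}

# Constructed sample output, modelled on the thread (not real captures).
IKE_ONLY='[IKE] IKE_SA conn1[16] established between 200.10.10.2[200.10.10.2]...200.10.10.1[200.10.10.1]
initiate completed successfully'
WITH_CHILD="$IKE_ONLY
[IKE] CHILD_SA child1{1} established with SPIs c0ffee01_i c0ffee02_o and TS 192.168.0.0/24 === 192.168.2.0/24"

# When invoked by charon (PLUTO_VERB is set), log to syslog: the script's
# stdout is not visible, so a plain echo tells you nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_record | logger -t updown-debug
    logger -t updown-debug "action=$(updown_action "$PLUTO_VERB")"
fi
```

Point the child's `updown =` at this file, then compare `journalctl -t updown-debug` after `swanctl -i --ike conn1` (nothing) with `swanctl -i --child child1` (one up-client record).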