[strongSwan] Routing between two remote sites

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Jan 27 17:52:21 CET 2022


Hello,

> I am using Centos 8.5 with the strongswan binaries provided on the "EPEL" repository. I do not know who built or supplied them or what options they were built with. My kernel version is 5.16.2-1.el8.elrepo.x86_64

I see. That is fine. So it should be recent enough.

> Based on your comments here, last evening I downloaded the source code from the strongswan site and attempted to build it myself using the default configuration generated by the ./configure script. The binaries seemed to build successfully and when I used my configuration files I did get connection "successful" messages, but I could not ping any systems on the Central network from East (or vice versa) so obviously something was still not working in my own build. Building my own binaries is a bit out of my depth as simply looking at all the ./configure feature options, I wouldn't know which ones to turn on and off to get where I need to be.


I'm sorry to say this but that was unnecessary because you can disable the plugins in the configuration. You do not need to recompile anything.

Kind regards
Noel

On 27.01.22 at 14:36, VTwin Farriers wrote:
> Thanks for the reply
> 
>> Please provide me with the full debug information as shown on the HelpRequests
>> [1] page on the wiki.
> 
> I can do this later today when I can go back and spend more time on this, at the moment I have to take care of other priorities.
> 
> 
>> Additionally, what distribution is that on either side, what virtualization, 
>> and what kernel?
> 
> I am using Centos 8.5 with the strongswan binaries provided on the "EPEL" repository. I do not know who built or supplied them or what options they were built with. My kernel version is 5.16.2-1.el8.elrepo.x86_64
> 
> 
>> I suspect there are more problems lurking around the corner than just that.
>> This particular problem only occurs if you are trying to use kernel-libipsec,
>> or XFRM is not working or doesn't have any of the required features compiled
>> in.
> [...]
>> That particular error message implies it's kernel-libipsec, which you are not
>> supposed to use on sites at all, but only on clients without a working or usable
>> XFRM implementation (e.g. Android).
> [...]
>> This particular error message implies it's a problem with the IPsec backend
>> used.
> 
> Based on your comments here, last evening I downloaded the source code from the strongswan site and attempted to build it myself using the default configuration generated by the ./configure script. The binaries seemed to build successfully and when I used my configuration files I did get connection "successful" messages, but I could not ping any systems on the Central network from East (or vice versa) so obviously something was still not working in my own build. Building my own binaries is a bit out of my depth as simply looking at all the ./configure feature options, I wouldn't know which ones to turn on and off to get where I need to be.
> 
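
Added example, not part of the original message and not strongSwan's own code: a shell check that reads a `loaded plugins:` line, as printed by `ipsec statusall` or `swanctl --stats`, and reports whether the userland kernel-libipsec backend mentioned above is loaded. The sample lines are constructed, the function name is hypothetical, and the configuration snippet in the comment assumes the standard `charon.plugins.<name>.load` option of strongswan.conf.

```shell
#!/bin/sh
# Constructed sample "loaded plugins:" lines (not taken from the poster's hosts).
SAMPLE_LIBIPSEC='  loaded plugins: charon aes sha2 hmac kernel-libipsec kernel-netlink socket-default vici'
SAMPLE_XFRM='  loaded plugins: charon aes sha2 hmac kernel-netlink socket-default vici'

# ipsec_backend LINE
# Prints "kernel-libipsec" if that plugin is in the list, "kernel-netlink"
# if only the XFRM/netlink plugin is, and "unknown" if neither is listed.
ipsec_backend() {
    plugins=${1#*loaded plugins:}      # drop everything up to the label
    backend=unknown
    for p in $plugins; do              # unquoted on purpose: split on spaces
        case $p in
            kernel-libipsec) backend=kernel-libipsec; break ;;
            kernel-netlink)  backend=kernel-netlink ;;
        esac
    done
    printf '%s\n' "$backend"
}

# On a site-to-site gateway the expected answer is kernel-netlink.
# If kernel-libipsec shows up, it can be switched off without rebuilding,
# in strongswan.conf (or the packaged per-plugin snippet):
#
#   charon {
#       plugins {
#           kernel-libipsec {
#               load = no
#           }
#       }
#   }
#
# then restart the daemon and check the plugin list again.

for line in "$SAMPLE_LIBIPSEC" "$SAMPLE_XFRM"; do
    echo "backend: $(ipsec_backend "$line")"
done
```

On a live gateway, pass the function the matching line from the daemon's status output instead of the samples.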