Hi,
I'm trying to test StrongSwan's behavior in the case when the charon daemon
crashes - it hasn't happened yet, but I want to handle things just in case. I'm
testing with just a single connection so far and only have the policy
installed - no SAs have been set up. When I 'kill -11 charon', the starter
successfully reforks charon, but then charon tries to (re-)add the policy and
fails (it still exists) and then deletes the policy. If I manually do an
'ipsec reload' it seems to get things going again. I've attached log files from
starter and charon.
How is this recovery scenario supposed to work? Also, how are any existing SAs
handled?
Thanks for any info,
-mike
Oct 7 17:49:18 switch ipsec_starter[484]: Starting strongSwan 4.4.1 IPsec
[starter]...
Oct 7 17:49:18 switch ipsec_starter[492]: charon (493) started after 20 ms
Oct 7 17:49:19 switch ipsec_starter[492]: configuration 'ikepol0' routed
Oct 7 17:51:27 switch ipsec_starter[492]: charon has died -- restart scheduled
(5sec)
Oct 7 17:51:32 switch ipsec_starter[492]: charon (516) started after 120 ms
Oct 7 17:51:32 switch ipsec_starter[492]: routing configuration 'ikepol0'
failed
Oct 7 17:49:18 switch charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.4.1)
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'aes': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'des': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'sha1': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'sha2': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'md5': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'random': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'x509': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'revocation': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'pubkey': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'pkcs1': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'pgp': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'dnskey': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'pem': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'fips-prf': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'xcbc': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'hmac': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'gmp': loaded successfully
Oct 7 17:49:18 switch charon: 00[KNL] listening on interfaces:
Oct 7 17:49:18 switch charon: 00[KNL] eth0
Oct 7 17:49:18 switch charon: 00[KNL] 10.20.83.95
Oct 7 17:49:18 switch charon: 00[KNL] fd70:c154:c2df:83:2c0:ddff:fe0d:5393
Oct 7 17:49:18 switch charon: 00[KNL] fe80::2c0:ddff:fe0d:5393
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'kernel-netlink': loaded
successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'socket-default': loaded
successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'socket-dynamic': loaded
successfully
Oct 7 17:49:18 switch charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Oct 7 17:49:18 switch charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Oct 7 17:49:18 switch charon: 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Oct 7 17:49:18 switch charon: 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Oct 7 17:49:18 switch charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Oct 7 17:49:18 switch charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Oct 7 17:49:18 switch charon: 00[CFG] loaded IKE secret for 10.20.83.9
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'stroke': loaded successfully
Oct 7 17:49:18 switch charon: 00[LIB] plugin 'updown': loaded successfully
Oct 7 17:49:18 switch charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5
random x509 revocation pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp
kernel-netlink socket-default socket-dynamic stroke updown
Oct 7 17:49:18 switch charon: 00[JOB] spawning 8 worker threads
Oct 7 17:49:18 switch charon: 01[JOB] started worker thread, ID: 1
Oct 7 17:49:18 switch charon: 02[JOB] started worker thread, ID: 2
Oct 7 17:49:18 switch charon: 03[JOB] started worker thread, ID: 3
Oct 7 17:49:18 switch charon: 04[JOB] started worker thread, ID: 4
Oct 7 17:49:18 switch charon: 05[JOB] started worker thread, ID: 5
Oct 7 17:49:19 switch charon: 06[JOB] started worker thread, ID: 6
Oct 7 17:49:19 switch charon: 06[JOB] no events, waiting
Oct 7 17:49:19 switch charon: 07[JOB] started worker thread, ID: 7
Oct 7 17:49:19 switch charon: 08[JOB] started worker thread, ID: 8
Oct 7 17:49:19 switch charon: 02[NET] waiting for data on sockets
Oct 7 17:49:19 switch charon: 03[CFG] received stroke: add connection
'ikepol0'
Oct 7 17:49:19 switch charon: 03[CFG] conn ikepol0
Oct 7 17:49:19 switch charon: 03[CFG] left=10.20.83.95
Oct 7 17:49:19 switch charon: 03[CFG] leftsubnet=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftsourceip=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftauth=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftauth2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftid=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftid2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftcert=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftcert2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftca=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftca2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftgroups=(null)
Oct 7 17:49:19 switch charon: 03[CFG] leftupdown=(null)
Oct 7 17:49:19 switch charon: 03[CFG] right=10.20.83.9
Oct 7 17:49:19 switch charon: 03[CFG] rightsubnet=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightsourceip=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightauth=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightauth2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightid=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightid2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightcert=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightcert2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightca=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightca2=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightgroups=(null)
Oct 7 17:49:19 switch charon: 03[CFG] rightupdown=(null)
Oct 7 17:49:19 switch charon: 03[CFG] eap_identity=(null)
Oct 7 17:49:19 switch charon: 03[CFG]
ike=aes256-3des-sha2_256-sha2_256_96-modp768-modp1536
Oct 7 17:49:19 switch charon: 03[CFG] esp=3des!
Oct 7 17:49:19 switch charon: 03[CFG] mediation=no
Oct 7 17:49:19 switch charon: 03[CFG] mediated_by=(null)
Oct 7 17:49:19 switch charon: 03[CFG] me_peerid=(null)
Oct 7 17:49:19 switch charon: 03[KNL] getting interface name for 10.20.83.9
Oct 7 17:49:19 switch charon: 03[KNL] 10.20.83.9 is not a local address
Oct 7 17:49:19 switch charon: 03[KNL] getting interface name for 10.20.83.95
Oct 7 17:49:19 switch charon: 03[KNL] 10.20.83.95 is on interface eth0
Oct 7 17:49:19 switch charon: 03[CFG] added configuration 'ikepol0'
Oct 7 17:49:19 switch charon: 04[CFG] received stroke: route 'ikepol0'
Oct 7 17:49:19 switch charon: 04[CFG] proposing traffic selectors for us:
Oct 7 17:49:19 switch charon: 04[CFG] 10.20.83.95/32[icmp] (derived from
dynamic[icmp])
Oct 7 17:49:19 switch charon: 04[CFG] proposing traffic selectors for other:
Oct 7 17:49:19 switch charon: 04[CFG] 10.20.83.9/32[icmp] (derived from
dynamic[icmp])
Oct 7 17:49:19 switch charon: 04[KNL] adding policy 10.20.83.95/32[icmp] ===
10.20.83.9/32[icmp] out
Oct 7 17:49:19 switch charon: 04[KNL] adding policy 10.20.83.9/32[icmp] ===
10.20.83.95/32[icmp] in
Oct 7 17:51:27 switch charon: 00[DMN] thread 0 received 11
Oct 7 17:51:27 switch charon: 00[DMN] killing ourself, received critical
signal
Oct 7 17:51:32 switch charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan
4.4.1)
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'aes': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'des': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'sha1': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'sha2': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'md5': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'random': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'x509': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'revocation': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'pubkey': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'pkcs1': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'pgp': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'dnskey': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'pem': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'fips-prf': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'xcbc': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'hmac': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'gmp': loaded successfully
Oct 7 17:51:32 switch charon: 00[KNL] listening on interfaces:
Oct 7 17:51:32 switch charon: 00[KNL] eth0
Oct 7 17:51:32 switch charon: 00[KNL] 10.20.83.95
Oct 7 17:51:32 switch charon: 00[KNL] fd70:c154:c2df:83:2c0:ddff:fe0d:5393
Oct 7 17:51:32 switch charon: 00[KNL] fe80::2c0:ddff:fe0d:5393
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'kernel-netlink': loaded
successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'socket-default': loaded
successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'socket-dynamic': loaded
successfully
Oct 7 17:51:32 switch charon: 00[CFG] loading ca certificates from
'/usr/local/etc/ipsec.d/cacerts'
Oct 7 17:51:32 switch charon: 00[CFG] loading aa certificates from
'/usr/local/etc/ipsec.d/aacerts'
Oct 7 17:51:32 switch charon: 00[CFG] loading ocsp signer certificates from
'/usr/local/etc/ipsec.d/ocspcerts'
Oct 7 17:51:32 switch charon: 00[CFG] loading attribute certificates from
'/usr/local/etc/ipsec.d/acerts'
Oct 7 17:51:32 switch charon: 00[CFG] loading crls from
'/usr/local/etc/ipsec.d/crls'
Oct 7 17:51:32 switch charon: 00[CFG] loading secrets from
'/usr/local/etc/ipsec.secrets'
Oct 7 17:51:32 switch charon: 00[CFG] loaded IKE secret for 10.20.83.9
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'stroke': loaded successfully
Oct 7 17:51:32 switch charon: 00[LIB] plugin 'updown': loaded successfully
Oct 7 17:51:32 switch charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5
random x509 revocation pubkey pkcs1 pgp dnskey pem fips-prf xcbc hmac gmp
kernel-netlink socket-default socket-dynamic stroke updown
Oct 7 17:51:32 switch charon: 00[JOB] spawning 8 worker threads
Oct 7 17:51:32 switch charon: 01[JOB] started worker thread, ID: 1
Oct 7 17:51:32 switch charon: 01[JOB] no events, waiting
Oct 7 17:51:32 switch charon: 03[JOB] started worker thread, ID: 3
Oct 7 17:51:32 switch charon: 04[JOB] started worker thread, ID: 4
Oct 7 17:51:32 switch charon: 05[JOB] started worker thread, ID: 5
Oct 7 17:51:32 switch charon: 06[JOB] started worker thread, ID: 6
Oct 7 17:51:32 switch charon: 06[NET] waiting for data on sockets
Oct 7 17:51:32 switch charon: 07[JOB] started worker thread, ID: 7
Oct 7 17:51:32 switch charon: 07[CFG] received stroke: add connection
'ikepol0'
Oct 7 17:51:32 switch charon: 07[CFG] conn ikepol0
Oct 7 17:51:32 switch charon: 07[CFG] left=10.20.83.95
Oct 7 17:51:32 switch charon: 07[CFG] leftsubnet=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftsourceip=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftauth=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftauth2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftid=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftid2=(null)
Oct 7 17:51:32 switch charon: 02[JOB] started worker thread, ID: 2
Oct 7 17:51:32 switch charon: 07[CFG] leftcert=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftcert2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftca=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftca2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftgroups=(null)
Oct 7 17:51:32 switch charon: 07[CFG] leftupdown=(null)
Oct 7 17:51:32 switch charon: 07[CFG] right=10.20.83.9
Oct 7 17:51:32 switch charon: 07[CFG] rightsubnet=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightsourceip=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightauth=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightauth2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightid=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightid2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightcert=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightcert2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightca=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightca2=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightgroups=(null)
Oct 7 17:51:32 switch charon: 07[CFG] rightupdown=(null)
Oct 7 17:51:32 switch charon: 07[CFG] eap_identity=(null)
Oct 7 17:51:32 switch charon: 07[CFG]
ike=aes256-3des-sha2_256-sha2_256_96-modp768-modp1536
Oct 7 17:51:32 switch charon: 07[CFG] esp=3des!
Oct 7 17:51:32 switch charon: 07[CFG] mediation=no
Oct 7 17:51:32 switch charon: 08[JOB] started worker thread, ID: 8
Oct 7 17:51:32 switch charon: 07[CFG] mediated_by=(null)
Oct 7 17:51:32 switch charon: 07[CFG] me_peerid=(null)
Oct 7 17:51:32 switch charon: 07[KNL] getting interface name for 10.20.83.9
Oct 7 17:51:32 switch charon: 07[KNL] 10.20.83.9 is not a local address
Oct 7 17:51:32 switch charon: 07[KNL] getting interface name for 10.20.83.95
Oct 7 17:51:32 switch charon: 07[KNL] 10.20.83.95 is on interface eth0
Oct 7 17:51:32 switch charon: 07[CFG] added configuration 'ikepol0'
Oct 7 17:51:32 switch charon: 02[CFG] received stroke: route 'ikepol0'
Oct 7 17:51:32 switch charon: 02[CFG] proposing traffic selectors for us:
Oct 7 17:51:32 switch charon: 02[CFG] 10.20.83.95/32[icmp] (derived from
dynamic[icmp])
Oct 7 17:51:32 switch charon: 02[CFG] proposing traffic selectors for other:
Oct 7 17:51:32 switch charon: 02[CFG] 10.20.83.9/32[icmp] (derived from
dynamic[icmp])
Oct 7 17:51:32 switch charon: 02[KNL] adding policy 10.20.83.95/32[icmp] ===
10.20.83.9/32[icmp] out
Oct 7 17:51:32 switch charon: 02[KNL] unable to add policy
10.20.83.95/32[icmp] === 10.20.83.9/32[icmp] out
Oct 7 17:51:32 switch charon: 02[KNL] adding policy 10.20.83.9/32[icmp] ===
10.20.83.95/32[icmp] in
Oct 7 17:51:32 switch charon: 02[KNL] unable to add policy 10.20.83.9/32[icmp]
=== 10.20.83.95/32[icmp] in
Oct 7 17:51:32 switch charon: 02[KNL] deleting policy 10.20.83.95/32[icmp] ===
10.20.83.9/32[icmp] out
Oct 7 17:51:32 switch charon: 02[KNL] deleting policy 10.20.83.9/32[icmp] ===
10.20.83.95/32[icmp] in
Oct 7 17:51:32 switch charon: 02[CFG] installing trap failed
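The failure mode in the logs above (starter respawns charon, charon cannot re-add the still-present kernel policy, gives up and deletes it, so the connection ends up with no trap policy at all until someone runs 'ipsec reload') is worth catching automatically rather than by reading syslog after the fact. The following is an added example, not code from the original post or from the strongSwan project: a small Python checker that parses starter and charon syslog lines, correlates a "charon has died" event with the subsequent restart, and reports every connection whose re-routing failed afterwards. The sample log lines are the ones from this thread, rejoined where the mail client wrapped them; the message patterns it matches are exactly those that appear in the post, and the finding names are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input, constructed from the lines quoted in the post (unwrapped).
STARTER_LOG = """\
Oct 7 17:49:18 switch ipsec_starter[484]: Starting strongSwan 4.4.1 IPsec [starter]...
Oct 7 17:49:18 switch ipsec_starter[492]: charon (493) started after 20 ms
Oct 7 17:49:19 switch ipsec_starter[492]: configuration 'ikepol0' routed
Oct 7 17:51:27 switch ipsec_starter[492]: charon has died -- restart scheduled (5sec)
Oct 7 17:51:32 switch ipsec_starter[492]: charon (516) started after 120 ms
Oct 7 17:51:32 switch ipsec_starter[492]: routing configuration 'ikepol0' failed
"""

CHARON_LOG = """\
Oct 7 17:51:27 switch charon: 00[DMN] thread 0 received 11
Oct 7 17:51:27 switch charon: 00[DMN] killing ourself, received critical signal
Oct 7 17:51:32 switch charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.4.1)
Oct 7 17:51:32 switch charon: 02[CFG] received stroke: route 'ikepol0'
Oct 7 17:51:32 switch charon: 02[KNL] adding policy 10.20.83.95/32[icmp] === 10.20.83.9/32[icmp] out
Oct 7 17:51:32 switch charon: 02[KNL] unable to add policy 10.20.83.95/32[icmp] === 10.20.83.9/32[icmp] out
Oct 7 17:51:32 switch charon: 02[KNL] deleting policy 10.20.83.95/32[icmp] === 10.20.83.9/32[icmp] out
Oct 7 17:51:32 switch charon: 02[CFG] installing trap failed
"""

# Classic syslog prefix: "Mon  d HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[A-Za-z_]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# ipsec_starter messages seen in the post.
DIED_RE = re.compile(r"^charon has died")
STARTED_RE = re.compile(r"^charon \((?P<pid>\d+)\) started after")
ROUTE_FAILED_RE = re.compile(r"^routing configuration '(?P<conn>[^']+)' failed$")
ROUTED_RE = re.compile(r"^configuration '(?P<conn>[^']+)' routed$")
# charon messages: "NN[GRP] text", with the kernel-policy texts seen in the post.
CHARON_MSG_RE = re.compile(r"^(?P<thread>\d{2})\[(?P<group>[A-Z]{3})\] (?P<text>.*)$")
UNABLE_RE = re.compile(r"^unable to add policy (?P<policy>.+)$")
DELETING_RE = re.compile(r"^deleting policy (?P<policy>.+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str    # finding names are this example's own, not strongSwan's
    detail: str


def parse_line(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def analyze(lines):
    """Walk starter and charon lines in order and collect restart-related findings."""
    findings = []
    restart_pending = False   # starter reported charon dead, new PID not yet seen
    restarted = False         # a respawned charon is now the running instance
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if rec["prog"] == "ipsec_starter":
            if DIED_RE.match(msg):
                restart_pending = True
                findings.append(Finding(rec["ts"], "charon_died", msg))
            elif (m := STARTED_RE.match(msg)) and restart_pending:
                restart_pending, restarted = False, True
                findings.append(Finding(rec["ts"], "charon_restarted", "pid " + m["pid"]))
            elif (m := ROUTE_FAILED_RE.match(msg)) and restarted:
                # The respawned daemon could not install the trap policy for this
                # connection: nothing will trigger IKE for its traffic any more.
                findings.append(Finding(rec["ts"], "unrouted_after_restart", m["conn"]))
            elif (m := ROUTED_RE.match(msg)) and restarted:
                findings.append(Finding(rec["ts"], "rerouted_after_restart", m["conn"]))
        elif rec["prog"] == "charon":
            cm = CHARON_MSG_RE.match(msg)
            if cm is None:
                continue
            text = cm["text"]
            if m := UNABLE_RE.match(text):
                findings.append(Finding(rec["ts"], "policy_add_failed", m["policy"]))
            elif m := DELETING_RE.match(text):
                findings.append(Finding(rec["ts"], "policy_deleted", m["policy"]))
            elif text == "installing trap failed":
                findings.append(Finding(rec["ts"], "trap_install_failed", text))
    return findings


def connections_needing_reload(findings):
    """Connections left without a kernel policy after a restart (the post's 'ipsec reload' case)."""
    return sorted({f.detail for f in findings if f.kind == "unrouted_after_restart"})


if __name__ == "__main__":
    found = analyze(STARTER_LOG.splitlines() + CHARON_LOG.splitlines())
    for f in found:
        print(f"{f.ts}  {f.kind:26s} {f.detail}")
    print("needs reload:", connections_needing_reload(found))
```

Run it against the two logs concatenated and it flags 'ikepol0' as unrouted after the restart; fed from a syslog pipe, the same check can raise an alert (or trigger the reload) instead of relying on someone noticing that the host has been sending to the peer with no policy in place.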
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users