On Sun, 30 Jul 2017 17:26:33 +0000 "M87tech [Jon]" <m87t...@gmail.com> wrote:
> It's your version compiled from source, I assume that is the correct
> patched one?
>
> git clone -b tteras-release
> git://git.alpinelinux.org/user/tteras/strongswan

Ok.

> ./configure --enable-systemd --enable-swanctl --with-systemd
> systemunitdir=/etc/systemd/system/multi-user.target.wants
> --prefix=/usr --sysconfdir=/etc

I also have an explicit --enable-vici; it seems it's nowadays enabled by default.

> Unsure why there are no TX counters on GRE1 which is a bad sign.

This is by design. No traffic is routed to the GRE interface until the IKE layer and NHRP registration are complete.

> And yeah can't see anything related to ipsec happening, nothing in
> "ipsec status" and no 500 or 4500 udp packets, just BGP tries to peer
> but sourcing from ETH0 and not GRE1 which is weird.

Do you have any strongSwan logs?

> Could it be anything to do with NFLOG and the iptables rules?

No. NFLOG is needed only for sending NHRP Traffic Indication messages from a hub. If there's a problem with this, the only result is that spoke-spoke shortcuts will not establish.

> Does this require any special kernel module that I may not have
> access to in LXD?

No.

> Jul 30 18:56:01 hub2-nhrp charon[1959]: 00[LIB] loaded plugins:
> charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation
> constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resol
> Jul 30 18:56:01 hub2-nhrp charon[1959]: 00[JOB] spawning 16 worker
> threads Jul 30 18:56:01 hub2-nhrp ipsec[1722]: charon (1959) started
> after 600 ms Jul 30 18:56:01 hub2-nhrp ipsec_starter[1722]: charon
> (1959) started after 600 ms
> root@hub2-nhrp:/home/jon# ipsec status
> Security Associations (0 up, 0 connecting):
> none

Perhaps the swanctl configurations are not loaded? In Alpine this is done automatically by the init.d script, but this might differ on Ubuntu.

What does the following say:
  swanctl --list-conns
  swanctl --list-creds

You may need to do:
  swanctl --reload-settings
  swanctl --load-all
if those are not part of the systemd init scripts.

There might also be a permission issue so that strongSwan is unable to read its configuration file.

Timo