I wonder now if it's something to do with the PSK / secret as it just said
it was ignoring the unsupported secret when I did the reload.

root@hub2-nhrp:/home/jon# cat /var/log/auth.log | grep charon
Jul 30 18:27:28 hub2-nhrp ipsec_starter[6263]: charon (6299) started after 20 ms
Jul 30 18:31:07 hub2-nhrp ipsec_starter[1450]: charon (1616) started after 1140 ms
Jul 30 18:33:04 hub2-nhrp ipsec_starter[1512]: charon (1675) started after 500 ms
Jul 30 18:38:12 hub2-nhrp ipsec_starter[1566]: charon (1753) started after 1340 ms
Jul 30 18:56:01 hub2-nhrp ipsec_starter[1722]: charon (1959) started after 600 ms
Jul 30 19:09:34 hub2-nhrp ipsec_starter[1685]: charon (1887) started after 420 ms
Jul 30 20:35:20 hub2-nhrp ipsec_starter[1720]: charon (1905) started after 1420 ms
Jul 31 11:05:10 hub2-nhrp ipsec_starter[1696]: charon (1876) started after 460 ms
root@hub2-nhrp:/home/jon# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/lib/systemd/system/strongswan.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2017-07-31 11:05:08 BST; 2min 54s ago
 Main PID: 1696 (starter)
    Tasks: 18 (limit: 4915)
   Memory: 7.4M
      CPU: 28ms
   CGroup: /system.slice/strongswan.service
           ├─1696 /usr/libexec/ipsec/starter --daemon charon --nofork
           └─1876 /usr/libexec/ipsec/charon

Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkc
Jul 31 11:05:10 hub2-nhrp charon[1876]: 00[JOB] spawning 16 worker threads
Jul 31 11:05:10 hub2-nhrp ipsec[1696]: charon (1876) started after 460 ms
Jul 31 11:05:10 hub2-nhrp ipsec_starter[1696]: charon (1876) started after 460 ms
root@hub2-nhrp:/home/jon# ipsec status
Security Associations (0 up, 0 connecting):
  none
root@hub2-nhrp:/home/jon# swanctl --list-conns
root@hub2-nhrp:/home/jon# swanctl --list-creds
swanctl: unrecognized option '--list-creds'
Error: invalid operation
strongSwan 5.5.3 swanctl
loaded plugins: aes des rc2 sha2 sha1 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf
gmp curve25519 xcbc cmac hmac
usage:
  swanctl --initiate         (-i)  initiate a connection
  swanctl --terminate        (-t)  terminate a connection
  swanctl --rekey            (-R)  rekey an SA
  swanctl --redirect         (-d)  redirect an IKE_SA
  swanctl --uninstall        (-u)  uninstall a trap or shunt policy
  swanctl --install          (-p)  install a trap or shunt policy
  swanctl --list-sas         (-l)  list currently active IKE_SAs
  swanctl --monitor-sa       (-m)  monitor for IKE_SA and CHILD_SA changes
  swanctl --list-pols        (-P)  list currently installed policies
  swanctl --list-authorities (-B)  list loaded authority configurations
  swanctl --list-conns       (-L)  list loaded configurations
  swanctl --list-certs       (-x)  list stored certificates
  swanctl --list-pools       (-A)  list loaded pool configurations
  swanctl --list-algs        (-g)  show loaded algorithms
  swanctl --flush-certs      (-f)  flush cached certificates
  swanctl --load-all         (-q)  load credentials, authorities, pools and connections
  swanctl --load-authorities (-b)  (re-)load authority configuration
  swanctl --load-conns       (-c)  (re-)load connection configuration
  swanctl --load-creds       (-s)  (re-)load credentials
  swanctl --load-pools       (-a)  (re-)load pool configuration
  swanctl --log              (-T)  trace logging output
  swanctl --version          (-v)  show version information
  swanctl --stats            (-S)  show daemon stats information
  swanctl --reload-settings  (-r)  reload daemon strongswan.conf
  swanctl --help             (-h)  show usage information
root@hub2-nhrp:/home/jon# swanctl --reload-settings

*root@hub2-nhrp:/home/jon# swanctl --load-all*
*ignoring unsupported secret 'dmvpn-secret'*
*no authorities found, 0 unloaded*
*no pools found, 0 unloaded*
*loaded connection 'dmvpn'*
*successfully loaded 1 connections, 0 unloaded*

On Mon, 31 Jul 2017 at 11:03 M87tech [Jon] <m87t...@gmail.com> wrote:

> Hi
>
> Vici is enabled by default on the later versions.
>
> I don't think there is anything in the charon logs from memory but will
> check.
>
> Also will check the swanctl commands.
>
> Regards,
> Jon.
>
> On Mon, 31 Jul 2017 at 08:28 Timo Teras <timo.te...@iki.fi> wrote:
>
>> On Sun, 30 Jul 2017 17:26:33 +0000
>> "M87tech [Jon]" <m87t...@gmail.com> wrote:
>>
>> > It's your version compiled from source, I assume that is the correct
>> > patched one?
>> >
>> > git clone -b tteras-release
>> > git://git.alpinelinux.org/user/tteras/strongswan
>>
>> Ok.
>>
>> > ./configure --enable-systemd --enable-swanctl --with-systemd
>> > systemunitdir=/etc/systemd/system/multi-user.target.wants
>> > --prefix=/usr --sysconfdir=/etc
>>
>> I have also explicit --enable-vici seems it's nowadays enabled by
>> default.
>>
>> > Unsure why there are no TX counters on GRE1 which is a bad sign.
>>
>> This is by design. No traffic is routed to GRE interface until the IKE
>> layer and NHRP registration is complete.
>>
>> > And yeah can't see anything related to ipsec happening, nothing in
>> > "ipsec status" and no 500 or 4500 udp packets, just BGP tries to peer
>> > but sourcing from ETH0 and not GRE1 which is weird.
>>
>> Do you have any strongSwan logs?
>>
>> > Could it be anything to do with NFLOG and the iptables rules?
>>
>> No. NFLOG is needed only for sending NHRP Traffic Indication message
>> from a hub. If there's a problem with this the only result is that
>> spoke-spoke shortcuts will not establish.
>>
>> > Does this require any special kernel module that I may not have
>> > access to in LXD?
>>
>> No.
>>
>> > Jul 30 18:56:01 hub2-nhrp charon[1959]: 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resol
>> > Jul 30 18:56:01 hub2-nhrp charon[1959]: 00[JOB] spawning 16 worker threads
>> > Jul 30 18:56:01 hub2-nhrp ipsec[1722]: charon (1959) started after 600 ms
>> > Jul 30 18:56:01 hub2-nhrp ipsec_starter[1722]: charon (1959) started after 600 ms
>>
>> > root@hub2-nhrp:/home/jon# ipsec status
>> > Security Associations (0 up, 0 connecting):
>> >   none
>>
>> Perhaps the swanctl configurations are not loaded? In Alpine this is
>> done automatically by the init.d script, but this might differ on
>> Ubuntu.
>>
>> What does the following say:
>>  swanctl --list-conns
>>  swanctl --list-creds
>>
>> You may need to do:
>>  swanctl --reload-settings
>>  swanctl --load-all
>>
>> if those are not part of the systemd init scripts. There might also
>> be a permission issue that stops strongSwan from reading its
>> configuration file.
>>
>> Timo
>>
>> --
> M87 TECH
> Jon Clayton
>
> --
M87 TECH
Jon Clayton
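Not part of this thread: an added shell check for the config-side cause of an "ignoring unsupported secret" line like the one above. It assumes swanctl picks a secret's type from the prefix of its section name under secrets { } (the prefix list in the script is my assumption about swanctl, not taken from the thread), and the sample swanctl.conf and --load-all output are constructed placeholders.

```shell
# Added example, not from this thread. Assumption: swanctl derives a secret's
# type from its section-name prefix under secrets { } (ike, eap, xauth, ...),
# so a section called dmvpn-secret has no type and is skipped on load.
SUPPORTED_PREFIXES="ike eap xauth ntlm rsa ecdsa pkcs8 pkcs12 private token"

# secret_type NAME: print the prefix swanctl would recognise, or return 1
secret_type() {
  for p in $SUPPORTED_PREFIXES; do
    case "$1" in
      "$p"*) printf '%s\n' "$p"; return 0 ;;
    esac
  done
  return 1
}

# unsupported_secrets FILE: print section names inside secrets { } that have
# no supported prefix (assumes the usual one-brace-per-line swanctl.conf layout)
unsupported_secrets() {
  awk '
    /^[[:space:]]*secrets[[:space:]]*[{]/ { insec = 1; depth = 1; next }
    insec {
      if (depth == 1 && $0 ~ /^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*[{]/) {
        name = $0; sub(/^[[:space:]]*/, "", name); sub(/[[:space:]]*[{].*/, "", name)
        print name
      }
      line = $0
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      if (depth == 0) insec = 0
    }' "$1" | while read -r name; do
    secret_type "$name" >/dev/null || printf '%s\n' "$name"
  done
}

# ignored_secrets TEXT: pull the ignored names out of swanctl --load-all output
ignored_secrets() {
  printf '%s\n' "$1" | sed -n "s/^ignoring unsupported secret '\([^']*\)'.*/\1/p"
}

# Constructed sample input (placeholder values, not the thread's real config)
SAMPLE_CONF='secrets {
    dmvpn-secret {
        secret = "placeholder-psk"
    }
    ike-dmvpn {
        secret = "placeholder-psk"
    }
}'
SAMPLE_LOAD_OUTPUT="ignoring unsupported secret 'dmvpn-secret'
loaded connection 'dmvpn'"
```

A connection that loads while its PSK is ignored shows exactly the symptom in the thread: "loaded connection" with no IKE_SA ever attempted, so checking the load output is the quickest confirmation.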
_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel