[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
*** This bug is a duplicate of bug 1752411 *** https://bugs.launchpad.net/bugs/1752411 **accepting duplication** -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
*** This bug is a duplicate of bug 1752411 *** https://bugs.launchpad.net/bugs/1752411 I also note; I think this is (at least partially) due to strongswan leaving a dangling duplicate DNS entry in resolve.conf. It's 100% consistent, that after step #3 above, there is a dangling DNS entry in resolve.conf, and this script hangs. More : 1. fresh boot 2. script checks: - "/usr/lib/avahi/avahi-daemon-check-dns.sh" is fine - "host -t soa local." returns 3. activate strongswan connection = SUCCESS {{{ fermulator@fermmy:~$ sudo /usr/lib/avahi/avahi-daemon-check-dns.sh fermulator@fermmy:~$ LC_ALL=C host -t soa local. Host local. not found: 3(NXDOMAIN) resolv.conf contains: nameserver 192.168.194.20 nameserver 192.168.196.20 nameserver 127.0.0.53 }}} then; 4. disconnect VPN, {{{ resolv.conf dangling: nameserver 192.168.194.20 nameserver 127.0.0.53 }}} 5. script checks: - "/usr/lib/avahi/avahi-daemon-check-dns.sh" HANGS - "host -t soa local." HANGS 6. killall host back to normal; resolv.conf properly only has the local nameserver now (no more dangling DNS), {{{ nameserver 127.0.0.53 }}} 7. script checks: - "/usr/lib/avahi/avahi-daemon-check-dns.sh" works - "host -t soa local." works $ host -t soa local. Host local not found: 2(SERVFAIL) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
*** This bug is a duplicate of bug 1752411 *** https://bugs.launchpad.net/bugs/1752411 ** This bug has been marked a duplicate of bug 1752411 bind9-host, avahi-daemon-check-dns.sh hang forever causes network connections to get stuck -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
*** This bug is a duplicate of bug 1752411 *** https://bugs.launchpad.net/bugs/1752411 The relationship to LP #1752411 certainly feels valid. (I think I agree to the duplication) Check this out btw (perhaps better submitted to the other bug) -- but -- despite "host" claiming a default timeout of a few seconds, this NEVER returns!! {{{ $ LC_ALL=C host -t soa local. }}} $ man host {{{ -W wait Timeout: Wait for up to wait seconds for a reply. If wait is less than one, the wait interval is set to one second. By default, host will wait for 5 seconds for UDP responses and 10 seconds for TCP connections. These defaults can be overridden by the timeout option in /etc/resolv.conf. See also the -w option. }}} But I even tried to manually specify how long to wait, it isn't honoured {{{ $ time LC_ALL=C host -W 1 -t soa local. <> }}} -- we're talking about THIS method btw /usr/lib/avahi/avahi-daemon-check-dns.sh {{{ dns_has_local() { # Some magic to do tests if [ -n "${FAKE_HOST_RETURN}" ] ; then if [ "${FAKE_HOST_RETURN}" = "true" ]; then return 0; else return 1; fi fi OUT=`LC_ALL=C host -t soa local. 2>&1`<<< HERE if [ $? -eq 0 ] ; then if echo "$OUT" | egrep -vq 'has no|not found'; then return 0 fi else # Checking the dns servers failed. Assuming no .local unicast dns, but # remove the nameserver cache so we recheck the next time we're triggered rm -f ${NS_CACHE} fi return 1 } }}} --- Steps to reproduce: 1. fresh boot 2. run "host -t soa local." (works fine) {{{ $ LC_ALL=C host -t soa local. Host local. not found: 3(NXDOMAIN) }}} 2. connect to strongswan vpn 3. disconnect the session 4. , now that command hangs forever {{{ $ time LC_ALL=C host -t soa local. }}} (tried timing it ...) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
*** This bug is a duplicate of bug 1752411 *** https://bugs.launchpad.net/bugs/1752411 $ dpkg --list | grep bind9 ii bind9-host 1:9.11.3+dfsg-1ubuntu1.1 amd64DNS lookup utility (deprecated) ii libbind9-160:amd64 1:9.11.3+dfsg-1ubuntu1.1 amd64BIND9 Shared Library used by BIND rc libbind9-80 1:9.8.1.dfsg.P1-4ubuntu0.9 amd64BIND9 Shared Library used by BIND rc libbind9-90 1:9.9.5.dfsg-3ubuntu0.8 amd64BIND9 Shared Library used by BIND -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
*** This bug is a duplicate of bug 1752411 *** https://bugs.launchpad.net/bugs/1752411 Yes, this is definitely another symptom (duplicate) of bug 1752411 . The folks on that bug might be people who will know if dig can be used instead. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
Hi, I just realized with you tracking it down so far - could it be "another symptom" of bug 1752411 ? If so we should add strongswan there as affected and make this bug a Dup, so that ALL effects of this one issue are in one place. I'd be glad if one of you could make the detail check if you think it really is the same. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
@paelzer, it is making an usual call to host and checking the return: LC_ALL=C host -t soa local. 2>&1 and theoretically this maps to: LC_ALL=C dig -t soa local. 2>&1 Practically, I don't think this works. I do not have a "local." start of authority record and when I run these commands I get a 1 return value from host and a 0 return value from dig. It might be possible that you can parse the output of dig to get the same information, but I don't know what dig outputs when "local." shows up with an SOA record. If I recall correctly, this should only happen on _very_ broken networks. The avahi folks might know more about how to proceed. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
bind9-host is deprecated anyway isn't it? Could the avahi shell script easily be modified to try dig at the same place? Also as requested since you isolated it towards resolveconf I'm adding a bug task for that as well. ** Also affects: bind9 (Ubuntu) Importance: Undecided Status: New ** Also affects: resolvconf (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
@ehoover; great isolation! that's absolutely it I too noticed it hangs in several other ways randomly. One other example I had not mentioned was failing here: {{{ Aug 20 09:02:49 fermmy charon[3698]: 14[IKE] maximum IKE_SA lifetime 56591s Aug 20 09:02:49 fermmy charon[3698]: 14[IKE] processing INTERNAL_IP4_ADDRESS attribute Aug 20 09:02:49 fermmy charon[3698]: 14[IKE] processing INTERNAL_IP4_DNS attribute <> }}} During this state: {{{ $ ps wuaxxx | grep host root 8526 0.0 0.0 187628 8792 ?Sl 09:02 0:00 host -t soa local. }}} Then: {{{ $ sudo killall host }}} tada: (this immediately followed log message then appears) {{{ Aug 20 09:04:24 fermmy charon[3698]: 10[IKE] removing DNS server 192.168.194.20 via resolvconf Aug 20 09:04:24 fermmy charon[3698]: 14[IKE] installing DNS server 192.168.194.20 via resolvconf Aug 20 09:04:24 fermmy charon[3698]: 14[IKE] processing INTERNAL_IP4_DNS attribute Aug 20 09:04:24 fermmy charon[3698]: 14[IKE] installing DNS server 192.168.196.20 via resolvconf Aug 20 09:04:24 fermmy charon[3698]: 14[IKE] installing new virtual IP 192.168.130.4 Aug 20 09:04:24 fermmy charon[3698]: 14[IKE] CHILD_SA wtlsecondary{72} established with SPIs c557c437_i 9ae567d1_o and TS 192.168.130.4/32 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 Aug 20 09:04:24 fermmy charon[3698]: 14[IKE] CHILD_SA wtlsecondary{72} established with SPIs c557c437_i 9ae567d1_o and TS 192.168.130.4/32 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 }}} it's definitely resolvconf related :( -- and as you suggest we should move this defect to the appropriate sub-category then -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
fwiw {{{ $ dpkg --list | grep avahi-daemon ii avahi-daemon 0.7-3.1ubuntu1 amd64Avahi mDNS/DNS-SD daemon $ dpkg --list | grep resolvconf ii resolvconf 1.79ubuntu10 all name server information handler }}} -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
I think I may have somewhat figured it out. @fermulator, could you get it to lockup and then run "sudo killall host" in another terminal window? It looks like this is some sort of integration issue between the latest bind9-host (used by avahi-daemon) and the latest systemd, downgrading either one of these packages appears to resolve the issue for me. Further, digging through the resolvconf scripts I found that it appears to be hanging when "host" is called by /usr/lib/avahi/avahi-daemon- check-dns.sh, so interrupting that tasks seems to bypass the issue. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
So, I've noticed something else that may be relevant. My work's configuration actually has two DNS servers, which show up like so: installing DNS server 10.10.0.8 via resolvconf installing DNS server 10.10.0.2 via resolvconf However, I saw that there was some probability that it failed after either log message. In addition to that, there is a "leftupdown" script that makes an _additional_ call to resolvconf to setup the DNS search (and tear it down afterwards). I also (sometimes) locks up at these times, so I disabled that script and noticed more successful runs. So, suspecting that the problem was with resolvconf I downgraded it to 1.79ubuntu8. That didn't do the trick, but these days resolvconf is managed by systemd - so I then downgraded systemd to 234-2ubuntu12.1 (except for a conflict with netplan.io, which I ignored). That "worked" in an interesting way, now it reliably connects and finishes - but sometimes it takes about 10 seconds to complete each resolvconf transaction. Based on this, I suspect that the issue is actually somehow in calling resolvconf (if I call resolvconf in a terminal then I don't see a lockup). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
(yes, the upstream report back-refs this downstream report, myself or someone else should do the needful communication once upstream is fixed) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
Thanks Fermulator, no auto-import from this type of bug tracker, but the URL is great to check!. Since remote tracking can't be done automatically, can you ping here once something interesting is coming back there? ** Also affects: strongswan Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
I am having a similar problem, but I have some additional tidbits: 1) I had the same issue after upgrading from 17.10 to 18.04, but before rebooting 2) I have the same problem if I downgrade all the strongswan/charon packages to 5.5.1-4ubuntu2.2 3) First connection attempt after reboot does not always work 4) "sudo service strongswan restart" has some probability that the next connection attempt will work, but no guarantee -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
Upstream report: https://wiki.strongswan.org/issues/2724 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
FYI upstream issue tracker is at https://wiki.strongswan.org/projects/strongswan/issues -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
Hi Fermulator, while I regularly pick up new strongswan versions I'm not enough of an expert to give good suggestions on what the reason might be. But fortunately there are often a few community members here using strongswan that can chime in. Never the less for a technical discussion on the very low details of your connection hang an upstream issue report might be useful. I'd ask you to report the ID you get here so that we can link it and follow the discussion. Also include as much of your setup (simplified and stripped of confidential things) to the bug here and there. As it would help a lot if we'd get it to a list of steps to locally reproduce the issue. Version-wise you said 17.10 was good but in 18.04 it is showing this behavior. In terms of versions that would be 5.5.1 -> 5.6.2 - maybe that rings a bell for upstream? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1786261 Title: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786261/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1786261] Re: strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
** Description changed: as a continuation of https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250 ... (that bug can be focused on the apparmor profile issue in Ubuntu + strongswan) -- this bug report is for the stuck VPN connection issue Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10. ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage A while ago I upgrade to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN. ``` sudo ipsec up ... all the goods happen ... but near the end: IKE_SA [1] established between 1.0.0.6[]...64.7.137.180[OU=Domain Control Validated, CN=.com] scheduling reauthentication in 56358s maximum IKE_SA lifetime 56538s installing DNS server 192.168.194.20 via resolvconf installing DNS server 192.168.196.20 via resolvconf <> ``` while in this state, we see: ``` sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64): uptime: 6 minutes, since Aug 09 10:03:04 2018 malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0 loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters Listening IP addresses: 1.0.0.6 192.168.130.9 192.168.140.17 192.168.130.14 192.168.140.2 192.168.130.13 192.168.130.15 192.168.130.16 192.168.130.8 172.17.0.1 192.168.122.1 Connections: primary: %any...primary..com IKEv2, dpddelay=30s primary: local: [] uses EAP_MSCHAPV2 authentication primary: remote: [OU=Domain Control Validated, CN=.com] uses public key authentication primary: child: 192.168.140.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear secondary: %any...secondary..com IKEv2, dpddelay=30s secondary: local: [] uses EAP_MSCHAPV2 authentication secondary: remote: [OU=Domain Control Validated, CN=.com] uses public key authentication secondary: child: 192.168.130.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear Routed Connections: secondary{2}: ROUTED, TUNNEL, reqid 2 secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 primary{1}: ROUTED, TUNNEL, reqid 1 primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 Security Associations (0 up, 0 connecting): none ``` here are the logs (post-restart of strongswan service) + journalctl --system -u strongswan + + ``` Aug 09 10:03:05 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf. Aug 09 10:03:05 ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 ipsec_starter[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64) Aug 09 10:03:05 charon[10474]: 00[CFG] PKCS11 module '' lacks library path Aug 09 10:03:05 charon[10474]: 00[CFG] disabling load-tester plugin, not configured Aug 09 10:03:05 charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL Aug 09 10:03:05 charon[10474]: 00[KNL] unable to create IPv4 routing table rule Aug 09 10:03:05 charon[10474]: 00[KNL] unable to create IPv6 routing table rule Aug 09 10:03:05 charon[10474]: 00[CFG] dnscert plugin is disabled Aug 09 10:03:05 charon[10474]: 00[CFG] ipseckey plugin is disabled Aug 09 10:03:05 charon[10474]: 00[CFG] attr-sql plugin: database URI not set Aug 09 10:03:05 charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Aug 09 10:03:05 charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/-wildca Aug 09 10:03:05 charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Aug 09 10:03:05 charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Aug 09 10:03:05 charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Aug 09