Re: [strongSwan] charon unmet dependency on native android build
Hi Nathan,

> Still no indication on why it fails when I look at the logs.

Probably glob(3) is not available.

Regards,
Tobias
Re: [strongSwan] charon unmet dependency on native android build
Just another update. I decided to try including all the conf files directly

include strongswan.d/charon/nonce.conf
include

And that worked, where doing includes with wildcard (include /strongswan.d/charon/*.conf) does not work. Still no indication on why it fails when I look at the logs. I added the flag --debug-cfg 4 and didn't get any extra logging that indicated any issues.

On 05/26/2017 10:43 AM, Nathan Bahr wrote:
> Thanks Tobias,
>
> So I changed my strongswan.conf file so that charon.load_moduler = no and left everything else the same and the charon daemon was finally able to start up! After that I decided to consolidate all the configuration into the strongswan.conf file and re-enabled load_modular and it continued to work so it definitely seems that including conf files is the problem. For now this will work for me so I will continue with testing it out and making sure everything works.
>
> There is one issue that popped up now that charon was able to start successfully. I get these netlink errors.
>
> 00[LIB] loading feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink'
> 00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
> 00[KNL] 0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00 %...
> 00[KNL] 16: 00 00 00 00
> 00[KNL] netlink write error: Invalid argument
> 00[KNL] sending XFRM_MSG_GETSPDINFO 202: => 20 bytes @ 0xbeba6580
> 00[KNL] 0: 14 00 00 00 25 00 01 00 CA 00 00 00 C1 1E 00 00 %...
> 00[KNL] 16: 00 00 00 00
> 00[KNL] netlink write error: Invalid argument
>
> My kernel should have all the right modules enabled, and all the other netlink messaging that I see in the log is fine. It doesn't stop charon from starting though so for now I will push forward and see if I can establish a connection but any insight into why including conf files is failing would be appreciated because it does make it easier to configure connections.
>
> One last thing, cross compiling strongswan for android was actually a lot easier than I expected, but besides adding the -llog flag for android logging, there was only one other hack I had to make in order for the build to be correct. On my target device, sh is located at /system/bin/sh, but in the ipsec script, the makefile is hardcoded to replace @IPSEC_SHELL@ with /bin/sh, so I just updated the makefile with the correct path for my environment. Being able to set that via a configure flag though would probably be useful.
>
> Thanks again for the help!
>
> On 05/26/2017 03:10 AM, Tobias Brunner wrote:
>> Hi Nathan,
>>
>>> The output I get is (I get the same log output if I do ipsec start instead of executing charon directly):
>>>
>>> root@kltetmo:/ # charon
>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
>>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
>>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>>> 00[LIB] failed to load 3 critical plugin features
>>> 00[DMN] initialization failed - aborting charon
>>
>> You could try to increase the log level for the LIB and perhaps CFG subsystems [1].
>>
>>> (By the way, I had to add the -llog flag to LDFLAGS because --enable-android-log didn't do it for me automatically, not sure if that is an issue or I have something set up wrong.)
>>
>> I've pushed a fix for that to master.
>>
>>> I am using the same conf files that were generated from the make install, so strongswan.conf has load_modular = yes and includes all the plugin conf files. Each plugin conf file has load = yes.
>>
>> This could be the problem, perhaps resolving the plugin list fails (e.g. because including the files fails), which would also explain this:
>>
>>> All the other executables seem to load ok, just running with --help to test loading libraries. For example this is the output of pki:
>>
>> This tool uses a hard-coded plugin list determined at compile-time. With the default config charon (and some of its charon-* derivatives) is the only program that uses the modular configuration. So you could also try to disable charon.load_modular in strongswan.conf so charon's hard-coded default plugin list is used.
>>
>> Regards,
>> Tobias
>>
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

--
Nathan Bahr
Architecture Technology Corp.
952-829-5864 x174
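The workaround from this message (explicit include lines instead of a wildcard), for a target where the pattern is not expanded (the reply above suggests glob(3) is probably unavailable), shown as an added example that is not part of the original thread or of strongSwan. The function name `expand_includes` is hypothetical; it assumes one include per line, no whitespace in paths, and relative patterns resolved against the directory of the including file.

```shell
#!/bin/sh
# Added example: expand wildcard "include" lines of a strongswan.conf on the
# build host, so the target never has to expand the pattern itself.

# expand_includes CONF
# Prints CONF with each wildcard include replaced by explicit includes.
# Returns 1 if a wildcard matched no file, so a staging step can fail early
# instead of shipping a configuration that loads no plugins.
expand_includes() {
    conf=$1
    base=$(dirname "$conf")
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        indent=${line%%[![:space:]]*}      # leading whitespace, kept for output
        stmt=${line#"$indent"}
        case $stmt in
            "include "*[*?]*)
                pattern=${stmt#include }
                case $pattern in
                    /*) prefix= ;;          # absolute pattern
                    *)  prefix=$base/ ;;    # relative to the including file
                esac
                matched=0
                # Unquoted on purpose: the host shell performs the expansion.
                for f in $prefix$pattern; do
                    [ -f "$f" ] || continue
                    printf '%sinclude %s\n' "$indent" "${f#"$prefix"}"
                    matched=1
                done
                if [ "$matched" -eq 0 ]; then
                    echo "no file matches: $pattern (in $conf)" >&2
                    rc=1
                fi
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$conf"
    return "$rc"
}

# Usage (paths are placeholders): sh expand_includes.sh staging/etc/strongswan.conf
if [ "$#" -ge 1 ]; then
    expand_includes "$1"
fi
```

Run it against the staged copy of strongswan.conf after make install and push the flattened output to the device in place of the generated file.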
Re: [strongSwan] charon unmet dependency on native android build
Thanks Tobias,

So I changed my strongswan.conf file so that charon.load_moduler = no and left everything else the same and the charon daemon was finally able to start up! After that I decided to consolidate all the configuration into the strongswan.conf file and re-enabled load_modular and it continued to work so it definitely seems that including conf files is the problem. For now this will work for me so I will continue with testing it out and making sure everything works.

There is one issue that popped up now that charon was able to start successfully. I get these netlink errors.

00[LIB] loading feature CUSTOM:kernel-ipsec in plugin 'kernel-netlink'
00[KNL] sending XFRM_MSG_GETSPDINFO 201: => 20 bytes @ 0xbeba6580
00[KNL] 0: 14 00 00 00 25 00 01 00 C9 00 00 00 C1 1E 00 00 %...
00[KNL] 16: 00 00 00 00
00[KNL] netlink write error: Invalid argument
00[KNL] sending XFRM_MSG_GETSPDINFO 202: => 20 bytes @ 0xbeba6580
00[KNL] 0: 14 00 00 00 25 00 01 00 CA 00 00 00 C1 1E 00 00 %...
00[KNL] 16: 00 00 00 00
00[KNL] netlink write error: Invalid argument

My kernel should have all the right modules enabled, and all the other netlink messaging that I see in the log is fine. It doesn't stop charon from starting though so for now I will push forward and see if I can establish a connection but any insight into why including conf files is failing would be appreciated because it does make it easier to configure connections.

One last thing, cross compiling strongswan for android was actually a lot easier than I expected, but besides adding the -llog flag for android logging, there was only one other hack I had to make in order for the build to be correct. On my target device, sh is located at /system/bin/sh, but in the ipsec script, the makefile is hardcoded to replace @IPSEC_SHELL@ with /bin/sh, so I just updated the makefile with the correct path for my environment. Being able to set that via a configure flag though would probably be useful.

Thanks again for the help!

On 05/26/2017 03:10 AM, Tobias Brunner wrote:
> Hi Nathan,
>
>> The output I get is (I get the same log output if I do ipsec start instead of executing charon directly):
>>
>> root@kltetmo:/ # charon
>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
>> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
>> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
>> 00[LIB] failed to load 3 critical plugin features
>> 00[DMN] initialization failed - aborting charon
>
> You could try to increase the log level for the LIB and perhaps CFG subsystems [1].
>
>> (By the way, I had to add the -llog flag to LDFLAGS because --enable-android-log didn't do it for me automatically, not sure if that is an issue or I have something set up wrong.)
>
> I've pushed a fix for that to master.
>
>> I am using the same conf files that were generated from the make install, so strongswan.conf has load_modular = yes and includes all the plugin conf files. Each plugin conf file has load = yes.
>
> This could be the problem, perhaps resolving the plugin list fails (e.g. because including the files fails), which would also explain this:
>
>> All the other executables seem to load ok, just running with --help to test loading libraries. For example this is the output of pki:
>
> This tool uses a hard-coded plugin list determined at compile-time. With the default config charon (and some of its charon-* derivatives) is the only program that uses the modular configuration. So you could also try to disable charon.load_modular in strongswan.conf so charon's hard-coded default plugin list is used.
>
> Regards,
> Tobias
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration

--
Nathan Bahr
Architecture Technology Corp.
952-829-5864 x174
Re: [strongSwan] charon unmet dependency on native android build
Hi Nathan,

> The output I get is (I get the same log output if I do ipsec start
> instead of executing charon directly):
>
> root@kltetmo:/ # charon
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet
> dependency: NONCE_GEN
> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon'
> has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] failed to load 3 critical plugin features
> 00[DMN] initialization failed - aborting charon

You could try to increase the log level for the LIB and perhaps CFG subsystems [1].

> (By the way, I had to add the -llog flag to LDFLAGS because
> --enable-android-log didn't do it for me automatically, not sure if that
> is an issue or I have something set up wrong.)

I've pushed a fix for that to master.

> I am using the same conf files that were generated from the make
> install, so strongswan.conf has load_modular = yes and includes all the
> plugin conf files. Each plugin conf file has load = yes.

This could be the problem, perhaps resolving the plugin list fails (e.g. because including the files fails), which would also explain this:

> All the other executables seem to load ok, just running with --help to
> test loading libraries. For example this is the output of pki:

This tool uses a hard-coded plugin list determined at compile-time. With the default config charon (and some of its charon-* derivatives) is the only program that uses the modular configuration. So you could also try to disable charon.load_modular in strongswan.conf so charon's hard-coded default plugin list is used.

Regards,
Tobias

[1] https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
Re: [strongSwan] charon unmet dependency on native android build
Thanks for the response Andreas.

I have double checked and I am certain the plugins are available. As I stated in my previous message, I am doing a monolithic build because without it I am having additional problems, but the libraries are installed in the same location as I specify during configure.

root@kltetmo:/ # ls -l /etc/strongswan/ipsec/
-rw--- root root 1231756 2017-05-25 11:24 libcharon.a
-rw--- root root 997 2017-05-25 11:24 libcharon.la
-rw--- root root 906240 2017-05-25 11:24 libcharon.so
-rw--- root root 1269370 2017-05-25 11:24 libstrongswan.a
-rw--- root root 970 2017-05-25 11:24 libstrongswan.la
-rw--- root root 2859228 2017-05-25 11:24 libstrongswan.so
-rw--- root root 10568 2017-05-25 11:24 libtpmtss.a
-rw--- root root 997 2017-05-25 11:24 libtpmtss.la
-rw--- root root 12116 2017-05-25 11:24 libtpmtss.so
-rw--- root root 25612 2017-05-25 11:24 libvici.a
-rw--- root root 987 2017-05-25 11:24 libvici.la
-rw--- root root 27948 2017-05-25 11:24 libvici.so

I've gone through the make output and the nonce and sha1 plugins are being built and both linked into the libstrongswan library. I have verified that the symbols are in the libstrongswan.so file.

All the conf files look ok as far as I know, I haven't changed them from what was generated during make install.

root@kltetmo:/ # cat /etc/strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

root@kltetmo:/ # ls -l /etc/strongswan.d/
drwx-- root root 2017-05-24 23:17 charon
-rw--- root root 1792 2017-05-25 11:24 charon-logging.conf
-rw--- root root 10309 2017-05-25 11:24 charon.conf
-rw--- root root 65 2017-05-25 11:24 pki.conf
-rw--- root root 79 2017-05-25 11:24 scepclient.conf
-rw--- root root 173 2017-05-25 11:24 starter.conf
-rw--- root root 62 2017-05-25 11:24 swanctl.conf

root@kltetmo:/ # ls -l /etc/strongswan.d/charon
-rw--- root root 130 2017-05-25 11:24 aes.conf
-rw--- root root 138 2017-05-25 11:24 android-log.conf
-rw--- root root 362 2017-05-25 11:24 attr.conf
-rw--- root root 131 2017-05-25 11:24 cmac.conf
-rw--- root root 138 2017-05-25 11:24 constraints.conf
-rw--- root root 137 2017-05-25 11:24 curve25519.conf
-rw--- root root 130 2017-05-25 11:24 des.conf
-rw--- root root 133 2017-05-25 11:24 dnskey.conf
-rw--- root root 135 2017-05-25 11:24 fips-prf.conf
-rw--- root root 130 2017-05-25 11:24 gmp.conf
-rw--- root root 131 2017-05-25 11:24 hmac.conf
-rw--- root root 2239 2017-05-25 11:24 kernel-netlink.conf
-rw--- root root 130 2017-05-25 11:24 md5.conf
-rw--- root root 132 2017-05-25 11:24 nonce.conf
-rw--- root root 301 2017-05-25 11:24 openssl.conf
-rw--- root root 130 2017-05-25 11:24 pem.conf
-rw--- root root 130 2017-05-25 11:24 pgp.conf
-rw--- root root 132 2017-05-25 11:24 pkcs1.conf
-rw--- root root 133 2017-05-25 11:24 pkcs12.conf
-rw--- root root 132 2017-05-25 11:24 pkcs7.conf
-rw--- root root 132 2017-05-25 11:24 pkcs8.conf
-rw--- root root 133 2017-05-25 11:24 pubkey.conf
-rw--- root root 425 2017-05-25 11:24 random.conf
-rw--- root root 130 2017-05-25 11:24 rc2.conf
-rw--- root root 340 2017-05-25 11:24 resolve.conf
-rw--- root root 283 2017-05-25 11:24 revocation.conf
-rw--- root root 131 2017-05-25 11:24 sha1.conf
-rw--- root root 131 2017-05-25 11:24 sha2.conf
-rw--- root root 402 2017-05-25 11:24 socket-default.conf
-rw--- root root 133 2017-05-25 11:24 sshkey.conf
-rw--- root root 986 2017-05-25 11:24 stroke.conf
-rw--- root root 297 2017-05-25 11:24 updown.conf
-rw--- root root 221 2017-05-25 11:24 vici.conf
-rw--- root root 131 2017-05-25 11:24 x509.conf
-rw--- root root 140 2017-05-25 11:24 xauth-generic.conf
-rw--- root root 131 2017-05-25 11:24 xcbc.conf

root@kltetmo:/ # cat /etc/strongswan.d/charon/nonce.conf
nonce {
    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes
Re: [strongSwan] charon unmet dependency on native android build
Hi Nathan,

you are missing the nonce and sha1 plugins which are required for charon to start up successfully.

Regards

Andreas

On 25.05.2017 01:37, Nathan Bahr wrote:
> Hello,
>
> I've been trying to cross compile strongswan to run on android natively and I am having trouble starting the charon daemon.
>
> The output I get is (I get the same log output if I do ipsec start instead of executing charon directly):
>
> root@kltetmo:/ # charon
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
> 00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
> 00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
> 00[LIB] failed to load 3 critical plugin features
> 00[DMN] initialization failed - aborting charon
>
> root@kltetmo:/ # pki --help
> strongSwan 5.5.2 PKI tool
> loaded plugins: aes des rc2 sha2 sha1 md5 random x509 revocation pkcs1 pkcs7 pkcs8 pkcs12 dnskey sshkey pem gmp hmac

==
Andreas Steffen andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution! www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[INS-HSR]==
[strongSwan] charon unmet dependency on native android build
Hello,

I've been trying to cross compile strongswan to run on android natively and I am having trouble starting the charon daemon.

The output I get is (I get the same log output if I do ipsec start instead of executing charon directly):

root@kltetmo:/ # charon
00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 3.4.0, armv7l)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon

I made a standalone toolchain from the latest ndk (14b) targeting armv7a on api 23. This is my configure command:

./configure \
CFLAGS="-march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16 -mthumb -Wl,--fix-cortex-a8 -fPIC" LDFLAGS="-fPIE -pie -llog" \
--build=x86_64-linux-gnu \
--host=arm-linux-androideabi \
--target=arm-linux-androideabi \
--with-sysroot=/tmp/myarmtc/sysroot \
--with-piddir=/etc/strongswan/run \
--with-ipsecdir=/system/bin \
--prefix= \
--bindir=/system/bin \
--sbindir=/system/bin \
--libdir=/etc/strongswan \
--with-plugindir=/etc/strongswan/plugins \
--with-strongswan-conf=/etc/strongswan.conf \
--enable-android-log \
--enable-monolithic

(By the way, I had to add the -llog flag to LDFLAGS because --enable-android-log didn't do it for me automatically, not sure if that is an issue or I have something set up wrong.)

So on the device, I am installing all the executables and the scripts to /system/bin and using /etc/strongswan for the libraries. Configuration is going to the standard /etc locations. I am doing a make install with DESTDIR set to a staging area and everything looks good there, they are getting installed to the same locations on the device.

I am using the same conf files that were generated from the make install, so strongswan.conf has load_modular = yes and includes all the plugin conf files. Each plugin conf file has load = yes.

All the other executables seem to load ok, just running with --help to test loading libraries. For example this is the output of pki:

root@kltetmo:/ # pki --help
strongSwan 5.5.2 PKI tool
loaded plugins: aes des rc2 sha2 sha1 md5 random x509 revocation pkcs1 pkcs7 pkcs8 pkcs12 dnskey sshkey pem gmp hmac
usage:

I have tried removing the --enable-monolithic flag and plugins located in /etc/strongswan/plugins, however, this changes nothing for charon and adds additional errors. This is the output of pki without monolithic build:

root@kltetmo:/ # pki --help
plugin 'aes' failed to load: dlopen failed: cannot locate symbol "memwipe_noinline" referenced by "/system/etc/strongswan/plugins/libstrongswan-aes.so"...
plugin 'des' failed to load: dlopen failed: cannot locate symbol "memwipe_noinline" referenced by "/system/etc/strongswan/plugins/libstrongswan-des.so"...
plugin 'rc2' failed to load: dlopen failed: cannot locate symbol "memwipe_noinline" referenced by "/system/etc/strongswan/plugins/libstrongswan-rc2.so"...
plugin 'random' failed to load: dlopen failed: cannot locate symbol "dbg" referenced by "/system/etc/strongswan/plugins/libstrongswan-random.so"...
plugin 'x509' failed to load: dlopen failed: cannot locate symbol "chunk_empty" referenced by "/system/etc/strongswan/plugins/libstrongswan-x509.so"...
plugin 'revocation' failed to load: dlopen failed: cannot locate symbol "lib" referenced by "/system/etc/strongswan/plugins/libstrongswan-revocation.so"...
plugin 'pkcs1' failed to load: dlopen failed: cannot locate symbol "lib" referenced by "/system/etc/strongswan/plugins/libstrongswan-pkcs1.so"...
plugin 'pkcs7' failed to load: dlopen failed: cannot locate symbol "chunk_empty" referenced by "/system/etc/strongswan/plugins/libstrongswan-pkcs7.so"...
plugin 'pkcs8' failed to load: dlopen failed: cannot locate symbol "chunk_empty" referenced by "/system/etc/strongswan/plugins/libstrongswan-pkcs8.so"...
plugin 'pkcs12' failed to load: dlopen failed: cannot locate symbol "chunk_empty" referenced by "/system/etc/strongswan/plugins/libstrongswan-pkcs12.so"...
plugin 'dnskey' failed to load: dlopen failed: cannot locate symbol "lib" referenced by "/system/etc/strongswan/plugins/libstrongswan-dnskey.so"...
plugin 'sshkey' failed to load: dlopen failed: cannot locate symbol "lib" referenced by "/system/etc/strongswan/plugins/libstrongswan-sshkey.so"...
plugin 'pem' failed to load: dlopen failed: cannot locate symbol "lib" referenced by "/system/etc/strongswan/plugins/libstrongswan-pem.so"...
plugin 'gmp' failed to load: dlopen failed: library "libgmp.so" not found
plugin 'hmac' failed to load: dlopen failed: cannot locate symbol "chunk_empty" referenced by "/system/etc/strongswan/plugins/libstrongswan-hmac.so"...
strongSwan 5.5.2 PKI tool
loaded plu