Public bug reported:
as a continuation of
https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250 ...
(that bug can be focused on the apparmor profile issue in Ubuntu +
strongswan)
--
this bug report is for the stuck VPN connection issue
Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10.
ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage
A while ago I upgraded to 18.04 LTS and had consistent issues with
strongswan ipsec connectivity VPN.
```
sudo ipsec up <CONNECTION_NAME>
... all the goods happen ...
but near the end:
IKE_SA <CONNECTION_NAME>[1] established between
1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated,
CN=<SNIPPED_HOST>.com]
scheduling reauthentication in 56358s
maximum IKE_SA lifetime 56538s
installing DNS server 192.168.194.20 via resolvconf
installing DNS server 192.168.196.20 via resolvconf
<<HANGS FOREVER>>
```
while in this state, we see:
```
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64):
uptime: 6 minutes, since Aug 09 10:03:04 2018
malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt
af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru
bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default
connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
addrblock unity counters
Listening IP addresses:
1.0.0.6
192.168.130.9
192.168.140.17
192.168.130.14
192.168.140.2
192.168.130.13
192.168.130.15
192.168.130.16
192.168.130.8
172.17.0.1
192.168.122.1
Connections:
<SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2,
dpddelay=30s
<SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2
authentication
<SITE_SNIPPED>primary: remote: [OU=Domain Control Validated,
CN=<SNIPPED>.com] uses public key authentication
<SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17
10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
<SITE_SNIPPED>secondary: %any...<SITE_SNIPPED>secondary.<SNIPPED>.com IKEv2,
dpddelay=30s
<SITE_SNIPPED>secondary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2
authentication
<SITE_SNIPPED>secondary: remote: [OU=Domain Control Validated,
CN=<SNIPPED>.com] uses public key authentication
<SITE_SNIPPED>secondary: child: 192.168.130.0/24 === 192.168.128.0/17
10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
Routed Connections:
<SITE_SNIPPED>secondary{2}: ROUTED, TUNNEL, reqid 2
<SITE_SNIPPED>secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12
192.168.128.0/17
<SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1
<SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12
192.168.128.0/17
Security Associations (0 up, 0 connecting):
none
```
here are the logs (post-restart of strongswan service)
```
Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]...
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Starting strongSwan 5.6.2 IPsec [starter]...
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module '<name>' lacks library path
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling load-tester plugin, not configured
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv4 routing table rule
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv6 routing table rule
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin: database URI not set
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/<SNIPPED>-wildca
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret for <USER_SNIPPED>
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin: database URI not set
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql database URI missing
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS server configurations
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses local/remote address
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold configured for systime-fix, disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path unspecified
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker threads
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after 40 ms
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: charon (10474) started after 40 ms
```
---
and when I try to connect:
```
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke: add connection '<SITE_SNIPPED>primary'
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration '<SITE_SNIPPED>primary'
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke: route '<SITE_SNIPPED>primary'
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>primary' routed
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>primary' routed
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke: add connection '<SITE_SNIPPED>secondary'
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration '<SITE_SNIPPED>secondary'
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke: route '<SITE_SNIPPED>secondary'
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>secondary' routed
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>secondary' routed
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
```
** Affects: strongswan (Ubuntu)
Importance: Undecided
Status: New
** Description changed:
- as a continuation of #1786250 ... (that bug can be focused on the
- apparmor profile issue in Ubuntu + strongswan)
+ as a continuation of
+ https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250 ...
+ (that bug can be focused on the apparmor profile issue in Ubuntu +
+ strongswan)
--
this bug report is for the stuck VPN connection issue
Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10.
ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage
A while ago I upgrade to 18.04 LTS and had consistent issues with
strongswan ipsec connectivity VPN.
```
- sudo ipsec up <CONNECTION_NAME>
+ sudo ipsec up <CONNECTION_NAME>
... all the goods happen ...
but near the end:
IKE_SA <CONNECTION_NAME>[1] established between
1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated,
CN=<SNIPPED_HOST>.com]
scheduling reauthentication in 56358s
maximum IKE_SA lifetime 56538s
installing DNS server 192.168.194.20 via resolvconf
installing DNS server 192.168.196.20 via resolvconf
<<HANGS FOREVER>>
```
while in this state, we see:
```
- sudo ipsec statusall
+ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic,
x86_64):
- uptime: 6 minutes, since Aug 09 10:03:04 2018
- malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320
- worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
- loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt
af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru
bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default
connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
addrblock unity counters
+ uptime: 6 minutes, since Aug 09 10:03:04 2018
+ malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320
+ worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
+ loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2
sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt
af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru
bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default
connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka
eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc
xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11
tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr
addrblock unity counters
Listening IP addresses:
- 1.0.0.6
- 192.168.130.9
- 192.168.140.17
- 192.168.130.14
- 192.168.140.2
- 192.168.130.13
- 192.168.130.15
- 192.168.130.16
- 192.168.130.8
- 172.17.0.1
- 192.168.122.1
+ 1.0.0.6
+ 192.168.130.9
+ 192.168.140.17
+ 192.168.130.14
+ 192.168.140.2
+ 192.168.130.13
+ 192.168.130.15
+ 192.168.130.16
+ 192.168.130.8
+ 172.17.0.1
+ 192.168.122.1
Connections:
- <SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2,
dpddelay=30s
- <SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2
authentication
- <SITE_SNIPPED>primary: remote: [OU=Domain Control Validated,
CN=<SNIPPED>.com] uses public key authentication
- <SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17
10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
+ <SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2,
dpddelay=30s
+ <SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2
authentication
+ <SITE_SNIPPED>primary: remote: [OU=Domain Control Validated,
CN=<SNIPPED>.com] uses public key authentication
+ <SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17
10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
<SITE_SNIPPED>secondary: %any...<SITE_SNIPPED>secondary.<SNIPPED>.com
IKEv2, dpddelay=30s
<SITE_SNIPPED>secondary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2
authentication
<SITE_SNIPPED>secondary: remote: [OU=Domain Control Validated,
CN=<SNIPPED>.com] uses public key authentication
<SITE_SNIPPED>secondary: child: 192.168.130.0/24 === 192.168.128.0/17
10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear
Routed Connections:
<SITE_SNIPPED>secondary{2}: ROUTED, TUNNEL, reqid 2
<SITE_SNIPPED>secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12
192.168.128.0/17
- <SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1
- <SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12
192.168.128.0/17
+ <SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1
+ <SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12
192.168.128.0/17
Security Associations (0 up, 0 connecting):
- none
+ none
```
here are the logs (post-restart of strongswan service)
Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec
IKEv1/IKEv2 daemon using ipsec.conf.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2
IPsec [starter]...
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Starting strongSwan
5.6.2 IPsec [starter]...
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon
daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module
'<name>' lacks library path
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling
load-tester plugin, not configured
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin
'load-tester': failed to load - load_tester_plugin_create returned NULL
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create
IPv4 routing table rule
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create
IPv6 routing table rule
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is
disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is
disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin:
database URI not set
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca
certificates from '/etc/ipsec.d/cacerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca
certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy
Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/<SNIPPED>-wildca
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa
certificates from '/etc/ipsec.d/aacerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer
certificates from '/etc/ipsec.d/ocspcerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute
certificates from '/etc/ipsec.d/acerts'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from
'/etc/ipsec.d/crls'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets
from '/etc/ipsec.secrets'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret
for <USER_SNIPPED>
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin:
database URI not set
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet
file /etc/ipsec.d/triplets.dat failed: No such file or directory
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql
database URI missing
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS
server configurations
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses
local/remote address
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold
configured for systime-fix, disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path
unspecified
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins:
charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5
mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped
capabilities, running as uid 0, gid 0
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker
threads
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after
40 ms
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: charon (10474)
started after 40 ms
-
---
and when I try to connect:
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke:
add connection '<SITE_SNIPPED>primary'
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate
"/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA
constraint
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration
'<SITE_SNIPPED>primary'
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke:
route '<SITE_SNIPPED>primary'
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>primary'
routed
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already
exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
'<SITE_SNIPPED>primary' routed
- Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
+ Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke:
add connection '<SITE_SNIPPED>secondary'
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate
"/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA
constraint
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration
'<SITE_SNIPPED>secondary'
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke:
route '<SITE_SNIPPED>secondary'
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>secondary'
routed
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already
exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
'<SITE_SNIPPED>secondary' routed
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
--
https://bugs.launchpad.net/bugs/1786261
Title:
strongswan ipsec fails to finish connection (hangs after installing
DNS server via resolvconf)