Hello list,
I'm currently trying to get away from ipsec starter, because I'm using systemd, and thus far I haven't been quite successful in doing this. The issue I stumbled upon was that strongSwan doesn't give systemd any indication of when it's ready for swanctl/vici if charon is invoked directly by running "/usr/lib/strongswan/charon".

This is what swanctl says when I run charon directly:

Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: connecting to 'unix:///var/run/charon.vici' failed: No such file or directory
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: Error: connecting to 'default' URI failed: No such file or directory
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: strongSwan 5.2.0 swanctl
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]: usage:
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:   swanctl --load-creds [--raw|--pretty]
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --help (-h)       show usage information
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --clear (-c)      clear previously loaded credentials
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --noprompt (-n)   do not prompt for passwords
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --raw (-r)        dump raw response message
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --pretty (-P)     dump raw response message in pretty print
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --debug (-v)      set debug level, default: 1
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --options (-+)    read command line options from file
Jul 12 20:45:43 thermi-pc.thermi swanctl[495]:     --uri (-u)        service URI to connect to
Jul 12 20:45:43 thermi-pc.thermi colord[1011]: Using mapping database file /var/lib/colord/mapping.db
Jul 12 20:45:43 thermi-pc.thermi systemd[1]: strongswan-prepare.service: main process exited, code=exited, status=2/INVALIDARGUMENT

Before that, strongSwan is started:

Jul 12 20:45:40 thermi-pc.thermi systemd[1]: Starting strongSwan IPsec daemon...
Jul 12 20:45:40 thermi-pc.thermi systemd[1]: Started strongSwan IPsec daemon.
Three seconds don't seem to be enough for strongSwan to get ready, so without adding any manual delays (ExecStart=/usr/bin/sleep 5s) I can't get it to work. The only solution I found for this is running "/usr/bin/ipsec start" followed by another service, which loads creds, pools and conns with swanctl.

The solution for this is to insert an "sd_notify()" after strongSwan has forked all the worker threads. By doing that, people can use Type=notify, which makes strongSwan wait for an sd_notify() from the daemon before starting services that depend on it. I already tried to use "Type=forking" with "ExecStart=/usr/lib/strongswan/charon", but that didn't work either.

My current "systemd.service" files look like this (those work and you're allowed to use them):

#strongswan.service
[Unit]
Description=strongSwan IPsec daemon
After=syslog.target

[Service]
Type=forking
ExecStart=/usr/bin/ipsec start
PIDFile=/var/run/charon.pid
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

#strongswan-prepare.service
[Unit]
Description=Load configuration with swanctl
After=strongswan.service
Requires=strongswan.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/swanctl --load-creds
ExecStart=/usr/bin/swanctl --load-pools
ExecStart=/usr/bin/swanctl --load-conns
ExecReload=/usr/bin/swanctl --load-creds
ExecReload=/usr/bin/swanctl --load-pools
ExecReload=/usr/bin/swanctl --load-conns

[Install]
WantedBy=multi-user.target

#strongswan-server.service
#This initiates an IPsec connection to another host, when strongSwan is ready.
[Unit]
Description=Initiate connection to the server
Requires=strongswan-prepare.service network-online.target
After=strongswan-prepare.service network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/swanctl --initiate --child alpha
ExecStop=/usr/bin/swanctl --terminate --child alpha
StandardOutput=syslog

[Install]
WantedBy=multi-user.target

Regards,
Noel Kuntze

-- 
GPG Key id: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
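To make concrete what the sd_notify() readiness signal proposed in the post actually does, here is an added example (not strongSwan or systemd code) that sends the same "READY=1" datagram to $NOTIFY_SOCKET without linking libsystemd; notify_roundtrip() is a constructed stand-in for systemd's receiving end, and the socket path it uses is made up. A real charon patch would instead call sd_notify(0, "READY=1") from libsystemd once the VICI socket is up, and the unit would switch from Type=forking to Type=notify so swanctl is only started after that point.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
/* Build the AF_UNIX address for a filesystem socket path (systemd's
 * abstract "@..." form is not handled). Returns 0 if the path is too long. */
static int unix_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof a->sun_path) return 0;
    strcpy(a->sun_path, path);
    return 1;
}

/* Equivalent of sd_notify(0, "READY=1"): one datagram to $NOTIFY_SOCKET.
 * Returns 1 if sent, 0 if not started as Type=notify, -1 on error. */
int notify_ready(void)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un a;
    if (!path || !*path) return 0;          /* not running under Type=notify */
    if (!unix_addr(&a, path)) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, "READY=1\n", 8, 0, (struct sockaddr *)&a, sizeof a);
    close(fd);
    return n == 8 ? 1 : -1;
}

/* Constructed stand-in for systemd's end: listen on `path`, export it as
 * NOTIFY_SOCKET, call notify_ready() and copy what arrives into `buf`.
 * Returns the number of bytes received, or -1. */
int notify_roundtrip(const char *path, char *buf, size_t buflen)
{
    struct sockaddr_un a;
    if (!unix_addr(&a, path)) return -1;
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0) return -1;
    unlink(path);                            /* stale socket from a previous run */
    if (bind(srv, (struct sockaddr *)&a, sizeof a) < 0) { close(srv); return -1; }
    setenv("NOTIFY_SOCKET", path, 1);
    ssize_t n = notify_ready() == 1 ? recv(srv, buf, buflen - 1, 0) : -1;
    close(srv);
    unlink(path);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}
```

Without NOTIFY_SOCKET in the environment notify_ready() returns 0 and does nothing, which is the behaviour a daemon needs so the same binary still works under Type=forking or when started by hand.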
