Ok, I had missed setting the lo up (when charon ran lo was DOWN, not UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon runs. And I do see charon.log mention:
00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     *1.100.0.5*
00[KNL]     ::1

But ipsec statusall still reports no listening IP addresses:

Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
  uptime: 4 minutes, since May 02 10:22:32 2017
  malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
*Listening IP addresses:*
Connections:
Security Associations (0 up, 0 connecting):
  none

On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <[email protected]> wrote:
> Noel,
> Thanks for pointing out my mistake -- my bad, I should have read the
> ipsec.conf carefully.
>
> Having said that, I have now specified "lo" as the charon.interfaces_use
> and I see it is NOT finding an IP address that the lo has for listening on.
>
> charon {
>     *interfaces_use = "lo"*
>     load_modular = yes
>     plugins {
>         include strongswan.d/charon/*.conf
>     }
> }
>
> The charon.log has no interfaces and IP addresses now:
>
> 00[KNL] known interfaces and IP addresses:
> 00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>
> I was expecting it to listen on 1.100.0.5 given lo has that IP address.
>
> 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state *UNKNOWN* group default qlen 1
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 scope host lo
>        valid_lft forever preferred_lft forever
>     inet *1.100.0.5*/32 scope global lo
>        valid_lft forever preferred_lft forever
>     inet6 ::1/128 scope host
>        valid_lft forever preferred_lft forever
>
> Could one not specify "lo" as the charon.interfaces_use? Could it be
> because of the state the interface is in? It is strange that charon didn't
> find ANY IP for the loopback (not even 127.0.0.1). Any help for debugging
> would be great. Thanks.
>
> On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <[email protected]> wrote:
>> I don't see any loopback addresses listed in the "known interfaces":
>>
>> 8150 00[KNL] known interfaces and IP addresses:
>> 8151 00[KNL]   p2p1
>> 8152 00[KNL]     169.x.x.x
>> 8153 00[KNL]     fe80:::4ae5
>>
>> where the p2p1 interface has an internal 169 IP, not the one I want to
>> listen on. The IP I want to listen on is actually on the lo interface:
>>
>> ip -d addr show lo | grep 104.100.x.x
>>     inet 104.100.x.x/32 scope global lo
>>
>> Not that it should matter, but all this is being done inside an
>> ip/mininet network namespace.
>>
>> Thanks.
>> Piyush
>>
>> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <[email protected]> wrote:
>>> Hi,
>>> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the
>>> IP address to listen on. I found some ipsec.conf manpages
>>> (https://linux.die.net/man/5/ipsec.conf) which suggest a config item
>>> "listen", but strongswan 5.1.2 at least doesn't seem to have this option.
>>>
>>> Is there not a way to specify the listen IP address? In my case, this
>>> IP address is actually on the loopback interface. As long as I can specify
>>> the listen interface, I should be fine.
>>>
>>> config setup
>>>     *listen=10.100.0.5*
>>>
>>> conn %default
>>>     ikelifetime=60m
>>>     keylife=20m
>>>     rekeymargin=3m
>>>     keyingtries=1
>>>     keyexchange=ikev2
>>>     authby=rsasig
>>>
>>> conn 10.10.10.8
>>>     type=transport
>>>     left=10.100.0.5
>>>     leftcert=left.cert
>>>     leftsendcert=always
>>>     rightcert=right.cert
>>>     right=10.10.10.8
>>>     auto=start
>>>
>>> */etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]*
>>> *unable to start strongSwan -- fatal errors in config*

--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
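As an added diagnostic helper (not strongSwan's code and not from the thread), the following Python parses the two outputs compared in the mails above, the "known interfaces and IP addresses" block of charon.log and the "Listening IP addresses" section of ipsec statusall, and reports whether an expected address is already missing at the kernel-netlink enumeration stage (interface down, or excluded by interfaces_use) or only at the listening stage. It assumes charon's indentation convention (interface names indented two spaces, their addresses four) and that statusall section headers are unindented; the sample inputs are constructed from the outputs pasted in this thread.

```python
import ipaddress
# Constructed sample inputs, copied from the outputs pasted in this thread.
CHARON_LOG = """\
00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     1.100.0.5
00[KNL]     ::1
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
"""
STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
Listening IP addresses:
Connections:
"""

def _as_ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def known_addresses(log):
    # Returns {interface: [addresses]} from the '[KNL] known interfaces' block.
    ifaces, iface, in_block = {}, None, False
    for line in (l for l in log.splitlines() if "[KNL] " in l):   # skip [LIB], [CFG], ...
        rest = line.split("[KNL] ", 1)[1]          # "00[KNL]   lo" -> "  lo"
        if not rest.startswith(" "):               # unindented KNL line starts a heading
            in_block = rest.startswith("known interfaces")
        elif in_block and iface and _as_ip(rest.strip()) is not None:
            ifaces[iface].append(rest.strip())     # 4-space indent: address of iface
        elif in_block:
            iface = rest.strip()                   # 2-space indent: interface name
            ifaces.setdefault(iface, [])
    return ifaces
def listening_addresses(status):
    # Returns the addresses under 'Listening IP addresses:' in `ipsec statusall`.
    found, in_block = [], False
    for line in status.splitlines():
        if not line.startswith(" "):               # unindented line starts a section
            in_block = line.startswith("Listening IP addresses")
        elif in_block and _as_ip(line.strip()) is not None:
            found.append(line.strip())
    return found

def diagnose(expected, log, status):
    known = {a for addrs in known_addresses(log).values() for a in addrs}
    if expected not in known:
        return "not-enumerated"   # kernel-netlink never saw it: interface down? interfaces_use?
    if expected not in listening_addresses(status):
        return "not-listening"    # enumerated, but no IKE socket bound to it
    return "ok"
```

For the thread's final state, diagnose("1.100.0.5", CHARON_LOG, STATUSALL) returns "not-listening", which separates the earlier "lo was DOWN" problem from the remaining one.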
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
