Hi Piyush,

have you tried

  interfaces_use = lo

without the double quotes?

Regards

Andreas

On 02.05.2017 19:27, Piyush Agarwal wrote:
> Ok, I had missed setting the lo up (when charon ran lo was DOWN, not UNKNOWN).
> So now I make sure "ifconfig lo up" is issued before charon runs. And I do see
> charon.log mention:
>
>   00[KNL] known interfaces and IP addresses:
>   00[KNL]   lo
>   00[KNL]     127.0.0.1
>   00[KNL]     *1.100.0.5*
>   00[KNL]     ::1
>
> But ipsec statusall still reports no listening IP addresses:
>
>   Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
>     uptime: 4 minutes, since May 02 10:22:32 2017
>     malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
>     worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>     loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
>   *Listening IP addresses:*
>   Connections:
>   Security Associations (0 up, 0 connecting):
>     none
>
> On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiy...@gmail.com> wrote:
>
>> Noel,
>>
>> Thanks for pointing out my mistake -- my bad, I should have read the
>> ipsec.conf carefully. Having said that, I have now specified "lo" as the
>> charon.interfaces_use and I see it is NOT finding an IP address that the lo
>> has for listening on.
>>
>>   charon {
>>       * interfaces_use = "lo"*
>>       load_modular = yes
>>       plugins {
>>           include strongswan.d/charon/*.conf
>>       }
>>   }
>>
>> The charon.log has no interfaces and IP addresses now:
>>
>>   00[KNL] known interfaces and IP addresses:
>>   00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>>
>> I was expecting it to listen on 1.100.0.5 given lo has that IP address.
>>
>>   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state *UNKNOWN* group default qlen 1
>>       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>       inet 127.0.0.1/8 scope host lo
>>          valid_lft forever preferred_lft forever
>>       inet *1.100.0.5*/32 scope global lo
>>          valid_lft forever preferred_lft forever
>>       inet6 ::1/128 scope host
>>          valid_lft forever preferred_lft forever
>>
>> Could one not specify "lo" as the charon.interfaces_use? Could it be because
>> of the state the interface is in? It is strange that charon didn't find ANY
>> ip for the loopback (not even 127.0.0.1). Any help for debugging would be
>> great.
>>
>> Thanks.
>>
>> On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiy...@gmail.com> wrote:
>>
>>> I don't see any loopback addresses listed in the "known interfaces":
>>>
>>>   00[KNL] known interfaces and IP addresses:
>>>   00[KNL]   p2p1
>>>   00[KNL]     169.x.x.x
>>>   00[KNL]     fe80:::4ae5
>>>
>>> where p2p1 interface has an internal 169 IP, not the one I want to listen
>>> on. The IP I want to listen on is actually on the lo interface:
>>>
>>>   ip -d addr show lo | grep 104.100.x.x
>>>       inet 104.100.x.x/32 scope global lo
>>>
>>> Not that it should matter, but all this is being done inside an ip/mininet
>>> network namespace.
>>>
>>> Thanks.
>>> Piyush
>>>
>>> On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiy...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I am using strongswan 5.1.2 on Ubuntu 14.04 and I need to specify the IP
>>>> address on which to listen. I found some ipsec.conf manpages
>>>> (https://linux.die.net/man/5/ipsec.conf) which suggest a config item
>>>> "listen", but strongswan 5.1.2 at least doesn't seem to have this option.
>>>> Is there not a way to specify the listen IP address? In my case, this IP
>>>> address is actually on the loopback interface. As long as I can specify
>>>> the listen interface, I should be fine.
>>>>
>>>>   config setup
>>>>       * listen=10.100.0.5*
>>>>
>>>>   conn %default
>>>>       ikelifetime=60m
>>>>       keylife=20m
>>>>       rekeymargin=3m
>>>>       keyingtries=1
>>>>       keyexchange=ikev2
>>>>       authby=rsasig
>>>>
>>>>   conn 10.10.10.8
>>>>       type=transport
>>>>       left=10.100.0.5
>>>>       leftcert=left.cert
>>>>       leftsendcert=always
>>>>       rightcert=right.cert
>>>>       right=10.10.10.8
>>>>       auto=start
>>>>
>>>>   */etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]*
>>>>   *unable to start strongSwan -- fatal errors in config*
>
> --
> Piyush Agarwal
> Life can only be understood backwards; but it must be lived forwards.
>
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Networked Solutions
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[INS-HSR]==
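As an added example (not part of this thread and not strongSwan's own tooling), a POSIX shell script that checks whether charon has actually picked up an address hosted on lo, by parsing the "Listening IP addresses:" section of `ipsec statusall` output, and that renders the strongswan.conf charon section with interfaces_use written unquoted, as the reply above suggests. The helper names (listening_addrs, is_listening, charon_conf, prepare_lo_cmds) are my own; the two statusall samples are constructed to mirror the thread's output, so the script runs offline. The only assumption beyond the thread is that `ip addr add` / `ip link set` (iproute2) are available for the preparation step, which is printed rather than executed because it needs root.

```shell
#!/bin/sh
# Added example, not from the thread. Works on captured `ipsec statusall` text
# so it can run without a charon daemon; samples below are constructed.

# Print the addresses charon lists under "Listening IP addresses:", one per
# line. Reads statusall text on stdin; the section ends at "Connections:".
listening_addrs() {
    awk '
        /^Listening IP addresses:/ { in_block = 1; next }
        /^Connections:/            { in_block = 0 }
        in_block && NF             { print $1 }
    '
}

# Exit 0 if address $1 is among the listening addresses read on stdin, else 1.
is_listening() {
    listening_addrs | grep -qxF -- "$1"
}

# Render the charon section of strongswan.conf restricting charon to the
# comma-separated interface list $1. The value is written unquoted, as the
# reply above suggests (assumption: the form the 5.1.2 parser expects).
charon_conf() {
    printf 'charon {\n'
    printf '    interfaces_use = %s\n' "$1"
    printf '    load_modular = yes\n'
    printf '    plugins {\n        include strongswan.d/charon/*.conf\n    }\n}\n'
}

# Commands (root required, printed rather than run) that give lo the /32 and
# bring it up before charon starts; the thread found lo DOWN at charon start.
prepare_lo_cmds() {
    printf 'ip addr add %s/32 dev lo\nip link set lo up\n' "$1"
}

# Print a one-line verdict for statusall text $2 (label $1, expected addr $3).
report() {
    if printf '%s\n' "$2" | is_listening "$3"; then
        echo "$1: charon listens on $3"
    else
        echo "$1: $3 NOT in listening addresses; check interfaces_use and lo state"
    fi
}

# Constructed sample: the empty listening section the thread shows.
STATUS_EMPTY='Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
  uptime: 4 minutes, since May 02 10:22:32 2017
Listening IP addresses:
Connections:
Security Associations (0 up, 0 connecting):
  none'

# Constructed sample: what a working setup would print (addresses indented).
STATUS_OK='Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
  uptime: 4 minutes, since May 02 10:22:32 2017
Listening IP addresses:
  127.0.0.1
  1.100.0.5
  ::1
Connections:
Security Associations (0 up, 0 connecting):
  none'

# Usage: check both samples, then show the preparation commands and config.
report STATUS_EMPTY "$STATUS_EMPTY" 1.100.0.5
report STATUS_OK "$STATUS_OK" 1.100.0.5
prepare_lo_cmds 1.100.0.5
charon_conf lo
```

In practice you would pipe the live daemon output into the check (`ipsec statusall | is_listening 1.100.0.5`) after restarting charon; an empty section with the address present in "known interfaces and IP addresses" points at the interfaces_use value, while the address missing from both points at the interface not being up when charon enumerated it.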