Hello Terry, Of course it aborts. %any is neither an IP address, nor an FQDN.
Check the output of `which ipsec` to figure out where your shell gets it from.
Make sure it uses only libs that belong to your compiled version. You likely
mixed up the files of the package with your self-compiled ones. Uninstall the package.
nhrp already told you that the wrong version is in use on your system.
Build the software the exact same way Timo does. Otherwise you will fail in one
way or another. You do not know enough yourself to do this right without help.
The best way for you, and to keep it maintained, is to just get the Debian
package source files of the package and change it to build from the source that
supports nhrp.
Kind regards
Noel
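A check along the lines of Noel's advice (which `ipsec` is in PATH, and whether the strongSwan libraries it loads all belong to the self-built tree), written here as an added example; it is not code from the thread or from strongSwan, and it assumes a `/usr/local` prefix with the default `<prefix>/libexec/ipsec/charon` layout.

```shell
#!/bin/sh
# Added example, not from the thread: detect a strongSwan install that mixes
# the Debian package with a self-compiled tree. Assumes the self-built prefix
# is /usr/local and the default layout <prefix>/libexec/ipsec/charon.

# check_strongswan_libs PREFIX LDD_OUTPUT
# Scans `ldd charon` text; prints every strongSwan library that does not live
# under PREFIX (or is unresolved) and returns 1 if any was found, else 0.
check_strongswan_libs() {
    prefix="$1"
    ldd_output="$2"
    mixed=0
    while IFS= read -r line; do
        case "$line" in
            *"=> not found"*)
                echo "missing: $line"; mixed=1 ;;
            *libstrongswan*|*libcharon*)
                # extract the resolved path between "=> " and " ("
                path=$(printf '%s\n' "$line" | sed -n 's/.*=> \([^ ]*\) (.*/\1/p')
                [ -z "$path" ] && continue
                case "$path" in
                    "$prefix"/*) ;;                       # from our own build
                    *) echo "foreign: $path"; mixed=1 ;;  # packaged copy leaked in
                esac
                ;;
        esac
    done <<EOF
$ldd_output
EOF
    return $mixed
}

# Live check of the running system: `sh check.sh --live`
if [ "${1:-}" = "--live" ]; then
    ipsec_bin=$(command -v ipsec) || { echo "no ipsec wrapper in PATH"; exit 1; }
    echo "ipsec wrapper: $ipsec_bin"
    "$ipsec_bin" --version
    prefix=$(dirname "$(dirname "$ipsec_bin")")   # /usr/local/sbin/ipsec -> /usr/local
    charon="$prefix/libexec/ipsec/charon"         # assumed default layout
    echo "packaged strongSwan still installed (should be empty):"
    dpkg -l 'strongswan*' 'libstrongswan*' 2>/dev/null | awk '/^ii/ {print $2}'
    check_strongswan_libs "$prefix" "$(ldd "$charon")" && echo "libraries consistent"
fi
```

A non-empty `dpkg` list or any `foreign:` line means the package and the self-built tree are both present, which is the situation Noel describes.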
On 08.11.2017 11:00, Terry Fu wrote:
> Hi,
>
> Also, I’ve noticed a different error message.
>
> root@test-frr-debian-02:/run# ipsec up dmvpn
> unable to resolve %any, initiate aborted
> tried to checkin and delete nonexisting IKE_SA
> establishing connection 'dmvpn' failed
>
>
> This is the output of "ipsec statusall"
> root@test-frr-debian-02:/run# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):
> uptime: 83 minutes, since Nov 08 03:33:12 2017
> malloc: sbrk 2297856, mmap 0, used 304288, free 1993568
> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 0
> loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
> fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke vici updown xauth-generic
> Listening IP addresses:
> 192.168.23.208
> 192.168.200.2
> 192.168.222.1
> 192.168.12.2
> Connections:
> dmvpn: %any...%any IKEv2, dpddelay=15s
> dmvpn: local: [test-frr-debian-02] uses pre-shared key
> authentication
> dmvpn: remote: uses pre-shared key authentication
> dmvpn: child: dynamic[gre] === dynamic[gre] TRANSPORT,
> dpdaction=clear
> Security Associations (0 up, 0 connecting):
> none
>
>
> Here’s my config of ipsec.secrets
> # ipsec.secrets - strongSwan IPsec secrets file
> 192.168.200.1 : PSK "XXXXXXXXXXXXXXXX"
>
> Here’s my config of swanctl.conf
>
> connections {
>     dmvpn {
>         version = 2
>         pull = no
>         mobike = no
>         dpd_delay = 15
>         dpd_timeout = 30
>         fragmentation = yes
>         unique = replace
>         rekey_time = 4h
>         reauth_time = 13h
>         proposals = aes256-sha512-ecp384
>         local {
>             auth = psk
>             id = test-frr-debian-02
>         }
>         remote {
>             auth = psk
>         }
>         children {
>             dmvpn {
>                 esp_proposals = aes256-sha512-ecp384
>                 local_ts = dynamic[gre]
>                 remote_ts = dynamic[gre]
>                 inactivity = 90m
>                 rekey_time = 100m
>                 mode = transport
>                 dpd_action = clear
>                 reqid = 1
>             }
>         }
>     }
> }
>
>
> Regards,
>
> Terry
>
>
> On 8 November 2017 at 15:53:55, Terry Fu ([email protected]
> <mailto:[email protected]>) wrote:
>
>> Hi Jafar,
>>
>> You are right!
>> After I allowed user “frr” to access “charon.vici”, the error message is
>> gone.
>>
>> Now I’m getting this error message.
>>
>> 2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support mandatory events
>> (unpatched?)
>>
>>
>> I installed tteras’ patched version of strongswan.
>> However I’m not sure how to tell if it’s properly installed.
>>
>> I got it from git: git clone
>> git://git.alpinelinux.org/user/tteras/strongswan
>> Then I used the "autogen.sh" script, then "configure", then "make; make
>> install".
>>
>> Not sure if I have done anything wrong, or missed anything.
>>
>> Is there a way to validate that Strongswan is properly patched and installed?
>>
>> Regards,
>>
>> Terry
>>
>>
>>
>> On 8 November 2017 at 00:34:52, Jafar Al-Gharaibeh ([email protected]
>> <mailto:[email protected]>) wrote:
>>
>>> Terry,
>>>
>>> From the limited information you are giving, my guess is that nhrpd
>>> doesn't have permissions to access the VICI socket. nhrpd is probably
>>> configured as part of FRR/Quagga with permissions to access /var/run/frr
>>> or /var/run/quagga only. Whereas the vici socket, according to
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/VICI
>>>
>>> is: unix:///var/run/charon.vici
>>>
>>> Give nhrpd permissions to access this file and you should be good to go.
>>>
>>> --Jafar
>>>
>>>
>>> On 11/7/2017 10:06 AM, Chengcheng Fu wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I’m trying to setup nhrpd with strongswan, and I’m getting this error
>>>>> message.
>>>>>
>>>>> Failure connecting VICI socket: permission denied
>>>>>
>>>>>
>>>>> I wonder if there is a way to test the VICI socket and see if it’s
>>>>> running properly?
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> Terry
>>>>>
>>>