Hi Noel,

Any chance there is a document describing how Timo builds it?

Regards,
Terry

> On 9 Nov 2017, at 3:37 AM, Noel Kuntze <[email protected]> wrote:
>
> Hello Terry,
>
> Of course it aborts. %any is neither an IP address, nor an FQDN.
>
> Check the output of `which ipsec` to figure out where your shell gets it from. Make sure it uses only libs that belong to your compiled version. You likely mixed up the files of the package with your self-compiled ones. Uninstall the package.
> nhrp already told you that the wrong version is in use on your system.
> Build the software the exact same way Timo does. Otherwise you will fail in one way or another. You do not know enough yourself to do this right without help.
> The best way for you, and to keep it maintained, is to just get the Debian package source files of the package and change it to build from the source that supports nhrp.
>
> Kind regards
>
> Noel
>
>> On 08.11.2017 11:00, Terry Fu wrote:
>> Hi,
>>
>> Also, I’ve noticed a different error message.
>>
>> root@test-frr-debian-02:/run# ipsec up dmvpn
>> unable to resolve %any, initiate aborted
>> tried to checkin and delete nonexisting IKE_SA
>> establishing connection 'dmvpn' failed
>>
>>
>> This is the output of "ipsec statusall"
>> root@test-frr-debian-02:/run# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):
>>   uptime: 83 minutes, since Nov 08 03:33:12 2017
>>   malloc: sbrk 2297856, mmap 0, used 304288, free 1993568
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>> Listening IP addresses:
>>   192.168.23.208
>>   192.168.200.2
>>   192.168.222.1
>>   192.168.12.2
>> Connections:
>>   dmvpn:  %any...%any  IKEv2, dpddelay=15s
>>   dmvpn:   local:  [test-frr-debian-02] uses pre-shared key authentication
>>   dmvpn:   remote: uses pre-shared key authentication
>>   dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT, dpdaction=clear
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>>
>> Here’s my config of ipsec.secrets
>> # ipsec.secrets - strongSwan IPsec secrets file
>> 192.168.200.1 : PSK "XXXXXXXXXXXXXXXX"
>>
>> Here’s my config of swanctl.conf
>>
>> connections {
>>     dmvpn {
>>         version = 2
>>         pull = no
>>         mobike = no
>>         dpd_delay = 15
>>         dpd_timeout = 30
>>         fragmentation = yes
>>         unique = replace
>>         rekey_time = 4h
>>         reauth_time = 13h
>>         proposals = aes256-sha512-ecp384
>>         local {
>>             auth = psk
>>             id = test-frr-debian-02
>>         }
>>         remote {
>>             auth = psk
>>         }
>>         children {
>>             dmvpn {
>>                 esp_proposals = aes256-sha512-ecp384
>>                 local_ts = dynamic[gre]
>>                 remote_ts = dynamic[gre]
>>                 inactivity = 90m
>>                 rekey_time = 100m
>>                 mode = transport
>>                 dpd_action = clear
>>                 reqid = 1
>>             }
>>         }
>>     }
>> }
>>
>>
>> Regards,
>>
>> Terry
>>
>>
>>> On 8 November 2017 at 15:53:55, Terry Fu ([email protected]) wrote:
>>>
>>> Hi Jafar,
>>>
>>> You are right!
>>> After I allowed user "frr" to access "charon.vici", the error message is gone.
>>>
>>> Now I’m getting this error message.
>>>
>>> 2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support mandatory events (unpatched?)
>>>
>>>
>>> I installed tteras’ patched version of strongswan.
>>> However I’m not sure how to tell if it’s properly installed.
>>>
>>> I got it from git: git clone git://git.alpinelinux.org/user/tteras/strongswan
>>> Then I used the "autogen.sh" script, then "configure", then "make; make install".
>>>
>>> Not sure if I have done anything wrong, or missed anything.
>>>
>>> Is there a way to validate that Strongswan is properly patched and installed?
>>>
>>> Regards,
>>>
>>> Terry
>>>
>>>
>>>
>>>> On 8 November 2017 at 00:34:52, Jafar Al-Gharaibeh ([email protected]) wrote:
>>>>
>>>> Terry,
>>>>
>>>> From the limited information you are giving, my guess is that nhrpd doesn't have permissions to access the VICI socket. nhrpd is probably configured as part of FRR/Quagga with permissions to access /var/run/frr or /var/run/quagga only. Whereas the vici socket, according to
>>>>
>>>> https://wiki.strongswan.org/projects/strongswan/wiki/VICI
>>>>
>>>> is: unix:///var/run/charon.vici
>>>>
>>>> Give nhrpd permissions to access this file and you should be good to.
>>>>
>>>> --Jafar
>>>>
>>>>
>>>>> On 11/7/2017 10:06 AM, Chengcheng Fu wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I’m trying to set up nhrpd with strongswan, and I’m getting this error message.
>>>>>
>>>>> Failure connecting VICI socket: permission denied
>>>>>
>>>>>
>>>>> I wonder if there is a way to test the VICI socket and see if it’s running properly?
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> Terry
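Added here as an editor's example, not code from any message in this thread or from strongSwan or FRR: a small Python probe for the two questions the thread leaves open, whether the VICI socket can be reached at all (the original "permission denied") and which charon build is actually answering on it (Noel's point about the wrong version being in use). It hand-encodes a VICI `version` request over the Unix socket, decodes the reply and maps a failed connect() to its likely cause; the socket path is the one Jafar quotes, `SAMPLE_VERSION_REPLY` is a constructed reply, and the framing and element-type constants are those of the VICI wire protocol.

```python
import errno
import socket
import struct
CMD_REQUEST, CMD_RESPONSE = 0, 1  # VICI packet types used by this probe
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = range(1, 7)
CAUSES = {  # likely cause behind the errno a failed connect() reports
    errno.EACCES: "permission denied: this user may not open the socket",
    errno.ENOENT: "socket missing: charon not running or vici plugin not loaded",
    errno.ECONNREFUSED: "socket present but nothing listening: charon is down"}
# Constructed sample CMD_RESPONSE body for 'version' (two key/value elements).
SAMPLE_VERSION_REPLY = b"\x03\x06daemon\x00\x06charon\x03\x07version\x00\x055.5.3"
def encode_command(name, args=None):
    """Frame a CMD_REQUEST: 4-byte length, type byte, 1-byte-length name, key/values."""
    body = bytes([CMD_REQUEST, len(name)]) + name.encode()
    for key, value in (args or {}).items():
        k, v = key.encode(), str(value).encode()
        body += bytes([KEY_VALUE, len(k)]) + k + struct.pack(">H", len(v)) + v
    return struct.pack(">I", len(body)) + body

def decode_message(data):
    """Flatten a message body to {'section/key': value}; list items become lists."""
    out, pos, path = {}, 0, []
    while pos < len(data):
        kind, pos = data[pos], pos + 1
        if not SECTION_START <= kind <= LIST_END:
            raise ValueError(f"unknown VICI element type {kind}")
        if kind in (SECTION_START, LIST_START, KEY_VALUE):  # 1-byte length + name
            path.append(data[pos + 1:pos + 1 + data[pos]].decode())
            pos += 1 + data[pos]
        if kind in (KEY_VALUE, LIST_ITEM):                  # 2-byte length + value
            (vlen,) = struct.unpack(">H", data[pos:pos + 2])
            value, pos = data[pos + 2:pos + 2 + vlen].decode(), pos + 2 + vlen
            key = "/".join(path)
            out[key] = value if kind == KEY_VALUE else out.get(key, []) + [value]
        if kind in (SECTION_END, LIST_END, KEY_VALUE):
            path.pop()
    return out

def probe_vici(path="/var/run/charon.vici"):
    """Send 'version'; return the decoded reply, or {'diagnosis': ...} on failure."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
            sock.connect(path)
            sock.sendall(encode_command("version"))
            (length,) = struct.unpack(">I", sock.recv(4, socket.MSG_WAITALL))
            reply = sock.recv(length, socket.MSG_WAITALL)
            if reply[:1] != bytes([CMD_RESPONSE]): raise ValueError(f"unexpected packet {reply[:1]!r}")
            return decode_message(reply[1:])
    except OSError as exc:
        return {"diagnosis": CAUSES.get(exc.errno, f"connect failed: {exc.strerror}")}
```

Run `probe_vici()` as the account nhrpd runs under (here `frr`): a "permission denied" diagnosis reproduces the thread's first error without starting nhrpd, and a successful reply shows the `daemon`/`version` strings of the charon instance that actually owns the socket.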
