Hi Terry,

For a start, the code is here: 
https://git.alpinelinux.org/cgit/user/tteras/strongswan/log/?h=tteras-release
That's not documented, but Timo didn't touch anything in the build system or 
the configure arguments, so the commands are the same as one would normally 
build strongSwan.
The debian source is here: https://packages.debian.org/buster/strongswan
You're interested in the archive that provides the "debian" directory. In that 
directory, look primarily at the "control" file.
Maybe you have to provide an archive that contains the source, if you can't 
make those files clone from Timo's repo directly.

Kind regards

Noel

On 08.11.2017 21:48, Chengcheng Fu wrote:
> Hi Noel,
> 
> Any chance there is a document describing how Timo builds it?
> 
> Regards,
> 
> Terry
> 
>> On 9 Nov 2017, at 3:37 AM, Noel Kuntze 
>> <[email protected]> wrote:
>>
>> Hello Terry,
>>
>> Of course it aborts. %any is neither an IP address, nor an FQDN.
>>
>> Check the output of `which ipsec` to figure out where your shell gets it 
>> from. Make sure it uses only libs that belong to your compiled version. You 
>> likely mixed up the files of the package with your self-compiled ones. 
>> Uninstall the package. nhrp already told you that the wrong version is in 
>> use on your system.
>> Build the software the exact same way Timo does. Otherwise you will fail in 
>> one way or another. You do not know enough yourself to do this right without 
>> help.
>> The best way for you, and to keep it maintained, is to just get the debian 
>> package source files of the package and change it to build from the source 
>> that supports nhrp.
>>
>> Kind regards
>>
>> Noel
>>
>>> On 08.11.2017 11:00, Terry Fu wrote:
>>> Hi,
>>>
>>> Also, I’ve noticed a different error message.
>>>
>>> root@test-frr-debian-02:/run# ipsec up dmvpn
>>> unable to resolve %any, initiate aborted
>>> tried to checkin and delete nonexisting IKE_SA
>>> establishing connection 'dmvpn' failed
>>>
>>>
>>> This is the output of "ipsec statusall"
>>> root@test-frr-debian-02:/run# ipsec statusall
>>> Status of IKE charon daemon (strongSwan 5.5.3, Linux 4.13.9, x86_64):
>>>   uptime: 83 minutes, since Nov 08 03:33:12 2017
>>>   malloc: sbrk 2297856, mmap 0, used 304288, free 1993568
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
>>> scheduled: 0
>>>   loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 
>>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
>>> pem fips-prf gmp curve25519 xcbc cmac hmac attr kernel-netlink resolve 
>>> socket-default stroke vici updown xauth-generic
>>> Listening IP addresses:
>>>   192.168.23.208
>>>   192.168.200.2
>>>   192.168.222.1
>>>   192.168.12.2
>>> Connections:
>>>        dmvpn:  %any...%any  IKEv2, dpddelay=15s
>>>        dmvpn:   local:  [test-frr-debian-02] uses pre-shared key 
>>> authentication
>>>        dmvpn:   remote: uses pre-shared key authentication
>>>        dmvpn:   child:  dynamic[gre] === dynamic[gre] TRANSPORT, 
>>> dpdaction=clear
>>> Security Associations (0 up, 0 connecting):
>>>   none
>>>
>>>
>>> Here’s my config of ipsec.secrets
>>> # ipsec.secrets - strongSwan IPsec secrets file
>>> 192.168.200.1 : PSK "XXXXXXXXXXXXXXXX"
>>>
>>> Here’s my config of swanctl.conf
>>>
>>> connections {
>>>         dmvpn {
>>>                 version = 2
>>>                 pull = no
>>>                 mobike = no
>>>                 dpd_delay = 15
>>>                 dpd_timeout = 30
>>>                 fragmentation = yes
>>>                 unique = replace
>>>                 rekey_time = 4h
>>>                 reauth_time = 13h
>>>                 proposals = aes256-sha512-ecp384
>>>                 local {
>>>                         auth = psk
>>>                         id = test-frr-debian-02
>>>                 }
>>>                 remote {
>>>                         auth = psk
>>>                 }
>>>                 children {
>>>                         dmvpn {
>>>                                 esp_proposals = aes256-sha512-ecp384
>>>                                 local_ts = dynamic[gre]
>>>                                 remote_ts = dynamic[gre]
>>>                                 inactivity = 90m
>>>                                 rekey_time = 100m
>>>                                 mode = transport
>>>                                 dpd_action = clear
>>>                                 reqid = 1
>>>                         }
>>>                 }
>>>         }
>>> }
>>>
>>>
>>> Regards,
>>>
>>> Terry
>>>
>>>
>>>> On 8 November 2017 at 15:53:55, Terry Fu ([email protected]) wrote:
>>>>
>>>> Hi Jafar,
>>>>
>>>> You are right! 
>>>> After I allowed user “frr” to access “charon.vici”, the error message is 
>>>> gone.
>>>>
>>>> Now I’m getting this error message.
>>>>
>>>> 2017/11/08 15:41:45 NHRP: VICI: StrongSwan does not support mandatory 
>>>> events (unpatched?)
>>>>
>>>>
>>>> I installed tteras’ patched version of strongswan.
>>>> However I’m not sure how to tell if it’s properly installed.
>>>>
>>>> I got it from git: git clone git://git.alpinelinux.org/user/tteras/strongswan
>>>> Then I used the "autogen.sh" script, then "configure", then "make; make 
>>>> install".
>>>>
>>>> Not sure if I have done anything wrong, or missed anything.
>>>>
>>>> Is there a way to validate that Strongswan is properly patched and 
>>>> installed?
>>>>
>>>> Regards,
>>>>
>>>> Terry
>>>>
>>>>
>>>>
>>>>> On 8 November 2017 at 00:34:52, Jafar Al-Gharaibeh ([email protected]) wrote:
>>>>>
>>>>> Terry,
>>>>>
>>>>> From the limited information you are giving, my guess is that nhrpd 
>>>>> doesn't have permissions to access the VICI socket. nhrpd is probably 
>>>>> configured as part of FRR/Quagga with permissions to access 
>>>>> /var/run/frr or /var/run/quagga only. Whereas the vici socket, according to
>>>>>
>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/VICI
>>>>>
>>>>> is: unix:///var/run/charon.vici
>>>>>
>>>>> Give nhrpd permissions to access this file and you should be good to go.
>>>>>
>>>>> --Jafar
>>>>>
>>>>>
>>>>>> On 11/7/2017 10:06 AM, Chengcheng Fu wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I’m trying to setup nhrpd with strongswan, and I’m getting this error 
>>>>>>> message.
>>>>>>>
>>>>>>> Failure connecting VICI socket: permission denied
>>>>>>>
>>>>>>>
>>>>>>> I wonder if there is a way to test the VICI socket and see if it’s 
>>>>>>> running properly?
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>>
>>>>>>> Terry
>>>>>>>
>>>>>
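Two questions in this thread stay open: how to test that the VICI socket is reachable from a given user (Terry's first mail), and how to tell whether the running charon accepts the events nhrpd registers for (the "does not support mandatory events (unpatched?)" message). The script below is an added example and is not code from the thread, from FRR or from strongSwan. It assumes the default socket path /var/run/charon.vici quoted above and the VICI wire format as strongSwan documents it (4-byte big-endian length prefix, one packet-type byte, a length-prefixed name for requests and registrations, then key/value elements). The names of the events Timo's patch adds are not on this page, so the event name is a parameter you supply; the sample response bytes are constructed here for the offline check.

```python
"""Diagnose a charon.vici socket: file-level access, a 'version' request,
and an event-registration probe of the kind nhrpd performs at startup.
Added example; assumes the VICI framing documented by strongSwan."""
import os
import socket
import stat
import struct

VICI_SOCKET = "/var/run/charon.vici"  # default path, as quoted in the thread

# Packet types from the VICI protocol description (assumed constants)
CMD_REQUEST, CMD_RESPONSE, CMD_UNKNOWN = 0, 1, 2
EVENT_REGISTER, EVENT_UNREGISTER, EVENT_CONFIRM, EVENT_UNKNOWN, EVENT = 3, 4, 5, 6, 7
# Message element types
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6


def build_packet(ptype, name):
    """Frame a named packet (request or event registration) carrying no arguments."""
    name = name.encode()
    body = bytes([ptype, len(name)]) + name
    return struct.pack("!I", len(body)) + body


def encode_key_value(key, value):
    """Encode one KEY_VALUE element: 1-byte key length, key, 2-byte value length, value."""
    key, value = key.encode(), value.encode()
    return bytes([KEY_VALUE, len(key)]) + key + struct.pack("!H", len(value)) + value


def decode_message(data):
    """Decode VICI message elements (key/values, nested sections, lists) into a dict."""
    root, stack, current_list, pos = {}, [], None, 0
    cur = root
    while pos < len(data):
        t = data[pos]
        pos += 1
        if t in (KEY_VALUE, SECTION_START, LIST_START):
            klen = data[pos]
            key = data[pos + 1:pos + 1 + klen].decode()
            pos += 1 + klen
        if t in (KEY_VALUE, LIST_ITEM):
            vlen = struct.unpack("!H", data[pos:pos + 2])[0]
            value = data[pos + 2:pos + 2 + vlen].decode(errors="replace")
            pos += 2 + vlen
        if t == KEY_VALUE:
            cur[key] = value
        elif t == SECTION_START:
            stack.append(cur)
            cur = cur.setdefault(key, {})
        elif t == SECTION_END:
            cur = stack.pop()
        elif t == LIST_START:
            current_list = cur.setdefault(key, [])
        elif t == LIST_ITEM:
            current_list.append(value)
        elif t == LIST_END:
            current_list = None
        else:
            raise ValueError("unknown element type %d at offset %d" % (t, pos - 1))
    return root


def diagnose_socket(path=VICI_SOCKET):
    """Explain, from this user's point of view, why a client like nhrpd might fail
    before sending any VICI traffic at all."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing: charon is not running or uses another socket path"
    if not stat.S_ISSOCK(st.st_mode):
        return "not a socket"
    if not os.access(path, os.R_OK | os.W_OK):
        return "permission denied: owner uid %d, mode %o; add this user to the owning group or fix the mode" % (
            st.st_uid, stat.S_IMODE(st.st_mode))
    return "ok"


def _recvall(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("socket closed mid-packet")
        buf += chunk
    return buf


def recv_packet(sock):
    """Read one length-prefixed VICI packet and return its body (type byte first)."""
    (length,) = struct.unpack("!I", _recvall(sock, 4))
    return _recvall(sock, length)


def vici_version(path=VICI_SOCKET):
    """Ask the daemon for its version; proves the socket answers VICI at all."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_packet(CMD_REQUEST, "version"))
        pkt = recv_packet(s)
    if pkt[0] != CMD_RESPONSE:
        raise RuntimeError("daemon did not answer 'version' (packet type %d)" % pkt[0])
    return decode_message(pkt[1:])


def event_supported(event_name, path=VICI_SOCKET):
    """Register for an event and report whether the daemon knows it. An unpatched
    charon answers EVENT_UNKNOWN for events only the patched build provides."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        s.sendall(build_packet(EVENT_REGISTER, event_name))
        pkt = recv_packet(s)
    return pkt[0] == EVENT_CONFIRM


# Constructed sample of a 'version' response (the version string is the one from the thread)
SAMPLE_VERSION_RESPONSE = (bytes([CMD_RESPONSE]) + encode_key_value("daemon", "charon")
                           + encode_key_value("version", "5.5.3"))

if __name__ == "__main__":
    print("socket:", diagnose_socket())
    if diagnose_socket() == "ok":
        print("version:", vici_version())
        print("event 'list-sa' supported:", event_supported("list-sa"))
```

Run it as the user nhrpd runs under (for example with `sudo -u frr`): the first line reproduces the "permission denied" stage from the thread without involving FRR, the `version` line confirms which build is actually listening, and `event_supported()` with the event names from the patched nhrpd source tells you whether the daemon on the socket is the patched one rather than the distribution package.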
