After upgrade from strongswan5.9.6 to 5.9.8, swanctl initiate establishing IKE_SA failed, peer not responding

[ssai12]

System (please complete the following information):

• OS: rockylinux8
• Kernel version (if applicable): 4.18.0-372.26.1.el8_6.x86_64
• strongSwan version(s): 5.9.8
• Tested/confirmed with the latest version: [yes/no]

Describe the bug
A clear and concise description of what the bug is.

To Reproduce
Steps to reproduce the behavior:

1. ...
2. ...
3. ...

Expected behavior
A clear and concise description of what you expected to happen.

Logs/Backtraces
If applicable, add logs or backtraces to help explain your problem.

Additional context
We are using Strongswan for providing IPSEC over GRE. We had previously running 5.9.6 and using swanctl.conf we could able to successful it working. And, suddently upgrade to 5.9.8, it stopped working and swanctl initiate command goes retrying and fails with

[IKE] establishing IKE_SA failed, peer not responding
initiate failed: establishing CHILD_SA 'dc-dsnet' failed

I have configured log file with highest level of logging and could see..
Oct 31 13:35:37 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Oct 31 13:35:37 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'eap-tnc': failed to load - eap_tnc_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-ifmap': failed to load - tnc_ifmap_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-pdp': failed to load - tnc_pdp_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-imc': failed to load - tnc_imc_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-imv': failed to load - tnc_imv_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-tnccs': failed to load - tnc_tnccs_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnccs-20': failed to load - tnccs_20_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnccs-11': failed to load - tnccs_11_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnccs-dynamic': failed to load - tnccs_dynamic_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] feature CUSTOM:sql in plugin 'sql' failed to load
Oct 31 13:35:37 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Oct 31 13:35:37 00[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' failed to load
Oct 31 13:35:37 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load
Oct 31 13:35:37 00[LIB] feature CUSTOM:ext_auth in plugin 'ext-auth' failed to load
Oct 31 13:35:37 03[NET] no socket implementation registered, receiving failed

And, not sure if everything is to be concerned but except no socket implementation registered, receiving failed

Our pipeline is blocked and we are at no clue, what is the issue.
Any quick help pls

[ssai12]

any quick help?

[Thermi]

Did you build strongSwan yourself? It looks like you mixed up old compilation files and new ones or something else happened.

Oct 31 13:35:37 03[NET] no socket implementation registered, receiving failed

That is telling you roughly what the issue is. Maybe you forgot to also update the plugin files or something like that?

[ssai12]

We didn't build it manually, using yum we install strongswan.
Just days before, we had 5.9.6 and our pipeline auto pulled latest 5.9.8 and from then it started failing.
this is our swanctl.conf

# Section defining IKE connection configurations.

  connections {
   dc-net {
      remote_addrs = 10.x.x.x
      mobike = no
      local {
        auth = pubkey
        certs = client1Cert.pem
      }
      remote {
        auth = pubkey
        id = "C=CH, O=strongSwan, CN=d2"
      }
      children {
        dc-dsnet {
#          mode = tunnel
          start_action = trap
          esp_proposals=aes256-sha2_256
        }
      }
      proposals = aes256-sha2_256-modp1024
    }
  }
# Section defining attributes of certification authorities.
 authorities {

    # Section defining a certification authority with a unique name.
     dc1autho {

        # CA certificate belonging to the certification authority.
         cacert = strongswanCert.pem

        # Absolute path to the certificate to load.
         file = /etc/strongswan/swanctl/x509ca/

 }

}

# Include config snippets
include conf.d/*.conf

[ssai12]

logs from journalctl -u strongswan,

Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: selected peer config 'dc-net'
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]:   using certificate "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]:   using trusted ca certificate "C=CH, O=strongSwan, CN=Root CA"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]:   reached self-signed root ca with a path length of 0
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: checking certificate status of "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: certificate status is not available
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: authentication of 'C=CH, O=strongSwan, CN=device1' with RSA_EMSA_PKCS1_SHA2_256 successful
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: peer supports MOBIKE
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: authentication of 'C=CH, O=strongSwan, CN=device2' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: sending end entity cert "C=CH, O=strongSwan, CN=device2"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: IKE_SA dc-net[2] established between 10.127.5.175[C=CH, O=strongSwan, CN=device2]...10.127.5.166[C=CH, O=strongSwan>
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: scheduling rekeying in 13295s
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: maximum IKE_SA lifetime 14735s
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[4500] to 10.127.5.175[4500] (1236 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: parsed IKE_AUTH response 1 [ EF(1/2) ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received fragment #1 of 2, waiting for complete IKE message
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[4500] to 10.127.5.175[4500] (468 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: parsed IKE_AUTH response 1 [ EF(2/2) ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received fragment #2 of 2, reassembled fragmented IKE message (1632 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received end entity cert "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]:   using certificate "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]:   using trusted ca certificate "C=CH, O=strongSwan, CN=Root CA"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]:   reached self-signed root ca with a path length of 0
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: checking certificate status of "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: certificate status is not available
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: authentication of 'C=CH, O=strongSwan, CN=device1' with RSA_EMSA_PKCS1_SHA2_256 successful
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: peer supports MOBIKE
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: IKE_SA dc-net[1] established between 10.127.5.175[C=CH, O=strongSwan, CN=device2]...10.127.5.166[C=CH, O=strongSwan>
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: scheduling rekeying in 14152s
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: maximum IKE_SA lifetime 15592s
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: detected duplicate IKE_SA for 'C=CH, O=strongSwan, CN=device1', triggering delete for old IKE_SA
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: CHILD_SA dc-dsnet{3} established with SPIs c10d20e2_i c18000b9_o and TS 10.127.5.175/32 === 10.127.5.166/32
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: splitting IKE message (1632 bytes) into 2 fragments
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: generating IKE_AUTH response 1 [ EF(1/2) ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: generating IKE_AUTH response 1 [ EF(2/2) ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[4500] to 10.127.5.166[4500] (1236 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[4500] to 10.127.5.166[4500] (468 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: CHILD_SA dc-dsnet{2} established with SPIs c100a22f_i c88e9977_o and TS 10.127.5.175/32 === 10.127.5.166/32
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: deleting IKE_SA dc-net[2] between 10.127.5.175[C=CH, O=strongSwan, CN=device2]...10.127.5.166[C=CH, O=strongSwan, C>
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: sending DELETE for IKE_SA dc-net[2]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: generating INFORMATIONAL request 0 [ D ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[4500] to 10.127.5.166[4500] (80 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[4500] to 10.127.5.175[4500] (80 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: parsed INFORMATIONAL request 0 [ D ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received DELETE for IKE_SA dc-net[1]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: deleting IKE_SA dc-net[1] between 10.127.5.175[C=CH, O=strongSwan, CN=device2]...10.127.5.166[C=CH, O=strongSwan, C>
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: IKE_SA deleted
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: generating INFORMATIONAL response 0 [ ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[4500] to 10.127.5.166[4500] (80 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[4500] to 10.127.5.175[4500] (80 bytes)
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: parsed INFORMATIONAL response 0 [ ]
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: got a response on a duplicate IKE_SA for 'C=CH, O=strongSwan, CN=device1', deleting new IKE_SA
Oct 31 21:50:39 host-10-127-5-175 charon-systemd[44786]: IKE_SA deleted
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: creating acquire job for policy 10.127.5.175/32[tcp/ssh] === 10.127.5.166/32[tcp/40360] with reqid {1}
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: initiating IKE_SA dc-net[3] to 10.127.5.166
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[500] to 10.127.5.166[500] (336 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[500] to 10.127.5.175[500] (369 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N>
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received cert request for "C=CH, O=strongSwan, CN=Root CA"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: sending cert request for "C=CH, O=strongSwan, CN=Root CA"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: authentication of 'C=CH, O=strongSwan, CN=device2' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: sending end entity cert "C=CH, O=strongSwan, CN=device2"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: establishing CHILD_SA dc-dsnet{4} reqid 1
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(>
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: splitting IKE message (1792 bytes) into 2 fragments
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: generating IKE_AUTH request 1 [ EF(1/2) ]
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: generating IKE_AUTH request 1 [ EF(2/2) ]
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[4500] to 10.127.5.166[4500] (1236 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: sending packet: from 10.127.5.175[4500] to 10.127.5.166[4500] (628 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[4500] to 10.127.5.175[4500] (1236 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: parsed IKE_AUTH response 1 [ EF(1/2) ]
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received fragment #1 of 2, waiting for complete IKE message
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received packet: from 10.127.5.166[4500] to 10.127.5.175[4500] (468 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: parsed IKE_AUTH response 1 [ EF(2/2) ]
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received fragment #2 of 2, reassembled fragmented IKE message (1632 bytes)
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: received end entity cert "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]:   using certificate "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]:   using trusted ca certificate "C=CH, O=strongSwan, CN=Root CA"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]:   reached self-signed root ca with a path length of 0
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: checking certificate status of "C=CH, O=strongSwan, CN=device1"
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: certificate status is not available
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: authentication of 'C=CH, O=strongSwan, CN=device1' with RSA_EMSA_PKCS1_SHA2_256 successful
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: peer supports MOBIKE
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: IKE_SA dc-net[3] established between 10.127.5.175[C=CH, O=strongSwan, CN=device2]...10.127.5.166[C=CH, O=strongSwan>
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: scheduling rekeying in 14040s
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: maximum IKE_SA lifetime 15480s
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: CHILD_SA dc-dsnet{4} established with SPIs c304fbdf_i c8f68e6b_o and TS 10.127.5.175/32 === 10.127.5.166/32

[Thermi]

That looks like it just works.

[ssai12]

That looks like it just works.

actually not.. swanctl initiate commands doesn't show any success. it retransmits and shows failed.
plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available\ninitiate failed: establishing CHILD_SA 'dc-dsnet' failed", "stderr_lines": ["plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available", "initiate failed: establishing CHILD_SA 'dc-dsnet' failed"], "stdout": "[IKE] initiating IKE_SA dc-net[1] to 10.x.x.x\n[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]\n[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)\n[IKE] retransmit 1 of request with message ID 0\n[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)\n[IKE] retransmit 2 of request with message ID 0\n[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)\n[IKE] retransmit 3 of request with message ID 0\n[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)\n[IKE] retransmit 4 of request with message ID 0\n[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)\n[IKE] retransmit 5 of request with message ID 0\n[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)\n[IKE] giving up after 5 retransmits\n[IKE] establishing IKE_SA failed, peer not responding", "stdout_lines": ["[IKE] initiating IKE_SA dc-net[1] to 10.x.x.x", "[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]", "[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)", "[IKE] retransmit 1 of request with message ID 0", "[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)", "[IKE] retransmit 2 of request with message ID 0", "[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)", "[IKE] retransmit 3 of request with message ID 0", "[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)", "[IKE] retransmit 4 of request with message ID 0", "[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)", "[IKE] retransmit 5 of request with message ID 0", "[NET] sending packet: from 10.x.x.x to 10.x.x.x[500] (336 bytes)", "[IKE] giving up after 5 retransmits", "[IKE] establishing IKE_SA failed, peer not responding"

[Thermi]

Can I ask why you censor in this post but not the previous one and then also with the same pattern for both IP addresses and don't keep the line breaks in this last post?

[ssai12]

umm.. that was the output I directly captured and posted it here..

[ssai12]

@Thermi Can you pls help with where is it getting issue?
Its the same conf, everything etc.. which was working yesterday and started failing today with new version.

[Thermi]

So the output here #1384 (comment) is from the previous version that worked and that one here #1384 (comment) and following is from the new one?

Oct 31 13:35:37 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL Oct 31 13:35:37 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'eap-tnc': failed to load - eap_tnc_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnc-ifmap': failed to load - tnc_ifmap_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnc-pdp': failed to load - tnc_pdp_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnc-imc': failed to load - tnc_imc_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnc-imv': failed to load - tnc_imv_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnc-tnccs': failed to load - tnc_tnccs_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnccs-20': failed to load - tnccs_20_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnccs-11': failed to load - tnccs_11_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] plugin 'tnccs-dynamic': failed to load - tnccs_dynamic_plugin_create not found and no plugin file available Oct 31 13:35:37 00[LIB] feature CUSTOM:sql in plugin 'sql' failed to load Oct 31 13:35:37 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory Oct 31 13:35:37 00[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' failed to load Oct 31 13:35:37 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load Oct 31 13:35:37 00[LIB] feature CUSTOM:ext_auth in plugin 'ext-auth' failed to load Oct 31 13:35:37 03[NET] no socket implementation registered, receiving failed

[ssai12]

The output snippets above are both from 5.9.8.

[Thermi]

so it works if the other peer initiates?

[ssai12]

so it works if the other peer initiates?

no.. it still fails
[IKE] establishing IKE_SA failed, peer not responding
initiate failed: establishing CHILD_SA 'dc-dsnet' failed

[Thermi]

So why does it complete negotiation in #1384 (comment) then? Those logs contain no timeouts.

Oct 31 21:50:41 host-10-127-5-175 charon-systemd[44786]: CHILD_SA dc-dsnet{4} established with SPIs c304fbdf_i c8f68e6b_o and TS 10.127.5.175/32 === 10.127.5.166/32

[ssai12]

We have NAT so, is there any chance of port not getting to the other side.. as it say from initiate command peer not responding.
I just tried with charon.conf and set 0 to port and port_nat_t and it worked.
Is this appropriate?

[ssai12]

I also observed few behavior changes from 5.9.6 to 5.9.8, _systemctl start strongswan_ vs _strongswan start_.
In one scenario I got initiate working that is when I only do start/restart using systemctl it is working, and if I also do later one.. initiate is failing.

Also, what is the diff b/n systemctl start/restart/stop strongswan and systemctl start/restart/stop strongswan.service

[Thermi]

Also, what is the diff b/n systemctl start/restart/stop strongswan and systemctl start/restart/stop strongswan.service

They are equivalent. If you don't gibe an extension to the name with the systemctl command, it assumes .service.

Check with ps aux | grep charon

[ssai12]

Same result, only charon-systemd is running.

# ps aux | grep charon
root       47425  0.0  0.0 1471396 10404 ?       Ssl  Nov02   0:07 /usr/sbin/charon-systemd
root      780269  0.0  0.0 221936  1164 pts/0    S+   02:39   0:00 grep --color=auto charon

[ssai12]

Is there a diff b/n systemctl start strongswan vs strongswan start?

[tobiasbrunner]

Yes, the latter starts starter/charon, the former starts charon-systemd.

[Thermi]

That sounds like the router implementing NAT is broken and doesn't map the ports correctly.

[ssai12]

Is there a way I can conform this?

[Thermi]

Ideally check outbound traffic of the router.

[Thermi]

Also the first starts it under control, monitoring and with environment as configured by systemd, the latter as under your currently running user and without monitoring by systemd. Always control strongswan via systemd (or whatever your init daemon is). Never start it as your user. Am 11. November 2022 08:53:22 UTC schrieb Tobias Brunner ***@***.***>:

Yes, the latter starts _starter/charon_, the former starts _charon-systemd_. -- Reply to this email directly or view it on GitHub: #1390 (reply in thread) You are receiving this because you were mentioned. Message ID: ***@***.***>

-- Sent from mobile. Please excuse any typos or brevity

[dometec]

Same problem here. Updating Fedora 35 to 37, I get a new version of strongswag (5.9.8) and the error:

nov 17 11:58:27 localhost.localdomain charon[62668]: 03[NET] sending packet: from 192.168.178.182 to x.x.x.x[500] (1156 bytes)
nov 17 11:58:27 localhost.localdomain charon[62668]: 04[NET] no socket implementation registered, sending failed
nov 17 11:58:27 localhost.localdomain charon[62668]: 12[IKE] retransmit 1 of request with message ID 0
nov 17 11:58:27 localhost.localdomain charon[62668]: 12[NET] sending packet: from 192.168.178.182 to x.x.x.x[500] (1156 bytes)
nov 17 11:58:27 localhost.localdomain charon[62668]: 04[NET] no socket implementation registered, sending failed
nov 17 11:58:27 localhost.localdomain charon[62668]: 10[IKE] retransmit 1 of request with message ID 0
nov 17 11:58:27 localhost.localdomain charon[62668]: 10[NET] sending packet: from 192.168.178.182 to x.x.x.x[500] (1156 bytes)
nov 17 11:58:27 localhost.localdomain charon[62668]: 04[NET] no socket implementation registered, sending failed

After downgrading to 5.9.6 it works like before... the configuration didn't change. I can do some tests to understand the problem if it helps.

[Thermi]

We need proper complete logs.
Please see #196

[dometec]

Hi Thermi, ok thanks. Here you are the complete logs of charon, my ipsec.conf (ipsec.secret has only a PSK) and the output of statusall before stopping the daemon:

[root@localhost dometec]# strongswan stop
Stopping strongSwan IPsec failed: starter is not running
[root@localhost dometec]# strongswan statusall
[root@localhost dometec]# strongswan start
Starting strongSwan 5.9.8 IPsec [starter]...
[root@localhost dometec]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.9.8, Linux 6.0.8-300.fc37.x86_64, x86_64):
uptime: 3 seconds, since Nov 21 10:01:51 2022
malloc: sbrk 2179072, mmap 0, used 1058992, free 1120080
worker threads: 12 of 16 idle, 4/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon pkcs11 aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-sim-file eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
Listening IP addresses:
172.27.2.43
192.168.122.1
172.17.0.1
172.18.0.1
fc00:f853:ccd:e793::1
192.168.113.5
Connections:
xxx-prod-vpn:  %any...bastionhost.xxx.xxx  IKEv2, dpddelay=30s
xxx-prod-vpn:   local:  uses pre-shared key authentication
xxx-prod-vpn:   remote: [bastionhost.xxx.xxx] uses pre-shared key authentication
xxx-prod-vpn:   child:  dynamic === 10.80.0.0/16 10.81.0.0/16 172.31.0.0/16 TUNNEL, dpdaction=start
Security Associations (0 up, 1 connecting):
xxx-prod-vpn[1]: CONNECTING, 172.27.2.43[%any]...63.x.x.x[%any]
xxx-prod-vpn[1]: IKEv2 SPIs: a3b68587aaed32c4_i* 0000000000000000_r
xxx-prod-vpn[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG IKE_AUTH_LIFETIME IKE_MOBIKE IKE_ESTABLISH CHILD_CREATE
[root@localhost dometec]# strongswan stop
Stopping strongSwan IPsec...
[root@localhost dometec]#

# ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    uniqueids=yes
    charondebug="all"

conn xxx-prod-vpn
    auto=start
    type=tunnel
    keyexchange=ikev2
    ike=aes256-sha1-modp1024
    esp=3des-sha1
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    leftsourceip=%config    
    right=bastionhost.xxx.xxx
    rightsubnet=10.80.0.0/16,10.81.0.0/16,172.31.0.0/16
    authby=secret 
    keyingtries=0
    ikelifetime=24h
    lifetime=24h

nov 21 10:01:51 localhost.localdomain ipsec_starter[2297225]: Starting strongSwan 5.9.8 IPsec [starter]...
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.0.8-300.fc37.x86_64, x86_64)
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[CFG] PKCS11 module '<name>' lacks library path
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[LIB] providers loaded by OpenSSL: legacy default
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[LIB] plugin 'sqlite': failed to load - sqlite_plugin_create not found and no plugin file available
nov 21 10:01:51 localhost.localdomain charon[2297230]: 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'eap-tnc': failed to load - eap_tnc_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnc-ifmap': failed to load - tnc_ifmap_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnc-pdp': failed to load - tnc_pdp_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnc-imc': failed to load - tnc_imc_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnc-imv': failed to load - tnc_imv_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnc-tnccs': failed to load - tnc_tnccs_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnccs-20': failed to load - tnccs_20_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnccs-11': failed to load - tnccs_11_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] plugin 'tnccs-dynamic': failed to load - tnccs_dynamic_plugin_create not found and no plugin file available
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] unable to bind socket: Address already in use
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] could not open IPv6 socket, IPv6 disabled
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] unable to bind socket: Address already in use
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] could not open IPv4 socket, IPv4 disabled
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] could not create any sockets
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loading ca certificates from '/etc/strongswan/ipsec.d/cacerts'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loading aa certificates from '/etc/strongswan/ipsec.d/aacerts'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loading ocsp signer certificates from '/etc/strongswan/ipsec.d/ocspcerts'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loading attribute certificates from '/etc/strongswan/ipsec.d/acerts'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loading crls from '/etc/strongswan/ipsec.d/crls'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG]   loaded IKE secret for bastionhost-eu-west-1.xxx.xxx
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] read 0 triplets from /etc/strongswan/ipsec.d/triplets.dat
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] loaded 0 RADIUS server configurations
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] HA config misses local/remote address
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[CFG] no script for ext-auth script defined, disabled
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] loaded plugins: charon pkcs11 aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl attr kernel-netlink resolvesocket-default farp stroke vici updown eap-identity eap-sim eap-sim-file eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[LIB] dropped capabilities, running as uid 0, gid 0
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[JOB] spawning 16 worker threads
nov 21 10:01:52 localhost.localdomain ipsec_starter[2297229]: charon (2297230) started after 60 ms
nov 21 10:01:52 localhost.localdomain charon[2297230]: 03[NET] no socket implementation registered, receiving failed
nov 21 10:01:52 localhost.localdomain charon[2297230]: 06[CFG] received stroke: add connection 'xxx-prod-vpn'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 06[CFG] added configuration 'xxx-prod-vpn'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 07[CFG] received stroke: initiate 'xxx-prod-vpn'
nov 21 10:01:52 localhost.localdomain charon[2297230]: 07[IKE] initiating IKE_SA xxx-prod-vpn[1] to 63.x.x.x
nov 21 10:01:52 localhost.localdomain charon[2297230]: 07[IKE] initiating IKE_SA xxx-prod-vpn[1] to 63.x.x.x
nov 21 10:01:52 localhost.localdomain charon[2297230]: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
nov 21 10:01:52 localhost.localdomain charon[2297230]: 07[NET] sending packet: from 172.27.2.43 to 63.x.x.x[500] (1156 bytes)
nov 21 10:01:52 localhost.localdomain charon[2297230]: 05[NET] no socket implementation registered, sending failed
nov 21 10:01:56 localhost.localdomain charon[2297230]: 11[IKE] retransmit 1 of request with message ID 0
nov 21 10:01:56 localhost.localdomain charon[2297230]: 11[NET] sending packet: from 172.27.2.43 to 63.x.x.x[500] (1156 bytes)
nov 21 10:01:56 localhost.localdomain charon[2297230]: 05[NET] no socket implementation registered, sending failed
nov 21 10:02:02 localhost.localdomain charon[2297230]: 00[DMN] SIGINT received, shutting down
nov 21 10:02:02 localhost.localdomain charon[2297230]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
nov 21 10:02:02 localhost.localdomain ipsec_starter[2297229]: charon stopped after 200 ms
nov 21 10:02:02 localhost.localdomain ipsec_starter[2297229]: ipsec starter stopped

[Thermi]

nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] unable to bind socket: Address already in use
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] could not open IPv6 socket, IPv6 disabled
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] unable to bind socket: Address already in use
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] could not open IPv4 socket, IPv4 disabled
nov 21 10:01:52 localhost.localdomain charon[2297230]: 00[NET] could not create any sockets

Something is already listening on the ports for IKE (UDP 500 and UDP 4500). Check which processes these are and stop them. I suppose it's another instance of strongswan that was started by another way than the systemd unit.

[dometec]

What a shame! sorry I didn't read the log correctly. The point is that installed the 5.9.8 version there is the charon-systemd process that occupies those ports and with the previous version that process is not started (or is not present), for this, I suspected it was a bug of this version. Once charon-systemd is killed, the VPNs start as usual

[Thermi]

But the process run by the systemd unit is "charon-systemd", no? Please check if maybe there are two units starting some variant of strongSwan, you can see the units with their processes in the output of `systemctl status`.

On November 22, 2022 10:28:01 AM UTC, Domenico Briganti ***@***.***> wrote: What a shame! sorry I didn't read the log correctly. The point is that installed the 5.9.8 version there is the charon-systemd process that occupies those ports and with the previous version that process is not started (or is not present), for this, I suspected it was a bug of this version. Once charon-systemd is killed, the VPNs start as usual -- Reply to this email directly or view it on GitHub: #1390 (reply in thread) You are receiving this because you were mentioned. Message ID: ***@***.***>

-- Sent from mobile. Please excuse any typos or brevity

[Thermi]

btw you are supposed to use the systemd unit to manage strongswan. Don't start it from CLI.

[acro5piano]

@ssai12

I had the same problem and your solution worked for me like a charm. I really appreciate it!!

I just tried with charon.conf and set 0 to port and port_nat_t and it worked.
Is this appropriate?

(Though I'm not sure that is appropriate or not)

[tobiasbrunner]

I just start systemd service and run ipsec restart command

First, don't use the ipsec script to control the daemon if you already use systemd (i.e. don't use ipsec start|stop|restart but instead use systemctl start|stop|restart ...).

But be aware that there are two systemd units for strongSwan:

• The strongswan unit controls the charon-systemd IKE daemon, which is configured and managed via swanctl.conf/swanctl
• The strongswan-starter unit controls the legacy starter and charon daemons, which are managed via ipsec.conf/ipsec (technically it could also be managed via swanctl)

Depending on the configuration backend you want to use enable the correct unit and disable the other via systemctl disable .... And maybe consider uninstalling the packages you don't need (e.g. on Debian/Ubuntu uninstall strongswan-starter to remove the latter, or charon-systemd to remove the former).

[acro5piano]

@tobiasbrunner Thank you for your detailed explanation!

I found both of them are installed on my Arch Linux. Is it recommended to uninstall strongswan-starter and only use strongswan and configure vpn with swanctl.conf and swanctl?

[tobiasbrunner]

Yes, that would be my recommendation (you don't have to uninstall it, I don't think that's even possible with Arch as everything comes in one package, just disable it via systemctl).

[acro5piano]

Thank you. I'll try it later.

[sithglan]

03[NET] no socket implementation registered, sending failed

This happened to me twice, the issue was I had multiple charon packages installed and running in parallel. This resolved the issue for me:

apt-get remove strongswan strongswan-starter
reboot

[hbhokare]

The same issue happened to me. We got upgraded from 5.9.6 to 5.9.10. We are using Strongman on RHEL9.1. Can the above issue be solved if I do not use the default option to compile and install the strongswan? As I can see systemd specific IKE daemon charon-systemd getting enabled default here because we specify --enable-systemd as default with ./confgure

[Thermi]

charon-systemd getting enabled default here

That only makes it build the daemon. If it's ...

1. installed
   and
2. enabled

depends on if/how you install from source, and if you have the systemd unit for strongswan-swanctl enabled

[hrhasani]

Hi,
I had the same issue. I found that the problem is related to IPv6! I try to disable IPv6 in socket-default.conf and anything works fine.
I think this is a problem in the Strong that should be fixed. I used IPv4 in both local and remote addresses but it sounds like the Strong send packet in IPv6 format!

[ola1617]

Hi Guys,

Am having thesame issue with strongswan, but we didn't update . The VPN connectivity just stopped working. It works and later stopped working without any changes. see logs below:

Connections:
vpn-c: 194.83.16....194.83.245. IKEv2, dpddelay=30s
vpn-c: local: [194.83.16..] uses pre-shared key authentication
vpn-c: remote: [10.17.66.18] uses pre-shared key authentication
vpn-c: child: 0.0.0.0/0 === 10.17.128.0/18 TUNNEL, dpdaction=restart
vpn-on: 194.83....81.130.210. IKEv1, dpddelay=30s
vpn-on: local: [194.83.] uses pre-shared key authentication
vpn-on: remote: [81.130.210.] uses pre-shared key authentication
vpn-on: child: 10.0.0.0/8 === 10.17.2.0/24 TUNNEL, dpdaction=restart
vpn-l: 194.83.16...81.130.141. IKEv1, dpddelay=30s
vpn-l: local: [194.83.16.] uses pre-shared key authentication
vpn-l: remote: [81.130.141.] uses pre-shared key authentication
vpn-l: child: 0.0.0.0/0 === 10.17.1.0/24 TUNNEL, dpdaction=restart
vpn-m: 194.83.16...81.149.5. IKEv1, dpddelay=30s
vpn-m: local: [194.83.16] uses pre-shared key authentication
vpn-m: remote: [81.149.5.] uses pre-shared key authentication
vpn-m: child: 0.0.0.0/0 === 10.17.0.0/16 TUNNEL, dpdaction=restart
Security Associations (0 up, 4 connecting):
vpn-m[4]: CONNECTING, 194.83.16[%any]...81.149.5.[%any]
vpn-m[4]: IKEv1 SPIs: 8b1d5ef19c8fdac5_i* 0000000000000000_r
vpn-m[4]: Tasks queued: QUICK_MODE
vpn-m[4]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
vpn-l[3]: CONNECTING, 194.83.16[%any]...81.130.141.[%any]
vpn-l[3]: IKEv1 SPIs: 250fd8513d59eb9b_i* 0000000000000000_r
vpn-l[3]: Tasks queued: QUICK_MODE
vpn-l[3]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
vpn-on[2]: CONNECTING, 194.83.16[%any]...81.130.210.[%any]
vpn-on[2]: IKEv1 SPIs: 8c2907ecc59600ab_i* 0000000000000000_r
vpn-on[2]: Tasks queued: QUICK_MODE
vpn-on[2]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
vpn-c[1]: CONNECTING, 194.83.16[%any]...194.83.245.[%any]
vpn-c[1]: IKEv2 SPIs: 1815ec8f849ae2dd_i* 0000000000000000_r
vpn-c[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

And also checking the Journalctl log:

charon[725]: 15[IKE] sending DPD request
charon[725]: 15[ENC] generating INFORMATIONAL_V1 request 1508109817 [ HASH N(DPD) ]
charon[725]: 15[NET] sending packet: from 194.83.163.[500] to 81.130.141.[500] (108 bytes)
charon[725]: 13[KNL] 194.83.163. disappeared from eth0
charon[725]: 16[KNL] interface eth0 deactivated
charon[725]: 06[KNL] fe80::250:56ff:fe83:1cfa disappeared from eth0
charon[725]: 13[KNL] 127.0.0.1 disappeared from lo
charon[725]: 16[KNL] ::1 disappeared from lo
charon[725]: 06[KNL] interface lo deactivated
charon[725]: 06[KNL] interface lo activated
charon[725]: 07[KNL] 127.0.0.1 appeared on lo
charon[725]: 12[KNL] ::1 appeared on lo
charon[725]: 14[KNL] interface eth0 activated
charon[725]: 07[KNL] received netlink error: Network is unreachable (101)
charon[725]: 07[KNL] received netlink error: Network is unreachable (101)
charon[725]: 11[KNL] fe80::250:56ff:fe83:1cfa appeared on eth0
charon[725]: 16[KNL] received netlink error: Network is unreachable (101).

Please can anyone point me in the right direction to the solution?