-
Any quick help?
-
Did you build strongSwan yourself? It looks like you mixed up old compilation files and new ones or something else happened.
That is telling you roughly what the issue is. Maybe you forgot to also update the plugin files or something like that?
-
We didn't build it manually; we installed strongswan using yum.
-
logs from journalctl -u strongswan,
-
That looks like it just works.
-
Actually not. The swanctl initiate command doesn't show any success. It retransmits and shows failed.
-
Can I ask why you censor in this post but not the previous one and then also with the same pattern for both IP addresses and don't keep the line breaks in this last post?
-
Umm, that was the output I directly captured and posted here.
-
@Thermi Can you please help with where it is getting the issue?
-
So the output here #1384 (comment) is from the previous version that worked and that one here #1384 (comment) and following is from the new one?
-
The output snippets above are both from 5.9.8.
-
So it works if the other peer initiates?
-
No, it still fails.
-
So why does it complete negotiation in #1384 (comment) then? Those logs contain no timeouts.
-
We have NAT, so is there any chance of the port not getting to the other side, as the initiate command says the peer is not responding?
-
That sounds like the router implementing NAT is broken and doesn't map the ports correctly.
-
Is there a way I can confirm this?
-
Ideally check outbound traffic of the router.
-
Also the first starts it under control, monitoring and with environment as configured by systemd, the latter as under your currently running user and without monitoring by systemd.
Always control strongswan via systemd (or whatever your init daemon is). Never start it as your user.
On 11 November 2022 08:53:22 UTC, Tobias Brunner ***@***.***> wrote:
> Yes, the latter starts _starter/charon_, the former starts _charon-systemd_.
-
Same problem here. Updating Fedora 35 to 37, I get a new version of strongswan (5.9.8) and the error:
After downgrading to 5.9.6 it works like before... the configuration didn't change. I can do some tests to understand the problem if it helps.
-
But the process run by the systemd unit is "charon-systemd", no? Please check if maybe there are two units starting some variant of strongSwan, you can see the units with their processes in the output of `systemctl status`.
On November 22, 2022 10:28:01 AM UTC, Domenico Briganti ***@***.***> wrote:
> What a shame! Sorry, I didn't read the log correctly. The point is that with version 5.9.8 installed there is the charon-systemd process that occupies those ports, and with the previous version that process is not started (or is not present); because of this, I suspected it was a bug in this version. Once charon-systemd is killed, the VPNs start as usual.
-
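One way to check the diagnosis reached in the comment above (charon-systemd already holding the IKE ports when another daemon is started), as an added example that is not part of the original thread: it parses `ss -H -lunp` output and reports which process owns UDP 500 and 4500. The function names and the sample lines (addresses, PIDs, fds) are constructed for illustration.

```shell
#!/bin/sh
# Added example: find out which process holds the IKE (500) and NAT-T (4500)
# UDP ports. Input is `ss -H -lunp` output on stdin, one socket per line.

# Print unique "port process" pairs for UDP 500 and 4500.
ike_port_owners() {
    awk '
    {
        port = ""; proc = "unknown"   # "unknown": ss ran without root
        for (i = 1; i <= NF; i++) {
            # The first field ending in :500 or :4500 is the local address.
            if (port == "" && $i ~ /:(500|4500)$/) {
                n = split($i, part, ":"); port = part[n]
            }
            # Process column looks like users:(("name",pid=1,fd=2))
            if ($i ~ /^users:/) { split($i, q, "\""); proc = q[2] }
        }
        if (port != "") print port, proc
    }' | LC_ALL=C sort -u
}

# Exit 0 if every IKE port on stdin is held by daemon $1, 1 if another
# process holds one of them, 2 if nothing listens on 500/4500 at all.
ike_ports_held_by() {
    owners=$(ike_port_owners)
    [ -n "$owners" ] || return 2
    printf '%s\n' "$owners" |
        awk -v want="$1" '$2 != want { bad = 1 } END { exit bad + 0 }'
}

# Constructed sample (addresses, PIDs and fds are made up): charon-systemd
# owns the ports, as in the situation described in the thread.
SAMPLE_SS='UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon-systemd",pid=812,fd=12))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=812,fd=13))
UNCONN 0 0 [::]:500 [::]:* users:(("charon-systemd",pid=812,fd=10))
UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=14))'

printf '%s\n' "$SAMPLE_SS" | ike_port_owners
if ! printf '%s\n' "$SAMPLE_SS" | ike_ports_held_by charon; then
    echo "UDP 500/4500 are not held by charon: another process owns them"
fi
# Live use, as root so that -p can resolve process names:
#   ss -H -lunp | ike_port_owners
```

On a live host, compare the owner reported here with the processes listed under each unit in `systemctl status`, as suggested in the thread.
-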
I had the same problem and your solution worked for me like a charm. I really appreciate it!!
(Though I'm not sure that is appropriate or not)
-
The same issue happened to me. We got upgraded from 5.9.6 to 5.9.10. We are using Strongman on RHEL9.1. Can the above issue be solved if I do not use the default option to compile and install strongswan? As I can see, the systemd-specific IKE daemon charon-systemd is getting enabled by default here because we specify --enable-systemd as default with ./configure
-
Hi,
-
Hi guys, I am having the same issue with strongswan, but we didn't update. The VPN connectivity just stopped working. It worked and later stopped working without any changes. See logs below:
Connections:
And also checking the journalctl log:
charon[725]: 15[IKE] sending DPD request
Please can anyone point me in the right direction to the solution?
-
Additional context
We are using Strongswan for providing IPSEC over GRE. We were previously running 5.9.6 and, using swanctl.conf, we were able to get it working successfully. And suddenly, on upgrade to 5.9.8, it stopped working, and the swanctl initiate command keeps retrying and fails with
[IKE] establishing IKE_SA failed, peer not responding
initiate failed: establishing CHILD_SA 'dc-dsnet' failed
I have configured a log file with the highest level of logging and could see:
Oct 31 13:35:37 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Oct 31 13:35:37 00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'eap-tnc': failed to load - eap_tnc_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-ifmap': failed to load - tnc_ifmap_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-pdp': failed to load - tnc_pdp_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-imc': failed to load - tnc_imc_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-imv': failed to load - tnc_imv_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnc-tnccs': failed to load - tnc_tnccs_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnccs-20': failed to load - tnccs_20_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnccs-11': failed to load - tnccs_11_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] plugin 'tnccs-dynamic': failed to load - tnccs_dynamic_plugin_create not found and no plugin file available
Oct 31 13:35:37 00[LIB] feature CUSTOM:sql in plugin 'sql' failed to load
Oct 31 13:35:37 00[CFG] opening triplet file /etc/strongswan/ipsec.d/triplets.dat failed: No such file or directory
Oct 31 13:35:37 00[LIB] feature CUSTOM:eap-sim-file-triplets in plugin 'eap-sim-file' failed to load
Oct 31 13:35:37 00[LIB] feature CUSTOM:ha in plugin 'ha' failed to load
Oct 31 13:35:37 00[LIB] feature CUSTOM:ext_auth in plugin 'ext-auth' failed to load
Oct 31 13:35:37 03[NET] no socket implementation registered, receiving failed
And I am not sure if everything is of concern, except for: no socket implementation registered, receiving failed
Our pipeline is blocked and we have no clue what the issue is.
Any quick help, please.