Issue #1418

IKEv2 site-to-site PSK example issue

Added by Jens Rantil over 9 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Category: documentation
Affected version: 4.5.2
Resolution: Fixed

Description

I've been configuring an IKEv2 site-to-site PSK tunnel. I've been using https://www.strongswan.org/uml/testresults/ikev2/net2net-psk/ (cred to you for an awesome suite of examples!). The "strongswan.conf" files state I should have

load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown

in the `charon { ... }` section. When I do that 1) I get the following warning when restarting ipsec

mydir # ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 4.5.2 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for
!! pluto and/or charon. This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

and 2) my IPSEC tunnels aren't able to establish an SA. My syslog says:

Apr 19 10:47:35 myhost charon: 00[DMN] Starting IKEv2 charon daemon (strongSwan 4.5.2)
Apr 19 10:47:35 myhost charon: 00[LIB] plugin 'nonce' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nonce.so: cannot open shared object file: No such file or directory
Apr 19 10:47:35 myhost charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Apr 19 10:47:35 myhost charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Apr 19 10:47:35 myhost charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Apr 19 10:47:35 myhost charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Apr 19 10:47:35 myhost charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Apr 19 10:47:35 myhost charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Apr 19 10:47:35 myhost charon: 00[CFG] loaded IKE secret for @ZZZ @YYY
Apr 19 10:47:35 myhost charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Apr 19 10:47:35 myhost charon: 00[KNL] listening on interfaces:
Apr 19 10:47:35 myhost charon: 00[KNL] eth0
Apr 19 10:47:35 myhost charon: 00[KNL] X.X:X.X
Apr 19 10:47:35 myhost charon: 00[KNL] XXXX::XX:XXXX:XXXX:XXXX
Apr 19 10:47:35 myhost charon: 00[KNL] eth1
Apr 19 10:47:35 myhost charon: 00[KNL] Y.Y.Y.Y
Apr 19 10:47:35 myhost charon: 00[KNL] XXXX::XXX:XXXX:XXXX:XXXX
Apr 19 10:47:35 myhost charon: 00[LIB] plugin 'socket-default' failed to load: /usr/lib/ipsec/plugins/libstrongswan-socket-default.so: cannot open shared object file: No such file or directory
Apr 19 10:47:35 myhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random hmac stroke kernel-netlink updown
Apr 19 10:47:35 myhost charon: 00[JOB] spawning 16 worker threads
Apr 19 10:47:35 myhost charon: 11[NET] no socket implementation registered, receiving failed
Apr 19 10:47:35 myhost charon: 08[CFG] received stroke: add connection 'net-net'
Apr 19 10:47:35 myhost charon: 08[CFG] added configuration 'net-net'
Apr 19 10:47:35 myhost charon: 12[CFG] received stroke: initiate 'net-net'
Apr 19 10:47:35 myhost charon: 12[IKE] initiating IKE_SA net-net[1] to X.X.X.X
Apr 19 10:47:35 myhost charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Apr 19 10:47:35 myhost charon: 12[NET] sending packet: from Y.Y.Y.Y[500] to Z.Z.Z.Z[500]
Apr 19 10:47:35 myhost charon: 06[NET] no socket implementation registered, sending failed
Apr 19 10:47:39 myhost charon: 15[IKE] retransmit 1 of request with message ID 0
Apr 19 10:47:39 myhost charon: 15[NET] sending packet: from Z.Z.Z.Z[500] to Z.Z.Z.Z[500]
Apr 19 10:47:39 myhost charon: 06[NET] no socket implementation registered, sending failed

Removing the "load" attribute makes my SA established and removes the warning I get when starting the ipsec.

I am using the StrongSwan Ubuntu package that comes with Ubuntu 12.04 version 4.5.2-1.2.

History

#1 Updated by Jens Rantil over 9 years ago

If the issue here is that I am running an older client, I suggest the documentation more clearly state which version of StrongSwan the examples are for.

#2 Updated by Tobias Brunner over 9 years ago

  • Tracker changed from Bug to Issue
  • Status changed from New to Feedback

Removing the "load" attribute makes my SA established and removes the warning I get when starting the ipsec.

Good, so the warning message accomplished its purpose.

The "examples" are actually regression test scenarios and to run all of them pretty much all plugins are required and get built and installed. That's why the load statements are used here to only load the plugins that are actually needed for each scenario.

The config files in these "examples" are not meant to be copy-n-pasted literally. They just serve as, well, examples. Attempting to understand each setting and its effects is definitely advisable.

If the issue here is that I am running an older client, I suggest the documentation more clearly state which version of StrongSwan the examples are for.

Since these are the results of running the regression tests against a specific strongSwan version (usually the latest) they are always for the release stated on the overview page of a test run (e.g. https://www.strongswan.org/testing/testresults/).

Apr 19 10:47:35 myhost charon: 00[LIB] plugin 'socket-default' failed to load: /usr/lib/ipsec/plugins/libstrongswan-socket-default.so: cannot open shared object file: No such file or directory

In the version you are using (which is extremely old) the socket-raw plugin was required as two daemons handled the two IKE protocol versions. Apparently the socket-default plugin was not even distributed. You can find example scenarios for the 4.x series on ConfigurationExamples or https://www.strongswan.org/testing/testresults4/.
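
Added example, not part of the original thread or of strongSwan: a small Python check for the failure discussed above, comparing a manual `load =` list with what charon reports in its log. The load line and log lines are a constructed sample copied from this issue; the function names and the rule that socket backends are the plugins named `socket-*` are assumptions.

```python
import re

# Constructed inputs: the load line and five log lines quoted in this issue.
LOAD_LINE = ("load = aes des sha1 sha2 md5 gmp random nonce hmac stroke "
             "kernel-netlink socket-default updown")
SAMPLE_LOG = """\
Apr 19 10:47:35 myhost charon: 00[LIB] plugin 'nonce' failed to load: /usr/lib/ipsec/plugins/libstrongswan-nonce.so: cannot open shared object file: No such file or directory
Apr 19 10:47:35 myhost charon: 00[LIB] plugin 'socket-default' failed to load: /usr/lib/ipsec/plugins/libstrongswan-socket-default.so: cannot open shared object file: No such file or directory
Apr 19 10:47:35 myhost charon: 00[DMN] loaded plugins: aes des sha1 sha2 md5 gmp random hmac stroke kernel-netlink updown
Apr 19 10:47:35 myhost charon: 11[NET] no socket implementation registered, receiving failed
Apr 19 10:47:35 myhost charon: 06[NET] no socket implementation registered, sending failed
"""

FAILED_RE = re.compile(r"\[LIB\] plugin '([^']+)' failed to load")
LOADED_RE = re.compile(r"\[DMN\] loaded plugins:\s*(.*)$")
NO_SOCKET_RE = re.compile(r"\[NET\] no socket implementation registered")


def parse_load_option(line):
    """Return the plugin names from a 'load = ...' strongswan.conf line."""
    key, sep, value = line.partition("=")
    if not sep or key.strip() != "load":
        raise ValueError("expected a 'load = ...' line")
    return value.split()


def audit_plugin_load(load_line, log_text):
    """Compare the requested plugin list with what charon reports loading."""
    requested = parse_load_option(load_line)
    failed, loaded, socket_errors = [], [], 0
    for line in log_text.splitlines():
        if (m := FAILED_RE.search(line)):
            failed.append(m.group(1))
        elif (m := LOADED_RE.search(line)):
            loaded = m.group(1).split()
        elif NO_SOCKET_RE.search(line):
            socket_errors += 1
    return {
        "failed": failed,
        # Requested but absent from the daemon's own "loaded plugins" line.
        "not_loaded": [p for p in requested if p not in loaded],
        # Assumption: socket backends are the plugins named "socket-*".
        "has_socket_plugin": any(p.startswith("socket-") for p in loaded),
        "socket_errors": socket_errors,
    }


if __name__ == "__main__":
    for key, value in audit_plugin_load(LOAD_LINE, SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A result with `has_socket_plugin` false and a non-zero `socket_errors` matches the state in this report: the daemon starts and accepts the connection, but cannot send or receive IKE packets.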

#3 Updated by Jens Rantil over 9 years ago

Tobias, thank you for your extensive answer! (Clearly) I am new to StrongSwan so I didn't know any of this. To make things easier for beginners like me, how about we close this issue by summarizing https://wiki.strongswan.org/issues/1418#note-2 in a sentence or two in the text here: https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation#Configuration-Examples ?

#4 Updated by Tobias Brunner over 9 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Fixed

I've added ConfigurationExamplesNotes and linked it on UserDocumentation (or rather ConfigurationExamples as that's included in the other page).

#5 Updated by Jens Rantil over 9 years ago

Perfect! Thanks!