Issue #2442
child_sa not found when configured with swanctl
Affected version:
5.6.0
Resolution:
No change required
Description
Connection details -
stac16 ------------------------ cool1 ------------------------ viper1 ------------------------ sandy4
10.1.1.196            10.1.1.21       20.1.1.21      20.1.1.96        30.1.1.96            30.1.1.184
Configuration on cool1 -
[root@cool1 swanctl]# pwd
/usr/local/etc/swanctl
[root@cool1 swanctl]# cat swanctl.conf
connections {
    gw-gw {
        local_addrs = 20.1.1.21
        remote_addrs = 20.1.1.96
        local {
            auth = pubkey
            certs = cool1Cert.der
            id = "C=CH, O=blr.asicdesigners.com, CN=cool1"
        }
        remote {
            auth = pubkey
            id = "C=CH, O=blr.asicdesigners.com, CN=viper1"
        }
        children {
            net-net {
                local_ts = 10.1.1.0/24
                remote_ts = 30.1.1.0/24
                # updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                esp_proposals = aes128gcm128-x25519
                hw_offload = yes
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
        proposals = aes128-sha256-x25519
    }
}
Configuration on viper1 -
[root@viper1 swanctl]# pwd
/usr/local/etc/swanctl
[root@viper1 swanctl]# cat swanctl.conf
connections {
    gw-gw {
        local_addrs = 20.1.1.96
        remote_addrs = 20.1.1.21
        local {
            auth = pubkey
            certs = viper1Cert.der
            id = "C=CH, O=blr.asicdesigners.com, CN=viper1"
        }
        remote {
            auth = pubkey
            id = "C=CH, O=blr.asicdesigners.com, CN=cool1"
        }
        children {
            net-net {
                local_ts = 30.1.1.0/24
                remote_ts = 10.1.1.0/24
                # updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                esp_proposals = aes128gcm128-x25519
                hw_offload = yes
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
        proposals = aes128-sha256-x25519
    }
}
On initiating I get the following error -
[root@cool1 etc]# sudo /usr/local/libexec/ipsec/charon &
[1] 8257
[root@cool1 etc]# 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, Linux 4.14.0-rc1-withespoffload+, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=blr.asicdesigners.com, CN=blr.asicdesigners.com CA" from '/usr/local/etc/ipsec.d/cacerts/caCert.der'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] maximum level of 10 includes reached, ignored
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[CFG] loaded RSA private key from '/usr/local/etc/ipsec.d/private/cool1Key.der'
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prnel-netlink resolve socket-default stroke vici updown xauth-generic
00[JOB] spawning 16 worker threads
[root@cool1 etc]# ps -ef | grep charon
root      8257  3254  0 05:18 pts/0    00:00:00 sudo /usr/local/libexec/ipsec/charon
root      8258  8257  0 05:18 pts/0    00:00:00 /usr/local/libexec/ipsec/charon
root      8276  3254  0 05:18 pts/0    00:00:00 grep --color=auto charon
[root@cool1 etc]# swanctl --initiate --child net-net --ike gw-gw
10[CFG] vici initiate 'net-net'
initiate failed: CHILD_SA config 'net-net' not found
What am I missing?
History
#1 Updated by Tobias Brunner almost 8 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from Urgent to Normal
You need to load the config first (see swanctl).
#2 Updated by Sony Arpita Das almost 8 years ago
Hi Tobias,
How do I load the config?
I am new to strongSwan's swanctl. Please help.
Thanks,
Sony
#3 Updated by Sony Arpita Das almost 8 years ago
Thanks Tobias.
Please close this issue.
I tried the following and it worked -
swanctl --load-conns gw-gw
swanctl -i -c net-net
#4 Updated by Tobias Brunner almost 8 years ago
- Status changed from Feedback to Closed
- Assignee set to Tobias Brunner
- Resolution set to No change required
> I tried the following and it worked -
Great you found the solution yourself.
> swanctl --load-conns gw-gw
This command actually does not take any arguments (i.e. gw-gw is just ignored).
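The two steps from #3 with the caveat from #4 folded in, written as a pre-flight script that confirms the child config actually reached the daemon before initiating; this is an added example, not code from the issue or from the strongSwan project. It assumes swanctl on PATH and charon running with the vici plugin; the embedded --list-conns listing is constructed and its layout approximated.

```shell
#!/bin/sh
# Added example, not from the issue: load swanctl.conf into the running
# charon, confirm the child config is present, then initiate. Assumes
# swanctl on PATH and charon running with the vici plugin.

# Constructed sample of `swanctl --list-conns` output (layout approximated)
# so conn_has_child can be exercised without a daemon.
SAMPLE_LISTING='gw-gw: IKEv2, no reauthentication, rekeying every 10800s
  local:  20.1.1.21
  remote: 20.1.1.96
  net-net: TUNNEL, rekeying every 5400s
    local:  10.1.1.0/24
    remote: 30.1.1.0/24'

# conn_has_child LISTING CONN CHILD
# Returns 0 when LISTING shows CHILD under IKE connection CONN, else 1.
# Top-level lines name IKE connections; two-space-indented lines name
# their sections and children.
conn_has_child() {
    printf '%s\n' "$1" | awk -v conn="$2" -v child="$3" '
        /^[^ ]/   { cur = $1; sub(/:$/, "", cur); next }
        /^  [^ ]/ { key = $1; sub(/:$/, "", key)
                    if (cur == conn && key == child) found = 1 }
        END       { exit(found ? 0 : 1) }'
}

# load_and_initiate CONN CHILD
# --load-conns takes no arguments (the "gw-gw" in the thread was ignored);
# --load-all additionally loads certs and secrets from the swanctl dirs.
load_and_initiate() {
    swanctl --load-all >/dev/null || return 2
    listing=$(swanctl --list-conns) || return 2
    if ! conn_has_child "$listing" "$1" "$2"; then
        echo "CHILD_SA '$2' not loaded under '$1'; check swanctl.conf" >&2
        return 1
    fi
    swanctl --initiate --ike "$1" --child "$2"
}

# Offline demonstration on the constructed sample; on a live gateway run
# `load_and_initiate gw-gw net-net` instead.
conn_has_child "$SAMPLE_LISTING" gw-gw net-net &&
    echo "net-net is present under gw-gw in the sample listing"
```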