Issue #2798

charon can't start

Added by zhonghai li about 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Category:
-
Affected version:
5.5.3
Resolution:
No change required

Description

Hi

When I use "oam-sys start" to start the strongswan ipsec, the ipsec charon can't start.
The Ubuntu system reports an internal error about strongswan.

But when I use "ipsec start", charon starts normally.

Terminal info:
root@ubuntu:/opt/strongswan/sbin# ./ipsec status
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'

root@ubuntu:/opt/strongswan/sbin# ps -aux |grep ipsec
root 5188 0.0 0.0 11116 2004 ? Ss 15:12 0:00 /opt/strongswan/libexec/ipsec/starter --daemon charon
root 5482 0.0 0.0 15960 932 pts/17 S+ 15:13 0:00 grep --color=auto ipsec

root@ubuntu:/opt/strongswan/sbin# uname -a
Linux ubuntu 4.15.0-34-generic #37~16.04.1-Ubuntu SMP Tue Aug 28 10:44:06 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Other info:
When I run the same command "oam-sys start" on another Ubuntu machine, charon starts OK.

root@ubuntu:/opt/strongswan/sbin# ps -aux |grep ipsec
root 6241 0.0 0.0 11116 1880 ? Ss 15:40 0:00 /opt/strongswan/libexec/ipsec/starter --daemon charon
root 6242 1.7 0.1 942036 4340 ? Ssl 15:40 0:00 /opt/strongswan/libexec/ipsec/charon --use-syslog
root 6262 0.0 0.0 14224 968 pts/5 R+ 15:40 0:00 grep --color=auto ipsec

root@ubuntu:/var/log# uname -a
Linux ubuntu.ll.com 4.4.0-111-generic #134~14.04.1-Ubuntu SMP Mon Jan 15 15:39:56 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

I tried many methods found online, but they didn't work.
Would you give me some advice?

thanks in advance.

_opt_strongswan_libexec_ipsec_charon.0.crash (474 KB), /var/crash/, zhonghai li, 13.10.2018 09:58
syslog (1.92 MB), /var/log/, zhonghai li, 13.10.2018 09:58
kernel_modules.txt (4.55 KB), zhonghai li, 15.10.2018 15:07
core_dump.log (4.9 KB), Stack info, zhonghai li, 25.10.2018 09:54

History

#1 Updated by Tobias Brunner about 2 years ago

  • Category deleted (charon)
  • Status changed from New to Feedback

When I use "oam-sys start"

And what exactly should that be?

The Ubuntu system reports an internal error about strongswan.

How is the above related to Ubuntu? The command above rather looks like it belongs to a proprietary, vendor-specific solution. So you should probably discuss your problems with that vendor.

Terminal info:
root@ubuntu:/opt/strongswan/sbin# ./ipsec status
connecting to 'unix:///var/run/charon.ctl' failed: Connection refused
failed to connect to stroke socket 'unix:///var/run/charon.ctl'

Sounds like a permission problem (or perhaps the daemon is not running while the file still exists).

#2 Updated by zhonghai li about 2 years ago

And what exactly should that be?

oam-sys is a daemon to control strongswan ipsec.

How is the above related to Ubuntu? The command above rather looks like it belongs to a proprietary, vendor-specific solution. So you should probably discuss your problems with that vendor.

The command is run on the Ubuntu system, and after running it the system returns an error dialog.
So I wrote down the info about it.

Sounds like a permission problem (or perhaps the daemon is not running while the file still exists).

I tried deleting the files /run/charon.ctl, /run/charon.pid and /run/charon.vici, but charon still can't start.

From the log "syslog", we can see that when the charon daemon starts, it is unable to create the IPv4/IPv6 routing table rules.

charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.15.0-34-generic, x86_64)
charon: 00[KNL] unable to create IPv4 routing table rule
charon: 00[KNL] unable to create IPv6 routing table rule

#3 Updated by Tobias Brunner about 2 years ago

And what exactly should that be?

oam-sys is a daemon to control strongswan ipsec.

That is not from us, so please contact the developer/vendor of that product for support on this issue.

How is the above related to Ubuntu? The command above rather looks like it belongs to a proprietary, vendor-specific solution. So you should probably discuss your problems with that vendor.

The command is run on the Ubuntu system, and after running it the system returns an error dialog.
So I wrote down the info about it.

Again, contact the provider of the software that shows you that error dialog (strongSwan does not offer a GUI, unless you consider the NetworkManager plugin, which you are not using).

From the log "syslog", we can see that when the charon daemon starts, it is unable to create the IPv4/IPv6 routing table rules.

charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.15.0-34-generic, x86_64)
charon: 00[KNL] unable to create IPv4 routing table rule
charon: 00[KNL] unable to create IPv6 routing table rule

Either a permission problem, or perhaps due to missing modules in the kernel. But that won't prevent the daemon from starting.

#4 Updated by zhonghai li about 2 years ago

Tobias Brunner wrote:

And what exactly should that be?

oam-sys is a daemon to control strongswan ipsec.

That is not from us, so please contact the developer/vendor of that product for support on this issue.

I will confirm it. Thanks.

How is the above related to Ubuntu? The command above rather looks like it belongs to a proprietary, vendor-specific solution. So you should probably discuss your problems with that vendor.

The command is run on the Ubuntu system, and after running it the system returns an error dialog.
So I wrote down the info about it.

Again, contact the provider of the software that shows you that error dialog (strongSwan does not offer a GUI, unless you consider the NetworkManager plugin, which you are not using).

From the log "syslog", we can see that when the charon daemon starts, it is unable to create the IPv4/IPv6 routing table rules.

charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.15.0-34-generic, x86_64)
charon: 00[KNL] unable to create IPv4 routing table rule
charon: 00[KNL] unable to create IPv6 routing table rule

Either a permission problem, or perhaps due to missing modules in the kernel. But that won't prevent the daemon from starting.

I executed this command as root. About the permission problem, would you give me more info?
I checked the kernel modules. The result is in the file "kernel_modules". The required kernel modules are in it.

#5 Updated by Tobias Brunner about 2 years ago

About the permission problem, would you give me more info?

The NET_ADMIN capability is required to create the routing rules. If the daemon runs as root user that should be the case, but not if it's started by a different user. There could also be other issues e.g. a security framework like AppArmor on Ubuntu that prevents access to routing sockets.
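
The check described in #5, as an added example that is not part of the thread and not strongSwan code: it decodes the effective capability mask of a running process from /proc and reports whether CAP_NET_ADMIN (bit 12) is set, together with the LSM label (the AppArmor profile on Ubuntu). The function names and the sample status text are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic example (not strongSwan code): does a process hold
# CAP_NET_ADMIN, and is it confined by an LSM profile such as AppArmor?
CAP_NET_ADMIN_BIT=12   # value of CAP_NET_ADMIN in linux/capability.h

# Extract the effective capability mask from /proc/<pid>/status text on stdin.
capeff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# Return 0 if the hex mask has CAP_NET_ADMIN set, 1 if not, 2 on bad input.
has_net_admin() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x$1 >> CAP_NET_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Constructed sample: a daemon started by an unprivileged user that holds only
# NET_BIND_SERVICE (bit 10) and NET_RAW (bit 13), so routing rules would fail.
sample_status() {
    cat <<'EOF'
Name:	charon
Uid:	1001	1001	1001	1001
CapPrm:	0000000000002400
CapEff:	0000000000002400
EOF
}

# Print one summary line for a live process.
report_pid() {
    pid=$1
    [ -r "/proc/$pid/status" ] || { echo "pid $pid: no such process"; return 2; }
    capeff=$(capeff_from_status < "/proc/$pid/status")
    # attr/current holds the LSM label, e.g. "unconfined" or "<profile> (enforce)"
    label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || label=unknown
    if has_net_admin "$capeff"; then state=present; else state=MISSING; fi
    echo "pid $pid CapEff=$capeff CAP_NET_ADMIN=$state lsm_label=$label"
}

# Usage: sh this_script.sh <pid of charon>
if [ $# -gt 0 ]; then report_pid "$1"; fi
```

Run it against the charon PID under both start methods; a difference in the mask or in the label between "ipsec start" and the wrapper points at how the wrapper launches the daemon.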

#6 Updated by zhonghai li about 2 years ago

It crashed when I ran the ipsec command.
The backtrace is as follows. I tried to analyse it but got no result. Would you give some help? The detailed backtrace info was written to core_dump.log.

-------------------------------------
Core was generated by `/opt/strongswan/libexec/ipsec/charon --use-syslog'.
Program terminated with signal SIGABRT, Aborted.
#0 0x00007f2f3cc19428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
54 ../sysdeps/unix/sysv/linux/raise.c: 没有那个文件或目录.
[Current thread is 1 (Thread 0x7f2f31758700 (LWP 14772))]
(gdb) bt
#0 0x00007f2f3cc19428 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:54
#1 0x00007f2f3cc1b02a in __GI_abort () at abort.c:89
#2 0x00000000004020b4 in segv_handler (signal=4) at charon.c:181
#3 <signal handler called>
#4 0x00007f2f398039d4 in __gmpz_import () from /opt/twsys/lib/libgmp.so.10
#5 0x00007f2f39a62cad in create_generic (group=<optimized out>, exp_len=128, g=..., p=...) at gmp_diffie_hellman.c:239
#6 0x00007f2f3d45e6f6 in create_dh (this=0x8f3d60, group=MODP_1024_160) at crypto/crypto_factory.c:429
#7 0x00007f2f3d21b29c in build_i (this=0x7f2f1c001850, message=0x7f2f1c0028a0) at sa/ikev2/tasks/ike_init.c:533
#8 0x00007f2f3d20b7b1 in initiate (this=0x7f2f1c001c00) at sa/ikev2/task_manager_v2.c:635
#9 0x00007f2f3d1e0a9b in initiate_execute (job=job@entry=0x7f2f1c001070) at control/controller.c:472
#10 0x00007f2f3d1e152d in initiate (this=<optimized out>, peer_cfg=0x7f2f0c001930, child_cfg=0x7f2f0c002320, callback=0x0,
param=0x0, timeout=0, limits=false) at control/controller.c:528
#11 0x00007f2f38597ad2 in charon_initiate (peer_cfg=<optimized out>, child_cfg=<optimized out>, msg=msg@entry=0x7f2f1c000b90,
out=out@entry=0x7f2f1c000e40, this=0x922310) at stroke_control.c:110
#12 0x00007f2f38597eb4 in initiate (this=0x922310, msg=0x7f2f1c000b90, out=0x7f2f1c000e40) at stroke_control.c:195
#13 0x00007f2f38593fad in stroke_initiate (this=0x91d360, out=0x7f2f1c000e40, msg=0x7f2f1c000b90) at stroke_socket.c:251
#14 on_accept (this=0x91d360, stream=<optimized out>) at stroke_socket.c:659
#15 0x00007f2f3d470d51 in accept_async (data=0x7f2f1c000a50) at networking/streams/stream_service.c:189
#16 0x00007f2f3d474122 in execute (this=<optimized out>) at processing/jobs/callback_job.c:77
#17 0x00007f2f3d474a9b in process_job (worker=0x929e30, this=0x8f5910) at processing/processor.c:235
#18 process_jobs (worker=0x929e30) at processing/processor.c:321
#19 0x00007f2f3d48610b in thread_main (this=0x929e60) at threading/thread.c:331
#20 0x00007f2f3cfb56ba in start_thread (arg=0x7f2f31758700) at pthread_create.c:333
#21 0x00007f2f3cceb41d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
----------------------------------------

#7 Updated by Tobias Brunner about 2 years ago

No idea. It seems to cause a segmentation fault while importing predefined/static DH parameters (source:src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c#L239). MODP_1024_160 is a rare (and weak) group to use, but I don't really see a reason why it shouldn't work.

#8 Updated by zhonghai li about 2 years ago

No idea. It seems to cause a segmentation fault while importing predefined/static DH parameters (source:src/libstrongswan/plugins/gmp/gmp_diffie_hellman.c#L239). MODP_1024_160 is a rare (and weak) group to use, but I don't really see a reason why it shouldn't work.

Thank you all the same.
Using MODP_1024 gives the same error.
This happens when configuring the client (auto=start) side.

#9 Updated by zhonghai li almost 2 years ago

This issue was eventually solved by replacing the machine with one with a higher configuration.

#10 Updated by Tobias Brunner almost 2 years ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required
