Issue #3661
StrongSwan Kernel modules were not loaded - Compiled from source code
Description
Dears
Kindly, I need your support with this setup. After I installed strongSwan by compiling it from source code, I do not see the strongSwan kernel modules loaded. I came to know that because I see no policies or routes installed there.
Operating System and other details you can find them below:
[root@b4a65b ~]# uname -r
3.8.13-118.49.1.el7uek.x86_64
[root@b4a65b ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)
Installation command and parameters:
Configure
./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --disable-gmp --disable-static --enable-shared --enable-kernel-libipsec
Then make
make
sudo make install
Logs from /var/log/messages
Dec 21 14:50:09 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:10 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:11 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:12 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:13 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
[root@b4a65b ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 3.8.13-118.49.1.el7uek.x86_64, x86_64):
uptime: 28 minutes, since Dec 21 14:54:40 2020
malloc: sbrk 2428928, mmap 0, used 435344, free 1993584
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp certexpire radattr addrblock unity counters
Listening IP addresses:
192.168.100.7
100.67.2.246
Connections:
IPSec-To-COB-RUH-OS: 100.67.2.246...91.122.172.11 IKEv2, dpddelay=10s
IPSec-To-COB-RUH-OS: local: [76.49.15.5] uses pre-shared key authentication
IPSec-To-COB-RUH-OS: remote: [91.122.172.11] uses pre-shared key authentication
IPSec-To-COB-RUH-OS: child: 100.67.2.0/24 === 10.10.103.0/28 TUNNEL, dpdaction=restart
Routed Connections:
IPSec-To-COB-RUH-OS{1}: ROUTED, TUNNEL, reqid 1
IPSec-To-COB-RUH-OS{1}: 100.67.2.0/24 === 10.10.103.0/28
Security Associations (0 up, 0 connecting):
none
Config:
cd /usr/local/etc
[root@b4a65b etc]# cat ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn IPSec-To-COB-RUH-OS
    #aggressive = no
    #fragmentation = yes
    keyexchange = ikev2
    authby=secret
    installpolicy = yes
    type = tunnel
    left=100.67.2.246
    right=91.122.172.11
    leftid=76.49.15.5
    rightid=91.122.172.11
    leftsubnet=100.67.2.0/24
    rightsubnet=10.10.103.0/28
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    forceencaps = yes
    keyingtries=0
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=10s
    dpdtimeout=60s
    dpdaction=restart
    auto=route
Current Modules are:
[root@b4a65b etc]# lsmod
Module Size Used by
tun 19993 2
xenfs 3377 1
xen_privcmd 5587 1 xenfs
ppdev 8174 0
ghash_clmulni_intel 4611 0
aesni_intel 45119 0
xts 3242 1 aesni_intel
aes_x86_64 7935 1 aesni_intel
lrw 4062 1 aesni_intel
gf128mul 7871 2 lrw,xts
ablk_helper 2997 1 aesni_intel
cryptd 9927 3 ghash_clmulni_intel,aesni_intel,ablk_helper
microcode 115735 0
parport_pc 21261 0
parport 38024 2 ppdev,parport_pc
pcspkr 2150 0
i2c_piix4 11538 0
i2c_core 30920 1 i2c_piix4
ip_tables 18323 0
xfs 866206 2
libcrc32c 1252 1 xfs
ata_generic 3758 0
pata_acpi 3654 0
xen_netfront 21104 0
xen_blkfront 31495 3
crc32c_intel 14391 1
floppy 62993 0
serio_raw 5567 0
ata_piix 26174 0
dm_mirror 13667 0
dm_region_hash 10821 1 dm_mirror
dm_log 9451 2 dm_region_hash,dm_mirror
dm_mod 81239 9 dm_log,dm_mirror
ipv6 334493 44
autofs4 33017 2
History
#1 Updated by Noel Kuntze 4 months ago
- Status changed from New to Feedback
Hi,
The errors are due to you using kernel-libipsec and libipsec. Don't load kernel-libipsec and the kernel IPsec implementation, that also supports policy based tunnels, will be used.
That is the root of all your issues.
Also, please don't install from source. CentOS and RHEL packages of strongSwan are usually in the EPEL repos. They should be good enough.
#2 Updated by TAHER BAHASHWAN 4 months ago
Noel Kuntze wrote:
Hi,
The errors are due to you using kernel-libipsec and libipsec. Don't load kernel-libipsec and the kernel IPsec implementation, that also supports policy based tunnels, will be used.
That is the root of all your issues.
Also, please don't install from source. CentOS and RHEL packages of strongSwan are usually in the EPEL repos. They should be good enough.
Hi
Many thanks, yes, that indeed resolved the issue, but how do I get rid of the currently installed one? Now we have both the ipsec command and the strongswan command working after installing it.
IPSec
Located in /usr/local/sbin/ipsec
[root@vClinic-VPN-Server ~]# ipsec version
Linux strongSwan U5.8.1/K3.8.13-118.49.1.el7uek.x86_64
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.
StrongSwan
Located in /sbin/strongswan
strongswan version
Linux strongSwan U5.7.2/K3.8.13-118.49.1.el7uek.x86_64
University of Applied Sciences Rapperswil, Switzerland
See 'strongswan --copyright' for copyright information.
#3 Updated by Noel Kuntze 4 months ago
Hi,
run "make uninstall" in the directory of the sources you originally installed from.
#4 Updated by TAHER BAHASHWAN 4 months ago
Noel Kuntze wrote:
Hi,
run "make uninstall" in the directory of the sources you originally installed from.
Excellent dear :) Thanks a lot
#5 Updated by TAHER BAHASHWAN 4 months ago
Noel Kuntze wrote:
Hi,
The errors are due to you using kernel-libipsec and libipsec. Don't load kernel-libipsec and the kernel IPsec implementation, that also supports policy based tunnels, will be used.
That is the root of all your issues.
Also, please don't install from source. CentOS and RHEL packages of strongSwan are usually in the EPEL repos. They should be good enough.
What is the best way to install it from source code if kernel-libipsec and libipsec are causing this issue?
#6 Updated by Noel Kuntze 4 months ago
TBH the best way is to just not build them. Then you can't forget to disable them later.
You can configure which plugins are to be loaded before you start the daemon, but in your case, you already made the grave mistake of installing from source.
Best way to install from source is not to and instead to build a package of the code and install that package then.
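The diagnosis in comment #1 and the plugin-loading remark in comment #6, as an added example (not written by the thread participants or the strongSwan project): a check that reads the "loaded plugins:" line of `ipsec statusall` and prints the override that keeps charon from loading kernel-libipsec. It assumes the default modular plugin loading with per-plugin snippets under strongswan.d/charon/ in the configuration directory; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: find kernel-libipsec in `ipsec statusall` output and print
# the config snippet that stops charon from loading it.

# Constructed sample, abbreviated from the statusall output in this thread.
sample_statusall() {
cat <<'EOF'
Status of IKE charon daemon (strongSwan 5.8.1, Linux 3.8.13-118.49.1.el7uek.x86_64, x86_64):
  loaded plugins: charon aes sha2 openssl hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown
Security Associations (0 up, 0 connecting):
EOF
}

# Print the kernel-* backends named on the "loaded plugins:" line, one per line.
kernel_backends() {
  awk '/loaded plugins:/ {
         sub(/.*loaded plugins:/, "")
         for (i = 1; i <= NF; i++) if ($i ~ /^kernel-/) print $i
       }'
}

# Return 0 when kernel-libipsec is among the loaded plugins, 1 otherwise.
libipsec_loaded() {
  kernel_backends | grep -qx 'kernel-libipsec'
}

# Content for strongswan.d/charon/kernel-libipsec.conf (assumed default layout).
disable_fragment() {
  printf 'kernel-libipsec {\n    load = no\n}\n'
}

# Read statusall output on stdin; return 1 and print the fix if the plugin is loaded.
check_backend() {
  if libipsec_loaded; then
    echo "kernel-libipsec is loaded next to the kernel backend"
    echo "set this in strongswan.d/charon/kernel-libipsec.conf, then restart:"
    disable_fragment
    return 1
  fi
  echo "kernel-libipsec is not loaded; the kernel IPsec implementation is used"
}

# Live use: ipsec statusall | check_backend
sample_statusall | check_backend || true
```

On the source install from this thread the configuration directory is /usr/local/etc, so the snippet would sit below that path.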
#7 Updated by TAHER BAHASHWAN 4 months ago
Noel Kuntze wrote:
TBH the best way is to just not build them. Then you can't forget to disable them later.
You can configure which plugins are to be loaded before you start the daemon, but in your case, you already made the grave mistake of installing from source.
Best way to install from source is not to and instead to build a package of the code and install that package then.
Thanks a lot. Can you please give an example for enabling the HA plugin for a running and installed strongSwan package?
#8 Updated by Tobias Brunner 3 months ago
- Category set to build
- Status changed from Feedback to Closed
- Assignee set to Noel Kuntze
- Resolution set to No change required
Can you please give an example for enabling the HA plugin for a running and installed strongSwan package?
How to build a package with different configure options depends on the distribution and is out of scope here.