Issue #3661

strongSwan kernel modules were not loaded - compiled from source code

Added by TAHER BAHASHWAN 9 months ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
build
Affected version:
5.9.1
Resolution:
No change required

Description

Dears

Kindly I need your support with this setup. After I installed strongSwan by compiling it from source code, I do not see the strongSwan kernel modules loaded; I came to know this because I see no policies installed and no routes there.
The operating system and other details can be found below:

[root@b4a65b ~]# uname -r
3.8.13-118.49.1.el7uek.x86_64
[root@b4a65b ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.8 (Maipo)

Installation command and parameters:

Configure

./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock --enable-unity --enable-certexpire --enable-radattr --enable-tools --disable-gmp --disable-static --enable-shared --enable-kernel-libipsec

Then make
make
sudo make install

Logs from /var/log/messages

Dec 21 14:50:09 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:10 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:11 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:12 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet
Dec 21 14:50:13 b4a65b charon: 07[ESP] could not find an outbound IPsec SA for reqid {1}, dropping packet

[root@b4a65b ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.1, Linux 3.8.13-118.49.1.el7uek.x86_64, x86_64):
  uptime: 28 minutes, since Dec 21 14:54:40 2020
  malloc: sbrk 2428928, mmap 0, used 435344, free 1993584
  worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac attr kernel-libipsec kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp certexpire radattr addrblock unity counters
Listening IP addresses:
  192.168.100.7
  100.67.2.246
Connections:
IPSec-To-COB-RUH-OS:  100.67.2.246...91.122.172.11  IKEv2, dpddelay=10s
IPSec-To-COB-RUH-OS:   local:  [76.49.15.5] uses pre-shared key authentication
IPSec-To-COB-RUH-OS:   remote: [91.122.172.11] uses pre-shared key authentication
IPSec-To-COB-RUH-OS:   child:  100.67.2.0/24 === 10.10.103.0/28 TUNNEL, dpdaction=restart
Routed Connections:
IPSec-To-COB-RUH-OS{1}:  ROUTED, TUNNEL, reqid 1
IPSec-To-COB-RUH-OS{1}:   100.67.2.0/24 === 10.10.103.0/28
Security Associations (0 up, 0 connecting):
  none

Config:

[root@b4a65b ~]# cd /usr/local/etc
[root@b4a65b etc]# cat ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no

conn IPSec-To-COB-RUH-OS
    #aggressive=no
    #fragmentation=yes
    keyexchange=ikev2
    authby=secret
    installpolicy=yes
    type=tunnel
    left=100.67.2.246
    right=91.122.172.11
    leftid=76.49.15.5
    rightid=91.122.172.11
    leftsubnet=100.67.2.0/24
    rightsubnet=10.10.103.0/28
    ike=aes256-sha2_256-modp2048!
    esp=aes256-sha2_256!
    forceencaps=yes
    keyingtries=0
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=10s
    dpdtimeout=60s
    dpdaction=restart
    auto=route

Currently loaded modules:

[root@b4a65b etc]# lsmod
Module                  Size  Used by
tun                    19993  2
xenfs                   3377  1
xen_privcmd             5587  1 xenfs
ppdev                   8174  0
ghash_clmulni_intel     4611  0
aesni_intel            45119  0
xts                     3242  1 aesni_intel
aes_x86_64              7935  1 aesni_intel
lrw                     4062  1 aesni_intel
gf128mul                7871  2 lrw,xts
ablk_helper             2997  1 aesni_intel
cryptd                  9927  3 ghash_clmulni_intel,aesni_intel,ablk_helper
microcode             115735  0
parport_pc             21261  0
parport                38024  2 ppdev,parport_pc
pcspkr                  2150  0
i2c_piix4              11538  0
i2c_core               30920  1 i2c_piix4
ip_tables              18323  0
xfs                   866206  2
libcrc32c               1252  1 xfs
ata_generic             3758  0
pata_acpi               3654  0
xen_netfront           21104  0
xen_blkfront           31495  3
crc32c_intel           14391  1
floppy                 62993  0
serio_raw               5567  0
ata_piix               26174  0
dm_mirror              13667  0
dm_region_hash         10821  1 dm_mirror
dm_log                  9451  2 dm_region_hash,dm_mirror
dm_mod                 81239  9 dm_log,dm_mirror
ipv6                  334493  44
autofs4                33017  2

History

#1 Updated by Noel Kuntze 9 months ago

  • Status changed from New to Feedback

Hi,

The errors are due to you using kernel-libipsec and libipsec. Don't load kernel-libipsec, and the kernel IPsec implementation, which also supports policy-based tunnels, will be used.
That is the root of all your issues.

Also, please don't install from source. CentOS and RHEL packages of strongSwan are usually in the EPEL repos. They should be good enough.

#2 Updated by TAHER BAHASHWAN 9 months ago

Noel Kuntze wrote:

Hi,

The errors are due to you using kernel-libipsec and libipsec. Don't load kernel-libipsec, and the kernel IPsec implementation, which also supports policy-based tunnels, will be used.
That is the root of all your issues.

Also, please don't install from source. CentOS and RHEL packages of strongSwan are usually in the EPEL repos. They should be good enough.

Hi

Many thanks, yes, that indeed resolved the issue. But how do I get rid of the currently installed one? Now we have both the ipsec command and the strongswan command working after installing it.

ipsec
Located in /usr/local/sbin/ipsec
[root@vClinic-VPN-Server ~]# ipsec version
Linux strongSwan U5.8.1/K3.8.13-118.49.1.el7uek.x86_64
University of Applied Sciences Rapperswil, Switzerland
See 'ipsec --copyright' for copyright information.

strongswan

Located in /sbin/strongswan
[root@vClinic-VPN-Server ~]# strongswan version
Linux strongSwan U5.7.2/K3.8.13-118.49.1.el7uek.x86_64
University of Applied Sciences Rapperswil, Switzerland
See 'strongswan --copyright' for copyright information.

#3 Updated by Noel Kuntze 9 months ago

Hi,

run "make uninstall" in the directory of the sources you originally installed from.

#4 Updated by TAHER BAHASHWAN 9 months ago

Noel Kuntze wrote:

Hi,

run "make uninstall" in the directory of the sources you originally installed from.

Excellent dear :) Thanks a lot

#5 Updated by TAHER BAHASHWAN 9 months ago

Noel Kuntze wrote:

Hi,

The errors are due to you using kernel-libipsec and libipsec. Don't load kernel-libipsec, and the kernel IPsec implementation, which also supports policy-based tunnels, will be used.
That is the root of all your issues.

Also, please don't install from source. CentOS and RHEL packages of strongSwan are usually in the EPEL repos. They should be good enough.

What is the best way to install it from source code if kernel-libipsec and libipsec are causing this issue?

#6 Updated by Noel Kuntze 9 months ago

TBH the best way is to just not build them. Then you can't forget to disable them later.
You can configure which plugins are to be loaded before you start the daemon, but in your case, you already made the grave mistake of installing from source.

The best way to install from source is not to, and instead to build a package of the code and install that package.
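An added example, not from the ticket or from the strongSwan project, covering both Noel's diagnosis in #1 and his advice in #6: a POSIX shell helper that detects from `ipsec statusall` output whether kernel-libipsec is the active backend, switches the plugin's drop-in to `load = no` as the quick fix without a rebuild, and shows the ticket's configure line with `--enable-kernel-libipsec` removed as the permanent fix. The drop-in path under /usr/local/etc/strongswan.d/charon/ and the assumption that the installed strongswan.conf uses `load_modular = yes` with `include strongswan.d/charon/*.conf` are assumptions about a default source build with prefix /usr/local; the sample statusall text is constructed.

```shell
#!/bin/sh
# Added example (not from the ticket): find out whether charon is running the
# userland libipsec backend, and keep the plugin from loading.
# Assumption: default source build, prefix /usr/local, whose installed
# strongswan.conf sets load_modular = yes and includes strongswan.d/charon/*.conf.

# Constructed sample of `ipsec statusall` output (only the relevant lines).
SAMPLE_STATUS='Status of IKE charon daemon (strongSwan 5.8.1):
  loaded plugins: charon aes sha2 hmac kernel-libipsec kernel-netlink socket-default stroke vici
Listening IP addresses:'

# plugin_loaded NAME: succeed if NAME appears in the "loaded plugins:" line of
# statusall output read from stdin.
plugin_loaded() {
    awk -v want="$1" '
        $1 == "loaded" && $2 == "plugins:" {
            for (i = 3; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# ipsec_backend: print which backend handles SAs and policies for the statusall
# output on stdin. When kernel-libipsec is loaded it takes over SA and policy
# handling from kernel-netlink, so `ip xfrm state` and `ip xfrm policy` stay
# empty and traffic goes through the libipsec TUN device instead.
ipsec_backend() {
    status=$(cat)
    if printf '%s\n' "$status" | plugin_loaded kernel-libipsec; then
        echo libipsec
    elif printf '%s\n' "$status" | plugin_loaded kernel-netlink; then
        echo netlink
    else
        echo unknown
    fi
}

# disable_libipsec CONF: flip "load = yes" to "load = no" in the plugin's
# drop-in, normally /usr/local/etc/strongswan.d/charon/kernel-libipsec.conf
# (assumed path). Restart charon afterwards and re-check with `ipsec statusall`.
disable_libipsec() {
    tmp=$(mktemp) || return 1
    sed 's/^\([[:space:]]*\)load = yes/\1load = no/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# rebuild_without_libipsec SRCDIR: the permanent fix. Remove the existing
# install from the same source tree (#3), then configure with the ticket's
# options minus --enable-kernel-libipsec so the plugin is never built (#6).
# Not executed by this script; run it by hand on the build host.
rebuild_without_libipsec() {
    cd "$1" || return 1
    make uninstall
    ./configure --enable-eap-identity --enable-eap-md5 --enable-eap-mschapv2 \
        --enable-eap-tls --enable-eap-ttls --enable-eap-peap --enable-eap-tnc \
        --enable-eap-dynamic --enable-eap-radius --enable-xauth-eap \
        --enable-xauth-pam --enable-dhcp --enable-openssl --enable-addrblock \
        --enable-unity --enable-certexpire --enable-radattr --enable-tools \
        --disable-gmp --disable-static --enable-shared
    make && make install
}

# Demonstration on the constructed sample; prints "libipsec".
printf '%s\n' "$SAMPLE_STATUS" | ipsec_backend
```

On the real host, pipe the daemon's own output through the check: `ipsec statusall | ipsec_backend`. If it prints `libipsec`, either run `disable_libipsec /usr/local/etc/strongswan.d/charon/kernel-libipsec.conf` and restart charon, or rebuild as shown; afterwards `ip xfrm policy` should list the trap policies for the `auto=route` connection, which is what was missing in the ticket.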

#7 Updated by TAHER BAHASHWAN 9 months ago

Noel Kuntze wrote:

TBH the best way is to just not build them. Then you can't forget to disable them later.
You can configure which plugins are to be loaded before you start the daemon, but in your case, you already made the grave mistake of installing from source.

The best way to install from source is not to, and instead to build a package of the code and install that package.

Thanks a lot. Can you please give an example of enabling the HA plugin for a running and installed strongSwan package?

#8 Updated by Tobias Brunner 9 months ago

  • Category set to build
  • Status changed from Feedback to Closed
  • Assignee set to Noel Kuntze
  • Resolution set to No change required

Can you please give an example of enabling the HA plugin for a running and installed strongSwan package?

How to build a package with different configure options depends on the distribution and is out of scope here.
