On Mon, Apr 6, 2020 at 1:22 PM Majcher Wojciech (STUD)
<wojciech.majcher.s...@pw.edu.pl> wrote:
>
> Hi,
>
> I've tried to establish an IPsec tunnel according to the OvS IPsec tutorial. On one
> side of the tunnel I use Fedora 31 OS and StrongSwan IKE daemon.
>
> I am getting strongswan service error:
>
> strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
>    Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; vendor preset: disabled)
>    Active: inactive (dead)
>
> Apr 06 20:19:49 fedora.wojtek strongswan[3177]: 00[CFG] /etc/strongswan/strongswan.d/charon.conf:4: syntax error, unexpected ., expecting : or '{' or '=' [.]
> Apr 06 20:19:49 fedora.wojtek strongswan[3177]: 00[CFG] invalid config file '/etc/strongswan/strongswan.conf'
> Apr 06 20:19:49 fedora.wojtek strongswan[3177]: 00[LIB] abort initialization due to invalid configuration
> Apr 06 20:19:49 fedora.wojtek strongswan[3177]: charon has quit: integrity test of libstrongswan failed
> Apr 06 20:19:49 fedora.wojtek ipsec_starter[3177]: charon has quit: integrity test of libstrongswan failed
> Apr 06 20:19:49 fedora.wojtek strongswan[3177]: charon refused to be started
> Apr 06 20:19:49 fedora.wojtek ipsec_starter[3177]: charon refused to be started
> Apr 06 20:19:49 fedora.wojtek strongswan[3177]: ipsec starter stopped
> Apr 06 20:19:49 fedora.wojtek ipsec_starter[3177]: ipsec starter stopped
> Apr 06 20:19:49 fedora.wojtek systemd[1]: strongswan.service: Succeeded.
>
>
> charon.conf:
>
> # Generated by ovs-monitor-ipsec...do not modify by hand!
>
>
> charon.plugins.kernel-netlink.set_proto_port_transport_sa = yes
Is the line #4 that is causing the issue the one above?

If yes, then I am wondering if the set_proto_port_transport_sa option
has been removed in later versions. Can you simply remove it and
reload strongswan with "ipsec restart" to see if the issue goes away?


> charon.plugins.kernel-netlink.xfrm_ack_expires = 10
> charon.load_modular = yes
> charon.plugins.gcm.load = yes
>
> strongswan.conf:
>
> # strongswan.conf - strongSwan configuration file
> #
> # Refer to the strongswan.conf(5) manpage for details
> #
> # Configuration changes should be made in the included files
>
> charon {
> load_modular = yes
> plugins {
> include strongswan.d/charon/*.conf
>     }
> }
>
> include strongswan.d/*.conf
>
>
> OvS:
>
> openvswitch-ipsec.x86_64    2.12.0-1.fc31
> openvswitch.x86_64          2.12.0-1.fc31
>
> StrongSwan:
>
> strongswan.x86_64           5.7.2-3.fc31
>
> Is it the StrongSwan service issue? The tutorial is for Fedora 27 and
> StrongSwan (>= v5.3.5).
>
> Best Regards,
> Wojtek
>
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss