Hi Andreas,

Actually both "lo" and lo had the same result: no IP is displayed below "Listening IP addresses". However, my IKE and IPsec SAs from the initiator (to this responder machine) were established. I suppose I am unblocked then.

Thanks.
Piyush

On Tue, May 2, 2017 at 11:00 AM, Andreas Steffen <andreas.stef...@strongswan.org> wrote:

> Hi Piyush,
>
> have you tried
>
>   interfaces_use = lo
>
> without the double quotes?
>
> Regards
>
> Andreas
>
> On 02.05.2017 19:27, Piyush Agarwal wrote:
>
>> Ok, I had missed setting the lo up (when charon ran lo was DOWN, not
>> UNKNOWN). So now I make sure "ifconfig lo up" is issued before charon
>> runs. And I do see charon.log mention:
>>
>> 00[KNL] known interfaces and IP addresses:
>> 00[KNL] lo
>> 00[KNL] 127.0.0.1
>> 00[KNL] *1.100.0.5*
>> 00[KNL] ::1
>>
>> But ipsec statusall still reports no listening IP addresses:
>>
>> Status of IKE charon daemon (strongSwan 5.1.2, Linux 4.4.0-72-generic, x86_64):
>>   uptime: 4 minutes, since May 02 10:22:32 2017
>>   malloc: sbrk 2568192, mmap 0, used 331120, free 2237072
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
>>   loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand
>>     random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem
>>     openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve
>>     socket-default stroke updown eap-identity addrblock
>> *Listening IP addresses:*
>> Connections:
>> Security Associations (0 up, 0 connecting):
>>   none
>>
>> On Tue, May 2, 2017 at 10:13 AM, Piyush Agarwal <agarwalpiy...@gmail.com> wrote:
>>
>>     Noel,
>>     Thanks for pointing out my mistake -- my bad, I should have read the
>>     ipsec.conf carefully.
>>
>>     Having said that, I have now specified "lo" as the
>>     charon.interfaces_use and I see it is NOT finding an IP address that
>>     the lo has for listening on.
>>
>>     charon {
>>     *    interfaces_use = "lo"*
>>         load_modular = yes
>>         plugins {
>>             include strongswan.d/charon/*.conf
>>         }
>>     }
>>
>>     The charon.log has no interfaces and IP addresses now:
>>
>>     00[KNL] known interfaces and IP addresses:
>>     00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
>>
>>     I was expecting it to listen on 1.100.0.5 given lo has that IP
>>     address.
>>
>>     1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state *UNKNOWN* group default qlen 1
>>         link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>         inet 127.0.0.1/8 scope host lo
>>            valid_lft forever preferred_lft forever
>>         inet *1.100.0.5*/32 scope global lo
>>            valid_lft forever preferred_lft forever
>>         inet6 ::1/128 scope host
>>            valid_lft forever preferred_lft forever
>>
>>     Could one not specify "lo" as the charon.interfaces_use? Could it be
>>     because of the state the interface is in? It is strange that charon
>>     didn't find ANY ip for the loopback (not even 127.0.0.1). Any help
>>     for debugging would be great. Thanks.
>>
>>     On Mon, May 1, 2017 at 8:03 PM, Piyush Agarwal <agarwalpiy...@gmail.com> wrote:
>>
>>         I don't see any loopback addresses listed in the "known
>>         interfaces":
>>
>>         8150 00[KNL] known interfaces and IP addresses:
>>         8151 00[KNL] p2p1
>>         8152 00[KNL] 169.x.x.x
>>         8153 00[KNL] fe80:::4ae5
>>
>>         where p2p1 interface has an internal 169 IP, not the one I
>>         want to listen on. The IP I want to listen on is actually on
>>         the lo interface:
>>
>>         ip -d addr show lo | grep 104.100.x.x
>>             inet 104.100.x.x/32 scope global lo
>>
>>         Not that it should matter, but all this is being done inside
>>         an ip/mininet network namespace.
>>
>>         Thanks.
>>         Piyush
>>
>>         On Mon, May 1, 2017 at 4:13 PM, Piyush Agarwal <agarwalpiy...@gmail.com> wrote:
>>
>>             Hi,
>>             I am using strongswan 5.1.2 on Ubuntu 14.04 and I need
>>             to specify the IP address on which to listen. I found
>>             some ipsec.conf manpages
>>             (https://linux.die.net/man/5/ipsec.conf) which suggest
>>             a config item "listen", but strongswan 5.1.2 at least
>>             doesn't seem to have this option.
>>
>>             Is there not a way to specify the listen IP address? In
>>             my case, this IP address is actually on the loopback
>>             interface. As long as I can specify the listen
>>             interface, I should be fine.
>>
>>             config setup
>>             *    listen=10.100.0.5*
>>
>>             conn %default
>>                 ikelifetime=60m
>>                 keylife=20m
>>                 rekeymargin=3m
>>                 keyingtries=1
>>                 keyexchange=ikev2
>>                 authby=rsasig
>>
>>             conn 10.10.10.8
>>                 type=transport
>>                 left=10.100.0.5
>>                 leftcert=left.cert
>>                 leftsendcert=always
>>                 rightcert=right.cert
>>                 right=10.10.10.8
>>                 auto=start
>>
>>             */etc/ipsec.conf:7: unknown keyword 'listen' [10.100.0.5]*
>>             *unable to start strongSwan -- fatal errors in config*
>>
>> --
>> Piyush Agarwal
>> Life can only be understood backwards; but it must be lived forwards.
>>
>> _______________________________________________
>> Users mailing list
>> Users@lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.stef...@strongswan.org
> strongSwan - the Open Source VPN Solution!          www.strongswan.org
> Institute for Networked Solutions
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[INS-HSR]==

--
Piyush Agarwal
Life can only be understood backwards; but it must be lived forwards.
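
An added example, not part of the thread and not strongSwan code: a small parser for the `known interfaces and IP addresses` listing that the posters read from charon.log, used to check whether the address charon is expected to use was enumerated at startup. The sample log text is constructed from the excerpts quoted above, and the names `known_interfaces` and `listens_on` are hypothetical.

```python
import ipaddress
import re

# Constructed samples mirroring the charon.log excerpts quoted in the thread.
SAMPLE_OK = """\
00[KNL] known interfaces and IP addresses:
00[KNL]   lo
00[KNL]     127.0.0.1
00[KNL]     1.100.0.5
00[KNL]     ::1
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
"""
# The failure case from the thread: the header is followed by no entries at all.
SAMPLE_EMPTY = """\
00[KNL] known interfaces and IP addresses:
00[LIB] feature PUBKEY:DSA in plugin 'pem' has unmet dependency: PUBKEY:DSA
"""

# Optional leading line number (as in "8150 00[KNL] ..."), thread id, log group.
LINE = re.compile(r"^\s*(?:\d+\s+)?\d+\[(\w+)\]\s*(.*?)\s*$")
HEADER = "known interfaces and IP addresses:"

def known_interfaces(log_text):
    """Return {interface: [ip, ...]} from the last KNL listing in the log."""
    result, current, in_block = {}, None, False
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            in_block = False
            continue
        group, msg = m.groups()
        if group == "KNL" and msg == HEADER:
            result, current, in_block = {}, None, True  # newer listing wins
        elif in_block and group == "KNL" and msg:
            try:
                addr = ipaddress.ip_address(msg)
            except ValueError:
                current = msg              # not an address: an interface name
                result[current] = []
            else:
                if current is not None:
                    result[current].append(str(addr))
        else:
            in_block = False               # first other line ends the listing
    return result

def listens_on(log_text, wanted):
    """True if `wanted` was enumerated under any interface in the listing."""
    target = str(ipaddress.ip_address(wanted))
    return any(target in addrs for addrs in known_interfaces(log_text).values())
```

Entries are classified by whether they parse as an IP address rather than by indentation, so the check also works on log excerpts whose whitespace was lost when pasted into mail.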