OPNsense Forum
Archive => 22.1 Legacy Series => Topic started by: jgrande on February 01, 2022, 06:59:01 am
-
I'm unable to get the strongswan service to start on a clean install of 22.1. I checked the generated config files in /usr/local/etc and they're all installation default (checked ipsec, swanctl, strongswan, including the .d folders). As far as I can tell the config files aren't getting generated. Suspecting a bad option, I reset the IPsec config and set up a tunnel with as many defaults as possible, but it still won't start. The only thing I can find in logs is this:
2022-01-31T22:29:35-07:00 Notice opnsense plugins_configure ipsec (execute task : ipsec_configure_do(1))
2022-01-31T22:29:35-07:00 Notice opnsense plugins_configure ipsec (1)
2022-01-31T22:29:34-07:00 Notice configctl event @ 1643693374.31 exec: system event config_changed
2022-01-31T22:29:37-07:00 Error configd.py [cf9dc8e9-3ecf-49a4-bd81-3361c4e73102] Script action stderr returned "b"connecting to 'unix:///var/run/charon.vici' failed: No such file or directory\nError: connecting to 'default' URI failed: No such file or directory\nstrongSwan 5.9.4 swanctl\nusage:\n swanctl --stats [--raw|--pretty]\n --help (-h) show u""
2022-01-31T22:29:37-07:00 Notice configd.py [cf9dc8e9-3ecf-49a4-bd81-3361c4e73102] request IPsec status
2022-01-31T22:29:35-07:00 Notice configd.py [d90d7a0a-c063-4a0c-8a7d-49f65784b4f2] IPsec config generation
2022-01-31T22:29:34-07:00 Notice configd.py [fd625239-5795-4d32-a6ed-da6d3c5c1fa4] trigger config changed event
I wish I could be more specific, but I'm at a loss here. Any help would be appreciated.
-
I have the same issue:
2022-02-02T02:52:18 Error configd.py [6816a134-33e6-49aa-a46b-6f6dcd568fb9] Script action stderr returned "b"connecting to 'unix:///var/run/charon.vici' failed: No such file or directory\nError: connecting to 'default' URI failed: No such file or directory\nstrongSwan 5.9.4 swanctl\nusage:\n swanctl --stats [--raw|--pretty]\n --help (-h) show u""
-
It just implies that strongswan isn't creating the socket because it's not running. Does the IPsec log give any hints to this actually? This would be the first place to look at.
Cheers,
Franco
-
Unfortunately the IPsec log is completely empty.
-
If anyone knows the command to manually start strongswan from the CLI, I could see if I get any errors there.
-
I can't find an ipsec/strongswan/charon log in /var/log:
audit dhcpd lighttpd ntpd qemu-ga.log routing userlog utx.log
configd filter ntp portalauth resolver system utx.lastlogin
Since most of the other services are using config files in the /var tree, I checked everywhere in the /var tree and I can not find any ipsec/strongswan/charon config files at all.
-
Doesn't seem to start at all. Can you run this manually? Here's what happens on my side:
# /usr/local/sbin/ipsec start
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Starting strongSwan 5.9.4 IPsec [starter]...
no files found matching '/usr/local/etc/ipsec.opnsense.d/*.conf'
# pgrep charon
74259
Cheers,
Franco
-
# /usr/local/sbin/ipsec start
Starting strongSwan 5.9.4 IPsec [starter]...
# pgrep charon
8465
-
Funny, it should have logs as it started now?
Cheers,
Franco
-
After a clean install I got logging to work. Now the problem is it does not automatically start and the config files are still empty. For example /usr/local/etc/ipsec.secrets doesn't contain any of the PSKs I entered from web UI.
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="25"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="26"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="27"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="28"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="29"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="30"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="31"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="32"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="33"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="34"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="35"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="36"] 00[KNL] unable to set UDP_ENCAP: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="37"] 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="38"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="39"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="40"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="41"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="42"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="43"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="44"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="45"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="46"] 00[JOB] spawning 16 worker threads
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64):
uptime: 7 seconds, since Feb 05 12:30:39 2022
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
192.168.1.1
162.x.y.z
Connections:
Security Associations (0 up, 0 connecting):
none
-
Just a guess:
https://github.com/opnsense/changelog/blob/70cd791f0528f26d2e804601f1eb6f55c384d3b7/community/22.1/22.1#L191
Cheers,
Franco
-
I have the same problem. I have tried to install OPNsense from scratch, but the error persists.
Have you solved it?
Thanks
-
Please, don't check the file "/var/log/ipsec.log", this is not used anymore. Instead, have a look into the directory "/var/log/ipsec".
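The checks raised so far in this thread (Franco's manual start and pgrep, the empty ipsec.secrets, and the /var/log/ipsec directory mentioned above) collected into one script. This is an added example, not code from OPNsense or any poster; it takes an optional root directory so the same checks can be run against a constructed tree, and the config.xml `<ipsec><enable>` check is an assumption about how the "Enable IPsec" checkbox is stored.

```shell
# Checks for the symptom in this thread: swanctl cannot reach charon's VICI
# socket, no charon process, and the GUI-generated config files stay empty.
# Optional argument: a root directory for running against a constructed tree.
ipsec_diag() {
    root="${1:-}"
    fails=0
    # 1. The socket swanctl complained about ("No such file or directory").
    if [ -e "$root/var/run/charon.vici" ]; then
        echo "ok:   VICI socket present"
    else
        echo "FAIL: /var/run/charon.vici missing -> charon is not running"
        fails=$((fails + 1))
    fi
    # 2. Live system only: is a charon process present at all?
    [ -n "$root" ] || pgrep charon >/dev/null || echo "WARN: no charon process (try: /usr/local/sbin/ipsec start)"
    # 3. Fragments the GUI generates ("no files found matching ..." on start).
    for d in /usr/local/etc/strongswan.opnsense.d /usr/local/etc/ipsec.opnsense.d; do
        n=$(find "$root$d" -maxdepth 1 -name '*.conf' 2>/dev/null | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            echo "ok:   $n .conf file(s) in $d"
        else
            echo "FAIL: no *.conf in $d -> config was not generated"
            fails=$((fails + 1))
        fi
    done
    # 4. ipsec.secrets should carry the PSKs entered in the GUI.
    if [ -s "$root/usr/local/etc/ipsec.secrets" ]; then
        echo "ok:   ipsec.secrets is non-empty"
    else
        echo "FAIL: ipsec.secrets missing or empty"
        fails=$((fails + 1))
    fi
    # 5. Logs now live under /var/log/ipsec/, not in /var/log/ipsec.log.
    if [ -n "$(ls -A "$root/var/log/ipsec" 2>/dev/null)" ]; then
        echo "ok:   /var/log/ipsec has log files"
    else
        echo "FAIL: /var/log/ipsec is empty -> charon never logged a start"
        fails=$((fails + 1))
    fi
    # 6. Assumption: "Enable IPsec" is stored as <ipsec><enable>1</enable> in /conf/config.xml.
    if sed -n '/<ipsec>/,/<\/ipsec>/p' "$root/conf/config.xml" 2>/dev/null \
            | grep -q '<enable>1</enable>'; then
        echo "ok:   IPsec is enabled in config.xml"
    else
        echo "FAIL: IPsec not enabled (Enable IPsec checkbox on the tunnel settings page)"
        fails=$((fails + 1))
    fi
    return "$fails"
}
```

The exit status is the number of failed checks, so `ipsec_diag; echo $?` on a box gives a quick count, and the FAIL lines say which of the thread's symptoms apply.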
-
Just a guess:
https://github.com/opnsense/changelog/blob/70cd791f0528f26d2e804601f1eb6f55c384d3b7/community/22.1/22.1#L191
Could you please explain in more detail, or point me in the right direction for a solution? Thanks a lot! ::)
I have a couple of OPNsense instances running, last updated today to 22.1.4_1, with no issue on this. Today I also set up a new device with 22.1.4_1 and imported a base config with no IPsec peers. While trying to set up the first peer, I noticed there is no strongswan service running. If I start ipsec on the command line, I get the following log:
# /var/log/ipsec/ipsec_20220326.log
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="1"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="2"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="3"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="4"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="5"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="6"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="7"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="8"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="9"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="10"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="11"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="12"] 00[KNL] unable to set UDP_ENCAP: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="13"] 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="14"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="15"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="16"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="17"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="18"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="19"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="20"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="21"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="22"] 00[JOB] spawning 16 worker threads
and the following status info:
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64):
uptime: 22 seconds, since Mar 26 11:51:28 2022
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
192.168.1.1
217.110.x.x
10.4.0.129
10.0.1.129
10.4.4.1
Connections:
Security Associations (0 up, 0 connecting):
none
-
Today I also set up a new device with 22.1.4_1 and imported a base config with no IPsec peers. While trying to set up the first peer, I noticed there is no strongswan service running.
Shame on me. - Enable IPsec was not checked...
-
Hi,
Any solution to this? I just created a new OPNsense install and am trying to set up a s2s IPsec connection. Starting ipsec by hand tells me there is no configuration file matching "/usr/local/etc/strongswan.opnsense.d/*.conf". The log is completely empty.
I checked the ciphers and I use aes-gcm-256 and sha256, which should be supported on FreeBSD 13.x. This connection was created on the latest version of OPNsense.
-
Any update on this? I upgraded to 22.1 but the IPsec UI is not writing any configuration files.
As a result my connection cannot offer a proposal during the INIT phase.
-
For future readers, my issue was related to IPsec being used with CARP interfaces. This has been patched and will be in the next release cycle.
https://github.com/opnsense/core/commit/4080345a597fbc55c02256996f7ba3ccee78ae49
-
Shame on me. - Enable IPsec was not checked...
The web designer is culpable here. I, having the same problem you had, just spent almost an hour looking for this check box. It's at the bottom of the "tunnel settings" page, which isn't at all obvious.
-
Shame on me. - Enable IPsec was not checked...
Hi !
I was creating an IPSec macOS Mobile setup*, and the same shame: I forgot to turn it on ;-)
*https://github.com/thomergil/opnsense-ipsec-vpn