Author Topic: Strongswan not starting on 22.1  (Read 5618 times)

jgrande
Strongswan not starting on 22.1
« on: February 01, 2022, 06:59:01 am »
I'm unable to get the strongswan service to start on a clean install of 22.1. I checked the generated config files in /usr/local/etc and they're all installation default (checked ipsec, swanctl, strongswan, including the .d folders). As far as I can tell the config files aren't getting generated. Suspecting a bad option, I reset the IPsec config and set up a tunnel with as many defaults as possible, but it still won't start. The only thing I can find in logs is this:

2022-01-31T22:29:35-07:00 Notice opnsense plugins_configure ipsec (execute task : ipsec_configure_do(1))
2022-01-31T22:29:35-07:00 Notice opnsense plugins_configure ipsec (1)
2022-01-31T22:29:34-07:00 Notice configctl event @ 1643693374.31 exec: system event config_changed

2022-01-31T22:29:37-07:00 Error configd.py [cf9dc8e9-3ecf-49a4-bd81-3361c4e73102] Script action stderr returned "b"connecting to 'unix:///var/run/charon.vici' failed: No such file or directory\nError: connecting to 'default' URI failed: No such file or directory\nstrongSwan 5.9.4 swanctl\nusage:\n swanctl --stats [--raw|--pretty]\n --help (-h) show u""
2022-01-31T22:29:37-07:00 Notice configd.py [cf9dc8e9-3ecf-49a4-bd81-3361c4e73102] request IPsec status
2022-01-31T22:29:35-07:00 Notice configd.py [d90d7a0a-c063-4a0c-8a7d-49f65784b4f2] IPsec config generation
2022-01-31T22:29:34-07:00 Notice configd.py [fd625239-5795-4d32-a6ed-da6d3c5c1fa4] trigger config changed event

I wish I could be more specific but I'm at a loss here. Any help would be appreciated.

dvs999
Re: Strongswan not starting on 22.1
« Reply #1 on: February 02, 2022, 04:01:36 am »
I have the same issue:
2022-02-02T02:52:18 Error configd.py [6816a134-33e6-49aa-a46b-6f6dcd568fb9] Script action stderr returned "b"connecting to 'unix:///var/run/charon.vici' failed: No such file or directory\nError: connecting to 'default' URI failed: No such file or directory\nstrongSwan 5.9.4 swanctl\nusage:\n swanctl --stats [--raw|--pretty]\n --help (-h) show u""

franco
Re: Strongswan not starting on 22.1
« Reply #2 on: February 02, 2022, 07:36:34 am »
It just implies that strongswan isn't creating the socket because it's not running. Does the IPsec log give any hints about this, actually? This would be the first place to look.


Cheers,
Franco

jgrande
Re: Strongswan not starting on 22.1
« Reply #3 on: February 03, 2022, 02:52:43 am »
Unfortunately the IPsec log is completely empty.

jgrande
Re: Strongswan not starting on 22.1
« Reply #4 on: February 03, 2022, 02:57:56 am »
If anyone knows the command to manually start strongswan from the CLI, I could see if I get any errors there.

jgrande
Re: Strongswan not starting on 22.1
« Reply #5 on: February 03, 2022, 06:07:09 am »
I can't find an ipsec/strongswan/charon log in /var/log:
audit           dhcpd           lighttpd        ntpd            qemu-ga.log     routing         userlog         utx.log
configd         filter          ntp             portalauth      resolver        system          utx.lastlogin

Since most of the other services are using config files in the /var tree, I checked everywhere in the /var tree and I cannot find any ipsec/strongswan/charon config files at all.

franco
Re: Strongswan not starting on 22.1
« Reply #6 on: February 03, 2022, 07:34:28 am »
Doesn't seem to start at all. Can you run this manually? Here's what happens on my side:

# /usr/local/sbin/ipsec start
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Starting strongSwan 5.9.4 IPsec [starter]...
no files found matching '/usr/local/etc/ipsec.opnsense.d/*.conf'
# pgrep charon
74259


Cheers,
Franco

jgrande
Re: Strongswan not starting on 22.1
« Reply #7 on: February 03, 2022, 07:54:22 am »
# /usr/local/sbin/ipsec start
Starting strongSwan 5.9.4 IPsec [starter]...
# pgrep charon
8465

franco
Re: Strongswan not starting on 22.1
« Reply #8 on: February 03, 2022, 08:25:14 am »
Funny, it should have logs as it started now?


Cheers,
Franco

jgrande
Re: Strongswan not starting on 22.1
« Reply #9 on: February 05, 2022, 08:45:38 pm »
After a clean install I got logging to work. Now the problem is it does not automatically start and the config files are still empty. For example /usr/local/etc/ipsec.secrets doesn't contain any of the PSKs I entered from web UI.

<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="25"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="26"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="27"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="28"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="29"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="30"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="31"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="32"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="33"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="34"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="35"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="36"] 00[KNL] unable to set UDP_ENCAP: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="37"] 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="38"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="39"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="40"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="41"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="42"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="43"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="44"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="45"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="46"] 00[JOB] spawning 16 worker threads

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64):
  uptime: 7 seconds, since Feb 05 12:30:39 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  162.x.y.z
Connections:
Security Associations (0 up, 0 connecting):
  none

franco
Re: Strongswan not starting on 22.1
« Reply #10 on: February 07, 2022, 11:20:04 am »
Just a guess:

https://github.com/opnsense/changelog/blob/70cd791f0528f26d2e804601f1eb6f55c384d3b7/community/22.1/22.1#L191


Cheers,
Franco

lirees
Re: Strongswan not starting on 22.1
« Reply #11 on: March 13, 2022, 11:45:10 am »
I have the same problem. I have tried to install OPNsense from scratch but the error persists.

Have you solved it?

Thanks

schnipp
Re: Strongswan not starting on 22.1
« Reply #12 on: March 13, 2022, 01:08:53 pm »
Please, don't check the file "/var/log/ipsec.log", this is not used anymore. Instead, have a look into the directory "/var/log/ipsec".
OPNsense 23.1.5_4-amd64

proctor
Re: Strongswan not starting on 22.1
« Reply #13 on: March 26, 2022, 12:11:36 pm »
Quote from: franco on February 07, 2022, 11:20:04 am
Just a guess:

https://github.com/opnsense/changelog/blob/70cd791f0528f26d2e804601f1eb6f55c384d3b7/community/22.1/22.1#L191

Could you please explain in more detail, or point me in the right direction for a solution? Thanks a lot! ::)

I have a couple of running OPNsense instances, last updated today to 22.1.4_1 with no issue on this. Today I also set up a new device with 22.1.4_1 and imported a base config with no IPsec peers. While trying to set up the first peer, I noticed there was no strongswan service running. If I start ipsec at the command line, I get the following log:

# /var/log/ipsec/ipsec_20220326.log
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="1"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="2"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="3"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="4"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="5"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="6"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="7"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="8"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="9"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="10"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="11"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="12"] 00[KNL] unable to set UDP_ENCAP: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="13"] 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="14"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="15"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="16"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="17"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="18"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="19"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="20"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="21"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="22"] 00[JOB] spawning 16 worker threads

and the following status info:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64):
  uptime: 22 seconds, since Mar 26 11:51:28 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  217.110.x.x
  10.4.0.129
  10.0.1.129
  10.4.4.1
Connections:
Security Associations (0 up, 0 connecting):
  none
« Last Edit: March 26, 2022, 12:27:45 pm by proctor »

proctor
Re: Strongswan not starting on 22.1
« Reply #14 on: March 29, 2022, 12:55:57 pm »
Quote
Today I also set up a new device with 22.1.4_1 and imported a base config with no IPsec peers. While trying to set up the first peer, I noticed there was no strongswan service running.

Shame on me. "Enable IPsec" was not checked...
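A diagnostic checklist that walks the checks this thread arrived at in order: is charon running, is the VICI socket there, did the GUI actually generate ipsec.secrets, and is there a log under /var/log/ipsec rather than the old ipsec.log. This is an added example, not code from the thread or from the OPNsense project; the function names and the ipsec_diag.sh file name are my own, the paths are the ones quoted in the replies, and each function accepts a path argument so it can be run against a constructed test tree.

```shell
#!/bin/sh
# Added diagnostic checklist (not from the thread or OPNsense). Each function
# defaults to the 22.1 path quoted in the thread and accepts an override so the
# checks can be exercised offline against a constructed directory.

# The swanctl error in the first post only means the VICI socket is absent,
# which in turn means charon is not running (reply #2).
is_vici_connect_error() {
    printf '%s\n' "$1" | grep -q "connecting to 'unix:///var/run/charon.vici' failed"
}

charon_running() { pgrep charon >/dev/null 2>&1; }

vici_socket_present() { [ -S "${1:-/var/run/charon.vici}" ]; }

# An ipsec.secrets with no non-comment lines (reply #9) means the web UI never
# generated a config; in this thread that was "Enable IPsec" being unchecked.
secrets_generated() {
    f="${1:-/usr/local/etc/ipsec.secrets}"
    [ -f "$f" ] && grep -Eqv '^[[:space:]]*(#|$)' "$f"
}

# Newest per-day log under /var/log/ipsec; /var/log/ipsec.log is unused (reply #12).
latest_ipsec_log() {
    d="${1:-/var/log/ipsec}"
    [ -d "$d" ] || return 1
    ls -1 "$d"/ipsec_*.log 2>/dev/null | sort | tail -n 1 | grep .
}

ipsec_diagnose() {
    charon_running && echo "charon: running" \
        || echo "charon: NOT running (check Enable IPsec, then /usr/local/sbin/ipsec start)"
    vici_socket_present && echo "vici socket: present" \
        || echo "vici socket: missing (expected while charon is down)"
    secrets_generated && echo "ipsec.secrets: populated" \
        || echo "ipsec.secrets: empty, config was not generated from the GUI"
    log=$(latest_ipsec_log) && echo "latest log: $log" \
        || echo "no logs under /var/log/ipsec"
}

# Invoke as: sh ipsec_diag.sh run
if [ "${1:-}" = "run" ]; then ipsec_diagnose; fi
```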
