Strongswan not starting on 22.1

[jgrande]

I'm unable to get the strongswan service to start on a clean install of 22.1. I checked the generated config files in /usr/local/etc and they're all installation default (checked ipsec, swanctl, strongswan, including the .d folders). As far as I can tell the config files aren't getting generated. Suspecting a bad option, I reset the IPsec config and set up a tunnel with as many defaults as possible, but it still won't start. The only thing I can find in logs is this:

Code: [Select]

2022-01-31T22:29:35-07:00 Notice opnsense plugins_configure ipsec (execute task : ipsec_configure_do(1))
2022-01-31T22:29:35-07:00 Notice opnsense plugins_configure ipsec (1)
2022-01-31T22:29:34-07:00 Notice configctl event @ 1643693374.31 exec: system event config_changed

2022-01-31T22:29:37-07:00 Error configd.py [cf9dc8e9-3ecf-49a4-bd81-3361c4e73102] Script action stderr returned "b"connecting to 'unix:///var/run/charon.vici' failed: No such file or directory\nError: connecting to 'default' URI failed: No such file or directory\nstrongSwan 5.9.4 swanctl\nusage:\n swanctl --stats [--raw|--pretty]\n --help (-h) show u""
2022-01-31T22:29:37-07:00 Notice configd.py [cf9dc8e9-3ecf-49a4-bd81-3361c4e73102] request IPsec status
2022-01-31T22:29:35-07:00 Notice configd.py [d90d7a0a-c063-4a0c-8a7d-49f65784b4f2] IPsec config generation
2022-01-31T22:29:34-07:00 Notice configd.py [fd625239-5795-4d32-a6ed-da6d3c5c1fa4] trigger config changed event

I with I could be more specific but I'm at a loss here. Any help would be appreciated.

[dvs999]

I have the same issue:-

Code: [Select]

2022-02-02T02:52:18 Error configd.py [6816a134-33e6-49aa-a46b-6f6dcd568fb9] Script action stderr returned "b"connecting to 'unix:///var/run/charon.vici' failed: No such file or directory\nError: connecting to 'default' URI failed: No such file or directory\nstrongSwan 5.9.4 swanctl\nusage:\n swanctl --stats [--raw|--pretty]\n --help (-h) show u""

[franco]

It just implies that strongswan isn't creating the socket because it's not running. Does the IPsec log give any hints to this actually? This would be the first place to look at.


Cheers,
Franco

[jgrande]

Unfortunately the IPsec log is completely empty.

[jgrande]

If anyone knows the command to manually start strongswan from the CLI, I could see if I get any errors there.

[jgrande]

I can't find an ipsec/strongswan/charon log in /var/log:
audit           dhcpd           lighttpd        ntpd            qemu-ga.log     routing         userlog         utx.log
configd         filter          ntp             portalauth      resolver        system          utx.lastlogin

Since most of the other services are using config files in the /var tree, I checked everywhere in the /var tree and I can not find any ipsec/strongswan/charon config files at all.

[franco]

Doesn't seem to start at all. Can you run this manually? Here's what happens on my side:

# /usr/local/sbin/ipsec start
no files found matching '/usr/local/etc/strongswan.opnsense.d/*.conf'
Starting strongSwan 5.9.4 IPsec [starter]...
no files found matching '/usr/local/etc/ipsec.opnsense.d/*.conf'
# pgrep charon
74259


Cheers,
Franco

[jgrande]

# /usr/local/sbin/ipsec start
Starting strongSwan 5.9.4 IPsec [starter]...
# pgrep charon
8465

[franco]

Funny, it should have logs as it started now?


Cheers,
Franco

[jgrande]

After a clean install I got logging to work. Now the problem is it does not automatically start and the config files are still empty. For example /usr/local/etc/ipsec.secrets doesn't contain any of the PSKs I entered from web UI.

Code: [Select]

<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="25"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="26"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="27"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="28"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="29"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="30"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="31"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="32"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="33"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="34"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="35"] 00[NET] installing IKE bypass policy failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="36"] 00[KNL] unable to set UDP_ENCAP: Protocol not available
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="37"] 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="38"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="39"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="40"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="41"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="42"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="43"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="44"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="45"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-02-05T11:52:14-07:00 gw.home.jxa.ca charon 62682 - [meta sequenceId="46"] 00[JOB] spawning 16 worker threads

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.4, FreeBSD 13.0-STABLE, amd64):
  uptime: 7 seconds, since Feb 05 12:30:39 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  162.x.y.z
Connections:
Security Associations (0 up, 0 connecting):
  none


[franco]

Just a guess:

https://github.com/opnsense/changelog/blob/70cd791f0528f26d2e804601f1eb6f55c384d3b7/community/22.1/22.1#L191


Cheers,
Franco

[lirees]

i have the same problem, i have try to install opnsense from scratch but the error persist

have you solved ?

thanks

[schnipp]

Please, don't check the file "/var/log/ipsec.log", this is not used anymore. Instead, have a look into the directory "/var/log/ipsec".

[proctor]

Just a guess:

https://github.com/opnsense/changelog/blob/70cd791f0528f26d2e804601f1eb6f55c384d3b7/community/22.1/22.1#L191

Could you please explain more detailed, or point me to the right direction for a solution? - Thanks a lot!

I have a couple of running opnsense, last updated today to 22.1.4_1 with no issue on this. Today i also set up a new device with 22.1.4_1 and imported a base config with no ipsec peers. While trying to set up the first peer, i recognized, there is no service strongswan running. If i start ipsec at commandline, i get the following log:

Code: [Select]

# /var/log/ipsec/ipsec_20220326.log
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="1"] 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64)
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="2"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="3"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="4"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="5"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="6"] 00[KNL] unable to set UDP_ENCAP: Invalid argument
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="7"] 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="8"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="9"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="10"] 00[KNL] unable to set IPSEC_POLICY on socket: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="11"] 00[NET] installing IKE bypass policy failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="12"] 00[KNL] unable to set UDP_ENCAP: Protocol not available
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="13"] 00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="14"] 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="15"] 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="16"] 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="17"] 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="18"] 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="19"] 00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="20"] 00[CFG] loaded 0 RADIUS server configurations
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="21"] 00[LIB] loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
<30>1 2022-03-26T11:30:16+01:00 GW04A.occami.infra charon 71319 - [meta sequenceId="22"] 00[JOB] spawning 16 worker threads

and the following status info:

Code: [Select]

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, FreeBSD 13.0-STABLE, amd64):
  uptime: 22 seconds, since Mar 26 11:51:28 2022
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf curve25519 xcbc cmac hmac gcm drbg attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam whitelist addrblock counters
Listening IP addresses:
  192.168.1.1
  217.110.x.x
  10.4.0.129
  10.0.1.129
  10.4.4.1
Connections:
Security Associations (0 up, 0 connecting):
  none


[proctor]

Today i also set up a new device with 22.1.4_1 and imported a base config with no ipsec peers. While trying to set up the first peer, i recognized, there is no service strongswan running.

Shame on me. - Enable IPsec was not checked...