Discussion:
[strongSwan] openvz vps error on strongwan kernel-libipsec
jeffrey buan
2015-07-08 23:47:18 UTC
I managed to put my ipsec/xauth-psk server on my VPS. The client connects and
can ping the server but not the internet, even with iptables -snat. Then I read
about compiling strongSwan with kernel-libipsec, but I can't run it
successfully. Here's my log:
0[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 2.6.32-042stab093.4, x86_64)
00[LIB] failed to open /dev/net/tun: Operation not permitted
00[KNL] failed to create TUN device
00[LIB] plugin 'kernel-libipsec': failed to load - kernel_libipsec_plugin_create returned NULL
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for 176.126.243.160 %any
00[CFG] loaded EAP secret for jef
00[CFG] loaded EAP secret for lei
00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
00[JOB] spawning 16 worker threads
08[DMN] thread 8 received 11
09[DMN] thread 9 received 11
10[DMN] thread 10 received 11
08[LIB] dumping 7 stack frame addresses:
08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f773f463000 [0x7f773f473340]
09[LIB] dumping 7 stack frame addresses:
09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f773f463000 [0x7f773f473340]
10[LIB] dumping 7 stack frame addresses:
10[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f773f463000 [0x7f773f473340]
12[CFG] received stroke: add connection 'ios'
12[CFG] left nor right host is our side, assuming left=local
12[CFG] adding virtual IP address pool 10.7.0.2/24
12[CFG] added configuration 'ios'
09[LIB] -> ??:?
09[LIB] /usr/local/lib/ipsec/libipsec.so.0 @ 0x7f773b092000 [0x7f773b095c7b]
08[LIB] -> ??:?
08[LIB] /usr/local/lib/ipsec/libipsec.so.0 @ 0x7f773b092000 [0x7f773b0951ae]
10[LIB] -> ??:?
10[LIB] /usr/local/lib/ipsec/libipsec.so.0 @ 0x7f773b092000 [0x7f773b09603b]
08[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libipsec/ipsec_event_relay.c:114
08[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb3341e]
09[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libipsec/ipsec_processor.c:99
09[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb3341e]
10[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libipsec/ipsec_processor.c:196
10[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb3341e]
08[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/processing/jobs/callback_job.c:78
08[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb33cb2]
09[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/processing/jobs/callback_job.c:78
09[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb33cb2]
10[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/processing/jobs/callback_job.c:78
10[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb33cb2]
08[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/processing/processor.c:235
08[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb436c8]
10[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/processing/processor.c:235
10[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb436c8]
09[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/processing/processor.c:235
09[LIB] /usr/local/lib/ipsec/libstrongswan.so.0 @ 0x7f773fb06000 [0x7f773fb436c8]
08[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/threading/thread.c:304 (discriminator 2)
08[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f773f463000 [0x7f773f46b182]
10[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/threading/thread.c:304 (discriminator 2)
10[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f773f463000 [0x7f773f46b182]
09[LIB] -> /usr/src/strongswan/strongswan-5.3.2/src/libstrongswan/threading/thread.c:304 (discriminator 2)
09[LIB] /lib/x86_64-linux-gnu/libpthread.so.0 @ 0x7f773f463000 [0x7f773f46b182]
08[LIB] -> ??:?
08[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f773f09e000 (clone+0x6d) [0x7f773f19847d]
10[LIB] -> ??:?
10[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f773f09e000 (clone+0x6d) [0x7f773f19847d]
09[LIB] -> ??:?
09[LIB] /lib/x86_64-linux-gnu/libc.so.6 @ 0x7f773f09e000 (clone+0x6d) [0x7f773f19847d]
08[LIB] -> ??:?
10[LIB] -> ??:?
09[LIB] -> ??:?
10[DMN] killing ourself, received critical signal
Zhuyj
2015-07-09 01:29:01 UTC
Root run

Sent from my iPhone
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
jeffrey buan
2015-07-09 04:43:18 UTC
I'm on root already
***@1082-6449-2605:~# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.2 IPsec [starter]...
Tobias Brunner
2015-07-09 08:27:19 UTC
Hi,
Post by jeffrey buan
00[LIB] failed to open /dev/net/tun: Operation not permitted
00[KNL] failed to create TUN device
Looks like your user or VPS is not allowed to create TUN devices,
kernel-libipsec won't work without this.
Post by jeffrey buan
08[DMN] thread 8 received 11
09[DMN] thread 9 received 11
10[DMN] thread 10 received 11
These threads all cause a segmentation fault when they try to access
their respective blocking queue instance. Perhaps your build is
inconsistent (e.g. an older version of libstrongswan mixed with a newer
build of libipsec). You could try running strongSwan in GDB (e.g. via
`ipsec start --attach-gdb`) to find out more. Also try uninstalling any
previously installed versions of strongSwan.

Regards,
Tobias
jeffrey buan
2015-07-09 08:49:52 UTC
Hi Tobias
Thanks, that did it. I forgot to enable TUN on my VPS panel and now it works
great.
One more question. I can connect my iOS devices with user/pass without
importing cert/pem, and it's more convenient for me and my family.
If I want to add some users using Windows with user/password auth only,
is there a way I can add L2TP/IPsec in ipsec.conf?
Hi Dan,
After doing some research it looks like I need to use the libipsec
plugin.
Is that correct?
Not necessarily (it's usually preferable to use the kernel's IPsec
stack). Perhaps you just need to load some missing kernel module (see
[1]) or change your ESP proposal because the kernel perhaps does not
support one of the negotiated algorithms.
I see two configuration options: --enable-kernel-libipsec and the
--enable-libipsec.
What's the difference and are they configured differently?
libipsec is the actual userland IPsec implementation, the
kernel-libipsec plugin is the middleware between IKE daemon and
libipsec. Enabling kernel-libipsec automatically enables libipsec.
Regards,
Tobias
[1] https://wiki.strongswan.org/projects/strongswan/wiki/KernelModules