strongswan.service should be disabled in systemctl (or not?)
https://github.com/vyos/vyos-build/blob/e62acee962eb857267047a5fffa8d3f182eab359/data/live-build-config/hooks/live/18-enable-disable_services.chroot#L53
https://github.com/strongswan/strongswan/discussions/1390
But on a running system it comes up started/active anyway:
```
vyos@r14:~$ sudo systemctl status strongswan.service
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
     Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
     Active: active (running) since Sun 2023-01-08 15:10:21 EET; 14min ago
    Process: 5504 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
    Process: 5989 ExecReload=/usr/sbin/swanctl --reload (code=exited, status=0/SUCCESS)
    Process: 5994 ExecReload=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
   Main PID: 5487 (charon-systemd)
     Status: "charon-systemd running, strongSwan 5.9.8, Linux 5.15.86-amd64-vyos, x86_64"
      Tasks: 17 (limit: 9401)
     Memory: 4.1M
        CPU: 101ms
     CGroup: /system.slice/strongswan.service
             └─5487 /usr/sbin/charon-systemd
```
It overlaps with the charon instance that the VyOS CLI starts itself:
```
vyos@r14:~$ ps ax | grep charon
   5487 ?        Ssl    0:00 /usr/sbin/charon-systemd
   7437 ?        Ss     0:00 /usr/lib/ipsec/starter --daemon charon
   7438 ?        Ssl    0:00 /usr/lib/ipsec/charon --use-syslog
   7482 pts/0    S+     0:00 grep charon
```
As a result IPsec does not work: the CLI-started charon cannot bind its IKE sockets (the systemd instance already holds them), so Phase 1 cannot be established.
```
Jan 08 15:17:57 r14 ipsec_starter[7424]: Starting strongSwan 5.9.8 IPsec [starter]...
Jan 08 15:17:57 r14 sudo[7423]: pam_unix(sudo:session): session closed for user root
Jan 08 15:17:57 r14 charon[7438]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 5.15.86-amd64-vyos, x86_64)
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] PKCS11 module '<name>' lacks library path
Jan 08 15:17:57 r14 charon[7438]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
Jan 08 15:17:57 r14 charon[7438]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Jan 08 15:17:57 r14 charon[7438]: 00[NET] unable to bind socket: Address already in use
Jan 08 15:17:57 r14 charon[7438]: 00[NET] could not open IPv6 socket, IPv6 disabled
Jan 08 15:17:57 r14 charon[7438]: 00[NET] unable to bind socket: Address already in use
Jan 08 15:17:57 r14 charon[7438]: 00[NET] could not open IPv4 socket, IPv4 disabled
Jan 08 15:17:57 r14 charon[7438]: 00[NET] could not create any sockets
Jan 08 15:17:57 r14 charon[7438]: 00[NET] using forecast interface eth0
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] loaded 0 RADIUS server configurations
Jan 08 15:17:57 r14 charon[7438]: 00[CFG] HA config misses local/remote address
Jan 08 15:17:57 r14 charon[7438]: 00[LIB] loaded plugins: charon test-vectors pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire addrblock counters
Jan 08 15:17:57 r14 charon[7438]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 08 15:17:57 r14 charon[7438]: 00[JOB] spawning 16 worker threads
Jan 08 15:17:57 r14 charon[7438]: 03[NET] no socket implementation registered, receiving failed
Jan 08 15:17:57 r14 ipsec_starter[7437]: charon (7438) started after 20 ms
Jan 08 15:18:00 r14 sudo[7456]: vyos : TTY=pts/1 ; PWD=/home/vyos ; USER=root ; COMMAND=/usr/sbin/swanctl -q
Jan 08 15:18:00 r14 sudo[7456]: pam_unix(sudo:session): session opened for user root(uid=0) by vyos(uid=1003)
Jan 08 15:18:00 r14 charon[7438]: 15[CFG] loaded IKE shared key with id 'ike_OFFICE-B' for: '192.0.2.1', '192.0.2.2', '192.0.2.1', '192.0.2.2'
Jan 08 15:18:00 r14 charon[7438]: 07[CFG] loaded IKE shared key with id 'ike_OFFICE-C' for: '203.0.113.1', '203.0.113.2', '203.0.113.1', '203.0.113.2'
Jan 08 15:18:00 r14 charon[7438]: 13[CFG] added vici connection: OFFICE-B
Jan 08 15:18:00 r14 charon[7438]: 13[CFG] initiating 'OFFICE-B-tunnel-0'
Jan 08 15:18:00 r14 charon[7438]: 13[IKE] <OFFICE-B|1> initiating Main Mode IKE_SA OFFICE-B[1] to 192.0.2.2
Jan 08 15:18:00 r14 charon[7438]: 13[ENC] <OFFICE-B|1> generating ID_PROT request 0 [ SA V V V V V ]
Jan 08 15:18:00 r14 charon[7438]: 13[NET] <OFFICE-B|1> sending packet: from 192.0.2.1 to 192.0.2.2[500] (180 bytes)
Jan 08 15:18:00 r14 charon[7438]: 04[NET] no socket implementation registered, sending failed
Jan 08 15:18:00 r14 charon[7438]: 16[CFG] added vici connection: OFFICE-C
Jan 08 15:18:00 r14 charon[7438]: 16[CFG] initiating 'OFFICE-C-tunnel-0'
Jan 08 15:18:00 r14 charon[7438]: 16[IKE] <OFFICE-C|2> initiating Main Mode IKE_SA OFFICE-C[2] to 203.0.113.2
Jan 08 15:18:00 r14 charon[7438]: 16[ENC] <OFFICE-C|2> generating ID_PROT request 0 [ SA V V V V V ]
Jan 08 15:18:00 r14 charon[7438]: 16[NET] <OFFICE-C|2> sending packet: from 203.0.113.1 to 203.0.113.2[500] (180 bytes)
Jan 08 15:18:00 r14 charon[7438]: 04[NET] no socket implementation registered, sending failed
Jan 08 15:18:00 r14 sudo[7456]: pam_unix(sudo:session): session closed for user root
Jan 08 15:18:04 r14 charon[7438]: 09[IKE] <OFFICE-B|1> sending retransmit 1 of request message ID 0, seq 1
Jan 08 15:18:04 r14 charon[7438]: 09[NET] <OFFICE-B|1> sending packet: from 192.0.2.1 to 192.0.2.2[500] (180 bytes)
Jan 08 15:18:04 r14 charon[7438]: 04[NET] no socket implementation registered, sending failed
Jan 08 15:18:04 r14 charon[7438]: 11[IKE] <OFFICE-C|2> sending retransmit 1 of request message ID 0, seq 1
Jan 08 15:18:04 r14 charon[7438]: 11[NET] <OFFICE-C|2> sending packet: from 203.0.113.1 to 203.0.113.2[500] (180 bytes)
Jan 08 15:18:04 r14 charon[7438]: 04[NET] no socket implementation registered, sending failed
```
Output of the operational commands while both daemons are running:

```
vyos@r14:~$ show vpn ipsec sa
Connection    State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------
vyos@r14:~$
vyos@r14:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
203.0.113.2                             203.0.113.1

    State  IKEVer  Encrypt  Hash  D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------  ----  ---------  -----  ------  ------
    down   IKEv1   n/a      n/a   n/a        no     0       0

Peer ID / IP                            Local ID / IP
------------                            -------------
192.0.2.2                               192.0.2.1

    State  IKEVer  Encrypt  Hash  D-H Group  NAT-T  A-Time  L-Time
    -----  ------  -------  ----  ---------  -----  ------  ------
    down   IKEv1   n/a      n/a   n/a        no     0       0
```
Stopping the systemd service fixes the issue; only the CLI-started charon remains and the tunnels come up:
```
vyos@r14:~$ sudo systemctl stop strongswan.service
vyos@r14:~$ ps ax | grep charon
   7625 ?        Ss     0:00 /usr/lib/ipsec/starter --daemon charon
   7626 ?        Ssl    0:00 /usr/lib/ipsec/charon --use-syslog
   8182 pts/0    S+     0:00 grep charon
vyos@r14:~$
vyos@r14:~$ show vpn ipsec sa
Connection         State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------  -------  --------  --------------  ----------------  ----------------  -----------  ---------------------------------------
OFFICE-B-tunnel-0  up       2s        0B/0B           0/0               192.0.2.2         192.0.2.2    AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
OFFICE-C-tunnel-0  up       2s        0B/0B           0/0               203.0.113.2       203.0.113.2  AES_CBC_256/HMAC_SHA2_256_128/MODP_1024
vyos@r14:~$
```
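The failure mode above is easy to miss because `show vpn ike sa` only reports `down` and the real cause sits in the journal. The following health check is an added example, not VyOS or strongSwan code: it counts charon daemons in a `ps` listing (a second instance means strongswan.service and the starter-managed charon are both running) and scans journal lines for the `unable to bind socket` / `no socket implementation registered` messages that the losing instance emits. Without arguments it runs on samples copied from this report; with `--live` it inspects the local host, which assumes `ps`, `systemctl` and `journalctl` are available and that charon logs under the syslog identifiers `charon` and `charon-systemd` (an assumption). The IKE sockets being contended are UDP 500 and 4500, which the journal does not name but which strongSwan binds by default.

```shell
#!/bin/sh
# Added example (not VyOS or strongSwan code): detect a duplicate charon
# instance (charon-systemd from strongswan.service next to the starter-managed
# charon) and the socket-bind failure it causes for the second instance.
#
# No arguments: run against the constructed samples below (copied from the
# report). "--live": inspect this host (assumes ps, systemctl, journalctl).

SAMPLE_PS_BROKEN='   5487 ?        Ssl    0:00 /usr/sbin/charon-systemd
   7437 ?        Ss     0:00 /usr/lib/ipsec/starter --daemon charon
   7438 ?        Ssl    0:00 /usr/lib/ipsec/charon --use-syslog
   7482 pts/0    S+     0:00 grep charon'

SAMPLE_PS_FIXED='   7625 ?        Ss     0:00 /usr/lib/ipsec/starter --daemon charon
   7626 ?        Ssl    0:00 /usr/lib/ipsec/charon --use-syslog
   8182 pts/0    S+     0:00 grep charon'

SAMPLE_LOG_BROKEN='Jan 08 15:17:57 r14 charon[7438]: 00[NET] unable to bind socket: Address already in use
Jan 08 15:17:57 r14 charon[7438]: 00[NET] could not create any sockets
Jan 08 15:18:00 r14 charon[7438]: 04[NET] no socket implementation registered, sending failed'

# Count charon daemons in a ps listing read from stdin. Only the executable
# path is matched (/usr/sbin/charon-systemd, /usr/lib/ipsec/charon), so the
# starter process and the grep line, which carry "charon" only as an
# argument, are not counted.
count_charon_daemons() {
    awk '/\/charon(-systemd)?( |$)/ { n++ } END { print n + 0 }'
}

# Exit 0 when the journal lines on stdin show the bind failure or its
# follow-on symptom (every send/receive failing), exit 1 otherwise.
log_shows_socket_failure() {
    grep -qE 'unable to bind socket: Address already in use|no socket implementation registered'
}

# Verdict from the two observations: prints OK or CONFLICT and returns
# 0 or 1 accordingly. Either signal alone is enough to flag the host.
assess() {
    daemons="$1"        # number of charon daemons seen in ps
    socket_failed="$2"  # 1 if the journal shows the bind failure
    if [ "$daemons" -gt 1 ] || [ "$socket_failed" -eq 1 ]; then
        echo "CONFLICT"
        return 1
    fi
    echo "OK"
    return 0
}

# Replay the report: the broken state before and the state after
# "systemctl stop strongswan.service".
check_samples() {
    broken_daemons=$(printf '%s\n' "$SAMPLE_PS_BROKEN" | count_charon_daemons)
    if printf '%s\n' "$SAMPLE_LOG_BROKEN" | log_shows_socket_failure; then
        broken_log=1
    else
        broken_log=0
    fi
    fixed_daemons=$(printf '%s\n' "$SAMPLE_PS_FIXED" | count_charon_daemons)
    echo "before stop: $broken_daemons charon daemon(s), socket failure=$broken_log -> $(assess "$broken_daemons" "$broken_log")"
    echo "after stop:  $fixed_daemons charon daemon(s), socket failure=0 -> $(assess "$fixed_daemons" 0)"
}

# Inspect the local host. The journal identifiers are an assumption.
check_live() {
    daemons=$(ps ax | count_charon_daemons)
    if journalctl -t charon -t charon-systemd --since=-1h --no-pager 2>/dev/null | log_shows_socket_failure; then
        failed=1
    else
        failed=0
    fi
    echo "strongswan.service: $(systemctl is-active strongswan.service 2>/dev/null || true)"
    echo "charon daemons: $daemons, socket failure in journal: $failed"
    if ! assess "$daemons" "$failed" >/dev/null; then
        echo "CONFLICT: stop and disable strongswan.service so only the CLI-managed charon runs"
        return 1
    fi
    echo "OK"
}

if [ "${1:-}" = "--live" ]; then
    check_live
else
    check_samples
fi
```

Running it without arguments prints `CONFLICT` for the pre-stop sample (two daemons, bind failure logged) and `OK` for the post-stop sample (one daemon). Because the executable path rather than the word `charon` is matched, `/usr/lib/ipsec/starter --daemon charon` does not inflate the count.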