strongswan ipsec fails to finish connection (hangs after installing DNS server via resolvconf)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
strongSwan |
New
|
Undecided
|
Unassigned | ||
bind9 (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
resolvconf (Ubuntu) |
New
|
Undecided
|
Unassigned | ||
strongswan (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
as a continuation of https:/
--
this bug report is for the stuck VPN connection issue
Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10.
ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage
A while ago I upgrade to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN.
```
sudo ipsec up <CONNECTION_NAME>
... all the goods happen ...
but near the end:
IKE_SA <CONNECTION_
scheduling reauthentication in 56358s
maximum IKE_SA lifetime 56538s
installing DNS server 192.168.194.20 via resolvconf
installing DNS server 192.168.196.20 via resolvconf
<<HANGS FOREVER>>
```
while in this state, we see:
```
sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64):
uptime: 6 minutes, since Aug 09 10:03:04 2018
malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-
Listening IP addresses:
1.0.0.6
192.168.130.9
192.168.140.17
192.168.130.14
192.168.140.2
192.168.130.13
192.168.130.15
192.168.130.16
192.168.130.8
172.17.0.1
192.168.122.1
Connections:
<SITE_
<SITE_
<SITE_
<SITE_
<SITE_SNIPPED>
<SITE_SNIPPED>
<SITE_SNIPPED>
<SITE_SNIPPED>
Routed Connections:
<SITE_SNIPPED>
<SITE_SNIPPED>
<SITE_
<SITE_
Security Associations (0 up, 0 connecting):
none
```
here are the logs (post-restart of strongswan service)
journalctl --system -u strongswan
```
Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]...
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64)
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module '<name>' lacks library path
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling load-tester plugin, not configured
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv4 routing table rule
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv6 routing table rule
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin: database URI not set
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets from '/etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret for <USER_SNIPPED>
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin: database URI not set
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet file /etc/ipsec.
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql database URI missing
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS server configurations
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses local/remote address
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold configured for systime-fix, disabled
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path unspecified
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker threads
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after 40 ms
Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[
```
---
and when I try to connect:
```
Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke: add connection '<SITE_
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate "/etc/ipsec.
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration '<SITE_
Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke: route '<SITE_
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[
Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[
Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke: add connection '<SITE_
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate "/etc/ipsec.
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration '<SITE_
Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke: route '<SITE_
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[
Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[
```
Hi Fermulator,
while I regularly pick up new strongswan versions I'm not enough of an expert to give good suggestions on what the reason might be.
But fortunately there are often a few community members here using strongswan that can chime in.
Never the less for a technical discussion on the very low details of your connection hang an upstream issue report might be useful.
I'd ask you to report the ID you get here so that we can link it and follow the discussion.
Also include as much of your setup (simplified and stripped of confidential things) to the bug here and there. As it would help a lot if we'd get it to a list of steps to locally reproduce the issue.
Version-wise you said 17.10 was good but in 18.04 it is showing this behavior.
In terms of versions that would be 5.5.1 -> 5.6.2 - maybe that rings a bell for upstream?