Ubuntu
strongswan package

Bug #1786261
Activity log

Activity log for bug #1786261

Date	Who	What changed	Old value	New value	Message
2018-08-09 14:12:29	fermulator	bug			added bug
2018-08-09 14:13:12	fermulator	description	as a continuation of #1786250 ... (that bug can be focused on the apparmor profile issue in Ubuntu + strongswan) -- this bug report is for the stuck VPN connection issue Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10. ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage A while ago I upgrade to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN. ``` sudo ipsec up <CONNECTION_NAME> ... all the goods happen ... but near the end: IKE_SA <CONNECTION_NAME>[1] established between 1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated, CN=<SNIPPED_HOST>.com] scheduling reauthentication in 56358s maximum IKE_SA lifetime 56538s installing DNS server 192.168.194.20 via resolvconf installing DNS server 192.168.196.20 via resolvconf <<HANGS FOREVER>> ``` while in this state, we see: ``` sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64): uptime: 6 minutes, since Aug 09 10:03:04 2018 malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0 loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters Listening IP addresses: 1.0.0.6 192.168.130.9 192.168.140.17 192.168.130.14 192.168.140.2 192.168.130.13 192.168.130.15 192.168.130.16 192.168.130.8 172.17.0.1 192.168.122.1 Connections: <SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>primary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear <SITE_SNIPPED>secondary: %any...<SITE_SNIPPED>secondary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>secondary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>secondary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>secondary: child: 192.168.130.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear Routed Connections: <SITE_SNIPPED>secondary{2}: ROUTED, TUNNEL, reqid 2 <SITE_SNIPPED>secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 <SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1 <SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 Security Associations (0 up, 0 connecting): none ``` here are the logs (post-restart of strongswan service) Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf. Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64) Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module '<name>' lacks library path Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling load-tester plugin, not configured Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv4 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv6 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/<SNIPPED>-wildca Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from '/etc/ipsec.d/crls' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets from '/etc/ipsec.secrets' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret for <USER_SNIPPED> Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql database URI missing Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS server configurations Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses local/remote address Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold configured for systime-fix, disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path unspecified Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped capabilities, running as uid 0, gid 0 Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker threads Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after 40 ms Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: charon (10474) started after 40 ms --- and when I try to connect: Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke: add connection '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke: route '<SITE_SNIPPED>primary' Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke: add connection '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke: route '<SITE_SNIPPED>secondary' Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]:	as a continuation of https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250 ... (that bug can be focused on the apparmor profile issue in Ubuntu + strongswan) -- this bug report is for the stuck VPN connection issue Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10. ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage A while ago I upgrade to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN. ``` sudo ipsec up <CONNECTION_NAME> ... all the goods happen ... but near the end: IKE_SA <CONNECTION_NAME>[1] established between 1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated, CN=<SNIPPED_HOST>.com] scheduling reauthentication in 56358s maximum IKE_SA lifetime 56538s installing DNS server 192.168.194.20 via resolvconf installing DNS server 192.168.196.20 via resolvconf <<HANGS FOREVER>> ``` while in this state, we see: ``` sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64): uptime: 6 minutes, since Aug 09 10:03:04 2018 malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0 loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters Listening IP addresses: 1.0.0.6 192.168.130.9 192.168.140.17 192.168.130.14 192.168.140.2 192.168.130.13 192.168.130.15 192.168.130.16 192.168.130.8 172.17.0.1 192.168.122.1 Connections: <SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>primary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear <SITE_SNIPPED>secondary: %any...<SITE_SNIPPED>secondary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>secondary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>secondary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>secondary: child: 192.168.130.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear Routed Connections: <SITE_SNIPPED>secondary{2}: ROUTED, TUNNEL, reqid 2 <SITE_SNIPPED>secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 <SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1 <SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 Security Associations (0 up, 0 connecting): none ``` here are the logs (post-restart of strongswan service) Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf. Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64) Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module '<name>' lacks library path Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling load-tester plugin, not configured Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv4 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv6 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/<SNIPPED>-wildca Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from '/etc/ipsec.d/crls' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets from '/etc/ipsec.secrets' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret for <USER_SNIPPED> Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql database URI missing Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS server configurations Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses local/remote address Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold configured for systime-fix, disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path unspecified Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped capabilities, running as uid 0, gid 0 Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker threads Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after 40 ms Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: charon (10474) started after 40 ms --- and when I try to connect: Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke: add connection '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke: route '<SITE_SNIPPED>primary' Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke: add connection '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke: route '<SITE_SNIPPED>secondary' Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]:
2018-08-09 14:22:39	fermulator	description	as a continuation of https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250 ... (that bug can be focused on the apparmor profile issue in Ubuntu + strongswan) -- this bug report is for the stuck VPN connection issue Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10. ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage A while ago I upgrade to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN. ``` sudo ipsec up <CONNECTION_NAME> ... all the goods happen ... but near the end: IKE_SA <CONNECTION_NAME>[1] established between 1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated, CN=<SNIPPED_HOST>.com] scheduling reauthentication in 56358s maximum IKE_SA lifetime 56538s installing DNS server 192.168.194.20 via resolvconf installing DNS server 192.168.196.20 via resolvconf <<HANGS FOREVER>> ``` while in this state, we see: ``` sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64): uptime: 6 minutes, since Aug 09 10:03:04 2018 malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0 loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters Listening IP addresses: 1.0.0.6 192.168.130.9 192.168.140.17 192.168.130.14 192.168.140.2 192.168.130.13 192.168.130.15 192.168.130.16 192.168.130.8 172.17.0.1 192.168.122.1 Connections: <SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>primary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear <SITE_SNIPPED>secondary: %any...<SITE_SNIPPED>secondary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>secondary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>secondary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>secondary: child: 192.168.130.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear Routed Connections: <SITE_SNIPPED>secondary{2}: ROUTED, TUNNEL, reqid 2 <SITE_SNIPPED>secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 <SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1 <SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 Security Associations (0 up, 0 connecting): none ``` here are the logs (post-restart of strongswan service) Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf. Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64) Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module '<name>' lacks library path Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling load-tester plugin, not configured Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv4 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv6 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/<SNIPPED>-wildca Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from '/etc/ipsec.d/crls' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets from '/etc/ipsec.secrets' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret for <USER_SNIPPED> Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql database URI missing Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS server configurations Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses local/remote address Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold configured for systime-fix, disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path unspecified Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped capabilities, running as uid 0, gid 0 Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker threads Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after 40 ms Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: charon (10474) started after 40 ms --- and when I try to connect: Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke: add connection '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke: route '<SITE_SNIPPED>primary' Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke: add connection '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke: route '<SITE_SNIPPED>secondary' Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]:	as a continuation of https://bugs.launchpad.net/ubuntu/+source/strongswan/+bug/1786250 ... (that bug can be focused on the apparmor profile issue in Ubuntu + strongswan) -- this bug report is for the stuck VPN connection issue Used to work fine in Ubuntu 16.04 LTS, and Ubuntu 17.10. ii strongswan 5.6.2-1ubuntu2 all IPsec VPN solution metapackage A while ago I upgrade to 18.04 LTS and had consistent issues with strongswan ipsec connectivity VPN. ``` sudo ipsec up <CONNECTION_NAME> ... all the goods happen ... but near the end: IKE_SA <CONNECTION_NAME>[1] established between 1.0.0.6[<USER_SNIPPED>]...64.7.137.180[OU=Domain Control Validated, CN=<SNIPPED_HOST>.com] scheduling reauthentication in 56358s maximum IKE_SA lifetime 56538s installing DNS server 192.168.194.20 via resolvconf installing DNS server 192.168.196.20 via resolvconf <<HANGS FOREVER>> ``` while in this state, we see: ``` sudo ipsec statusall Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64): uptime: 6 minutes, since Aug 09 10:03:04 2018 malloc: sbrk 3403776, mmap 532480, used 1301456, free 2102320 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0 loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters Listening IP addresses: 1.0.0.6 192.168.130.9 192.168.140.17 192.168.130.14 192.168.140.2 192.168.130.13 192.168.130.15 192.168.130.16 192.168.130.8 172.17.0.1 192.168.122.1 Connections: <SITE_SNIPPED>primary: %any...<SITE_SNIPPED>primary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>primary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>primary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>primary: child: 192.168.140.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear <SITE_SNIPPED>secondary: %any...<SITE_SNIPPED>secondary.<SNIPPED>.com IKEv2, dpddelay=30s <SITE_SNIPPED>secondary: local: [<USER_SNIPPED>] uses EAP_MSCHAPV2 authentication <SITE_SNIPPED>secondary: remote: [OU=Domain Control Validated, CN=<SNIPPED>.com] uses public key authentication <SITE_SNIPPED>secondary: child: 192.168.130.0/24 === 192.168.128.0/17 10.0.0.0/8 172.16.0.0/12 TUNNEL, dpdaction=clear Routed Connections: <SITE_SNIPPED>secondary{2}: ROUTED, TUNNEL, reqid 2 <SITE_SNIPPED>secondary{2}: 192.168.130.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 <SITE_SNIPPED>primary{1}: ROUTED, TUNNEL, reqid 1 <SITE_SNIPPED>primary{1}: 192.168.140.0/24 === 10.0.0.0/8 172.16.0.0/12 192.168.128.0/17 Security Associations (0 up, 0 connecting): none ``` here are the logs (post-restart of strongswan service) journalctl --system -u strongswan ``` Aug 09 10:03:05 <HOSTNAME_SNIPPED> systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf. Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Starting strongSwan 5.6.2 IPsec [starter]... Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-29-generic, x86_64) Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] PKCS11 module '<name>' lacks library path Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] disabling load-tester plugin, not configured Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv4 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[KNL] unable to create IPv6 routing table rule Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] dnscert plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] ipseckey plugin is disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] attr-sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded ca certificate "C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2" from '/etc/ipsec.d/cacerts/<SNIPPED>-wildca Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading crls from '/etc/ipsec.d/crls' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loading secrets from '/etc/ipsec.secrets' Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded EAP secret for <USER_SNIPPED> Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] sql plugin: database URI not set Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] opening triplet file /etc/ipsec.d/triplets.dat failed: No such file or directory Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] eap-simaka-sql database URI missing Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] loaded 0 RADIUS server configurations Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] HA config misses local/remote address Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] no threshold configured for systime-fix, disabled Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[CFG] coupling file path unspecified Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pk Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[LIB] dropped capabilities, running as uid 0, gid 0 Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 00[JOB] spawning 16 worker threads Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec[10448]: charon (10474) started after 40 ms Aug 09 10:03:05 <HOSTNAME_SNIPPED> ipsec_starter[10448]: charon (10474) started after 40 ms ``` --- and when I try to connect: ``` Aug 09 10:03:05 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] received stroke: add connection '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 04[CFG] added configuration '<SITE_SNIPPED>primary' Aug 09 10:03:15 <HOSTNAME_SNIPPED> charon[10474]: 07[CFG] received stroke: route '<SITE_SNIPPED>primary' Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 07[KNL] policy already exists, try to update it Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>primary' routed Aug 09 10:03:20 <HOSTNAME_SNIPPED> ipsec_starter[10448]: Aug 09 10:03:20 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] received stroke: add connection '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] CA certificate "/etc/ipsec.d/cacerts/<SNIPPED>-wildcard.pem" not found, discarding CA constraint Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 12[CFG] added configuration '<SITE_SNIPPED>secondary' Aug 09 10:03:25 <HOSTNAME_SNIPPED> charon[10474]: 14[CFG] received stroke: route '<SITE_SNIPPED>secondary' Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> charon[10474]: 14[KNL] policy already exists, try to update it Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]: '<SITE_SNIPPED>secondary' routed Aug 09 10:03:30 <HOSTNAME_SNIPPED> ipsec_starter[10448]: ```
2018-08-10 08:07:26	Christian Ehrhardt 	bug			added subscriber  Christian Ehrhardt 
2018-08-16 01:15:16	Erich E. Hoover	bug			added subscriber Erich E. Hoover
2018-08-16 05:11:33	Christian Ehrhardt 	bug task added		strongswan
2018-08-20 13:33:23	Christian Ehrhardt 	bug task added		bind9 (Ubuntu)
2018-08-20 13:34:13	Christian Ehrhardt 	bug task added		resolvconf (Ubuntu)
2018-08-20 15:35:49	Erich E. Hoover	marked as duplicate		1752411

Ubuntustrongswan package

Activity log for bug #1786261

Ubuntu
strongswan package