Why does 'ipsec statusall' not show any connections?


The IKE daemon used by the NetworkManager plugin (charon-nm) is different from the regular IKE daemon (charon) that you interact with via the ipsec script.

Therefore, you won't be able to see the status of connections established via the NetworkManager plugin in ipsec statusall, as that will only show you connections and SAs managed by the regular daemon, which are configured in ipsec.conf.
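As an added example (not code from the question or the answer, and not part of strongSwan), the script below takes syslog lines of the kind shown in the question and works out, per established SA, which daemon owns it and therefore which tool can show its status: the stroke-managed charon is visible through ipsec statusall, while charon-nm connections are visible through NetworkManager (nmcli) or, for the kernel's own view of the installed SAs that both daemons populate through the kernel-netlink plugin, through ip xfrm state. The host name, addresses and SPIs in the sample log are constructed.

```shell
#!/bin/sh
# Added example, not code from the question or answer: given syslog lines,
# work out which strongSwan daemon (charon vs charon-nm) established each SA
# and therefore which tool will show its status. Host name, addresses and
# SPIs in the sample are constructed.

# Constructed sample log. The first two lines mimic a NetworkManager-driven
# connection (syslog tag "charon-nm:"); the third mimics a connection from
# the stroke-managed daemon (tag "charon:") configured in ipsec.conf; the
# last is a NetworkManager line that must be ignored.
SAMPLE_LOG='May  4 14:14:49 host charon-nm: 10[IKE] IKE_SA Company[1] established between 192.168.43.101[C=NO, CN=user]...203.0.113.7[remote.example.com]
May  4 14:14:49 host charon-nm: 10[IKE] CHILD_SA Company{1} established with SPIs c71e085c_i 46449091_o and TS 192.168.100.6/32 === 203.0.113.7/32
May  4 14:20:01 host charon: 12[IKE] IKE_SA site-b[2] established between 192.168.43.101[C=NO, CN=user]...198.51.100.9[siteb.example.com]
May  4 14:20:02 host NetworkManager[1076]: <info> Tunnel Device: tun0'

# established_sas: read syslog lines on stdin and print one line
#   <daemon> <IKE_SA|CHILD_SA> <connection-name>
# for every SA that a strongSwan daemon reports as established.
established_sas() {
    awk '
        # $5 is the syslog tag; only "charon:" and "charon-nm:" are of interest
        $5 ~ /^charon(-nm)?:$/ && / (IKE_SA|CHILD_SA) [^ ]+ established / {
            daemon = $5; sub(/:$/, "", daemon)
            for (i = 6; i <= NF; i++) {
                if ($i == "IKE_SA" || $i == "CHILD_SA") {
                    # strip the [n] / {n} unique-id suffix from the name
                    name = $(i + 1)
                    p = index(name, "["); if (p) name = substr(name, 1, p - 1)
                    p = index(name, "{"); if (p) name = substr(name, 1, p - 1)
                    print daemon, $i, name
                    break
                }
            }
        }'
}

# daemon_for NAME: read syslog lines on stdin and print the daemon that
# established connection NAME (empty output if none did).
daemon_for() {
    established_sas | awk -v n="$1" '$3 == n { print $1; exit }'
}

# status_tool DAEMON: where the status of that daemon's SAs is visible.
status_tool() {
    case "$1" in
        charon)    echo "ipsec statusall" ;;
        charon-nm) echo "nmcli connection show --active (kernel view: ip xfrm state)" ;;
        *)         echo "unknown daemon: $1" ;;
    esac
}

# Demo: classify every SA in the sample and say where to look for it.
printf '%s\n' "$SAMPLE_LOG" | established_sas | while read -r daemon kind name; do
    printf '%-9s %-8s %-8s -> %s\n' "$daemon" "$kind" "$name" "$(status_tool "$daemon")"
done
```

On a real machine, feed it the actual log instead of the sample, for instance `grep charon /var/log/syslog | daemon_for Company`; if the answer is charon-nm, an empty "Connections:" section in ipsec statusall is expected and not a sign that the tunnel is down.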

Author: sbrattla

Updated on September 18, 2022

Comments

  • sbrattla (almost 2 years ago)

    I've finally been able to get a tunnel between my computer (strongswan) and a Zyxel Zywall 110 up and running.

    I'm connecting using certificates, and judging from the logs the actual VPN connection seems to get established.

    May  4 14:14:49 user charon-nm: 10[IKE] authentication of 'remote.company.com' with RSA signature successful
    May  4 14:14:49 user charon-nm: 10[IKE] IKE_SA Company[1] established between 192.168.43.101[C=NO, CN=user]...X.X.X.X[remote.company.com]
    May  4 14:14:49 user charon-nm: 10[IKE] scheduling rekeying in 35793s
    May  4 14:14:49 user charon-nm: 10[IKE] maximum IKE_SA lifetime 36393s
    May  4 14:14:49 user charon-nm: 10[CFG] handling INTERNAL_IP4_NETMASK attribute failed
    May  4 14:14:49 user charon-nm: 10[IKE] installing new virtual IP 192.168.100.6
    May  4 14:14:49 user charon: 14[KNL] 192.168.100.6 appeared on wlan0
    May  4 14:14:49 user avahi-daemon[645]: Registering new address record for 192.168.100.6 on wlan0.IPv4.
    May  4 14:14:49 user charon-nm: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
    May  4 14:14:49 user charon-nm: 10[IKE] CHILD_SA Company{1} established with SPIs c71e085c_i 46449091_o and TS 192.168.100.6/32 === X.X.X.X/32 
    May  4 14:14:49 user NetworkManager[1076]: <info> VPN connection 'Company' (IP4 Config Get) reply received from old-style plugin.
    May  4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_nameserver: assertion 'nameserver > 0' failed
    May  4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_wins: assertion 'wins > 0' failed
    May  4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_wins: assertion 'wins > 0' failed
    May  4 14:14:49 user NetworkManager[1076]: <info> Tunnel Device: tun0
    May  4 14:14:49 user NetworkManager[1076]: <info> IPv4 configuration:
    May  4 14:14:49 user NetworkManager[1076]: <info>   Internal Address: 192.168.100.6
    May  4 14:14:49 user NetworkManager[1076]: <info>   Internal Prefix: 32
    May  4 14:14:49 user NetworkManager[1076]: <info>   Internal Point-to-Point Address: 0.0.0.0
    May  4 14:14:49 user NetworkManager[1076]: <info>   Maximum Segment Size (MSS): 0
    May  4 14:14:49 user NetworkManager[1076]: <info>   Forbid Default Route: yes
    May  4 14:14:49 user NetworkManager[1076]: <info>   Internal DNS: 192.168.16.2
    May  4 14:14:49 user NetworkManager[1076]: <info>   DNS Domain: '(none)'
    May  4 14:14:49 user NetworkManager[1076]: <info> No IPv6 configuration
    May  4 14:14:49 user charon-nm: 14[KNL] interface tun0 activated
    May  4 14:14:49 user charon: 07[KNL] interface tun0 activated
    May  4 14:14:49 user kernel: [15417.710286] brcmsmac bcma0:1: brcms_ops_bss_info_changed: arp filtering: 2 addresses (implement)
    May  4 14:14:49 user charon-nm: 05[KNL] 192.168.100.6 appeared on tun0
    May  4 14:14:49 user charon: 11[KNL] 192.168.100.6 appeared on tun0
    May  4 14:14:50 user NetworkManager[1076]: <info> VPN connection 'Company' (IP Config Get) complete.
    

    However, even though the VPN seems to be established, the output of ipsec statusall does not seem to agree.

    Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-33-generic, x86_64):
      uptime: 4 hours, since May 04 09:57:53 2016
      malloc: sbrk 2568192, mmap 0, used 330496, free 2237696
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
      loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
    Listening IP addresses:
      192.168.43.101
      192.168.100.6
      10.0.3.1
      192.168.100.6
    Connections:
    Security Associations (0 up, 0 connecting):
      none
    

    Last, the output of ip route show gives me the following.

    default via 192.168.43.1 dev wlan0  proto static 
    10.0.3.0/24 dev lxcbr0  proto kernel  scope link  src 10.0.3.1 
    192.168.43.0/24 dev wlan0  proto kernel  scope link  src 192.168.43.101  metric 9 
    

    The VPN connection has been configured with Network Manager, and I'm using certificates to establish the connection. I am unable to reach any resources on the network to which I've established the VPN connection.

    Am I missing something in the configuration? What could I be missing?