Why does 'ipsec statusall' not show any connections?
The IKE daemon used by the NetworkManager plugin (charon-nm) is different than the regular IKE daemon (charon) that you interact with via the ipsec script.
Therefore, you won't be able to see the status of connections established via NetworkManager plugin in ipsec statusall as that will only show you connections and SAs managed by the regular daemon, which are configured in ipsec.conf.
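To check from syslog which daemon actually owns a tunnel, the following added example (not part of the original answer) groups "established" IKE_SA and CHILD_SA events by the daemon that logged them. The function names are hypothetical, the sample lines are abridged from the log in the question on this page, and the syslog layout shown there is assumed.

```python
import re
from collections import defaultdict

# Sample syslog lines, abridged from the log in the question on this page.
SAMPLE_LOG = """\
May 4 14:14:49 user charon-nm: 10[IKE] IKE_SA Company[1] established between 192.168.43.101[C=NO, CN=user]...X.X.X.X[remote.company.com]
May 4 14:14:49 user charon-nm: 10[IKE] installing new virtual IP 192.168.100.6
May 4 14:14:49 user charon: 14[KNL] 192.168.100.6 appeared on wlan0
May 4 14:14:49 user charon-nm: 10[IKE] CHILD_SA Company{1} established with SPIs c71e085c_i 46449091_o and TS 192.168.100.6/32 === X.X.X.X/32
May 4 14:14:49 user charon: 07[KNL] interface tun0 activated
"""

# syslog tag (daemon name), optional [pid], then strongSwan's "NN[SUBSYS] message"
LINE_RE = re.compile(
    r"\s(?P<daemon>charon(?:-nm)?)(?:\[\d+\])?: \d+\[(?P<subsys>[A-Z]+)\] (?P<msg>.*)")
# "IKE_SA name[id] established ..." or "CHILD_SA name{id} established ..."
SA_RE = re.compile(r"(?P<kind>IKE_SA|CHILD_SA) (?P<name>\S+?)[\[{]\d+[\]}] established")

def sa_owners(log_text):
    """Map each daemon seen in the log to the (kind, name) SAs it established."""
    owners = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        sas = owners[m["daemon"]]  # records the daemon even if it owns no SAs
        sa = SA_RE.match(m["msg"])
        if sa and m["subsys"] == "IKE":
            sas.append((sa["kind"], sa["name"]))
    return dict(owners)

def explain(owners):
    """One line per daemon: its SAs and whether 'ipsec statusall' reports them."""
    lines = []
    for daemon, sas in sorted(owners.items()):
        names = ", ".join(f"{kind} {name}" for kind, name in sas) or "none"
        seen = "queried" if daemon == "charon" else "not queried"
        lines.append(f"{daemon}: {names}; {seen} by 'ipsec statusall'")
    return lines

if __name__ == "__main__":
    print("\n".join(explain(sa_owners(SAMPLE_LOG))))
```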
sbrattla
Updated on September 18, 2022
sbrattla almost 2 years
I've finally been able to get a tunnel between my computer (strongswan) and a Zyxel Zywall 110 up and running.
I'm connecting using certificates, and judging from the logs the actual VPN connection seems to get established.
May 4 14:14:49 user charon-nm: 10[IKE] authentication of 'remote.company.com' with RSA signature successful
May 4 14:14:49 user charon-nm: 10[IKE] IKE_SA Company[1] established between 192.168.43.101[C=NO, CN=user]...X.X.X.X[remote.company.com]
May 4 14:14:49 user charon-nm: 10[IKE] scheduling rekeying in 35793s
May 4 14:14:49 user charon-nm: 10[IKE] maximum IKE_SA lifetime 36393s
May 4 14:14:49 user charon-nm: 10[CFG] handling INTERNAL_IP4_NETMASK attribute failed
May 4 14:14:49 user charon-nm: 10[IKE] installing new virtual IP 192.168.100.6
May 4 14:14:49 user charon: 14[KNL] 192.168.100.6 appeared on wlan0
May 4 14:14:49 user avahi-daemon[645]: Registering new address record for 192.168.100.6 on wlan0.IPv4.
May 4 14:14:49 user charon-nm: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
May 4 14:14:49 user charon-nm: 10[IKE] CHILD_SA Company{1} established with SPIs c71e085c_i 46449091_o and TS 192.168.100.6/32 === X.X.X.X/32
May 4 14:14:49 user NetworkManager[1076]: <info> VPN connection 'Company' (IP4 Config Get) reply received from old-style plugin.
May 4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_nameserver: assertion 'nameserver > 0' failed
May 4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_wins: assertion 'wins > 0' failed
May 4 14:14:49 user NetworkManager[1076]: nm_ip4_config_add_wins: assertion 'wins > 0' failed
May 4 14:14:49 user NetworkManager[1076]: <info> Tunnel Device: tun0
May 4 14:14:49 user NetworkManager[1076]: <info> IPv4 configuration:
May 4 14:14:49 user NetworkManager[1076]: <info> Internal Address: 192.168.100.6
May 4 14:14:49 user NetworkManager[1076]: <info> Internal Prefix: 32
May 4 14:14:49 user NetworkManager[1076]: <info> Internal Point-to-Point Address: 0.0.0.0
May 4 14:14:49 user NetworkManager[1076]: <info> Maximum Segment Size (MSS): 0
May 4 14:14:49 user NetworkManager[1076]: <info> Forbid Default Route: yes
May 4 14:14:49 user NetworkManager[1076]: <info> Internal DNS: 192.168.16.2
May 4 14:14:49 user NetworkManager[1076]: <info> DNS Domain: '(none)'
May 4 14:14:49 user NetworkManager[1076]: <info> No IPv6 configuration
May 4 14:14:49 user charon-nm: 14[KNL] interface tun0 activated
May 4 14:14:49 user charon: 07[KNL] interface tun0 activated
May 4 14:14:49 user kernel: [15417.710286] brcmsmac bcma0:1: brcms_ops_bss_info_changed: arp filtering: 2 addresses (implement)
May 4 14:14:49 user charon-nm: 05[KNL] 192.168.100.6 appeared on tun0
May 4 14:14:49 user charon: 11[KNL] 192.168.100.6 appeared on tun0
May 4 14:14:50 user NetworkManager[1076]: <info> VPN connection 'Company' (IP Config Get) complete.
However, even though the VPN seems to be established it seems that the output of ipsec statusall does not agree.
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.19.0-33-generic, x86_64):
  uptime: 4 hours, since May 04 09:57:53 2016
  malloc: sbrk 2568192, mmap 0, used 330496, free 2237696
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 rdrand random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Listening IP addresses:
  192.168.43.101
  192.168.100.6
  10.0.3.1
  192.168.100.6
Connections:
Security Associations (0 up, 0 connecting):
  none
Last, the output of ip route show gives me the following.
default via 192.168.43.1 dev wlan0 proto static
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1
192.168.43.0/24 dev wlan0 proto kernel scope link src 192.168.43.101 metric 9
The VPN connection has been configured with Network Manager, and I'm using certificates to establish the connection. I am unable to reach any resources on the network which I've established the VPN connection to.
Am I missing something in the configuration? What could I be missing?