Strongswan, Ubuntu 22.04: Can't start connection after reboot, although configuration is loaded


I am using two LXD containers (on both servers) for connecting between them.

Everything runs fine, using iptables for NATing ports.

But there is one problem: when restarting one of the servers (just a small machine), the connection sometimes can't be established automatically. The configuration is loaded (checked with swanctl -L; yes, I am using the swanctl interface).

But I get "received NO_PROPOSAL_CHOSEN notify error" on the host to which I am connecting.

On the host, which tries to initiate the connection, it says "no IKE config found for $IP1...$IP2, sending NO_PROPOSAL_CHOSEN".

After restarting strongswan, the connection can be established.

Both hosts are running Ubuntu 22.04 with LXD containers running strongSwan/swanctl 5.9.5.

Can somebody please assist? Thank you in advance!

You wrote "On the host, which tries to initiate the connection", are you sure? Because that message is one that's logged on a responder, not an initiator. And on the responder it would indicate that the config is not loaded or the IKE version or IPs don't match (a possible reason could also be that two IKE daemons are running). Please post configs and logs of both ends.

ecdsa, you are my hero!

After having wasted hours investigating, your answer helped:

I just wanted to collect the logs to answer you. While doing so, I observed:

Host1:

Feb  9 19:47:03 strongswan charon: 08[NET] received packet: from
Feb  9 19:47:03 strongswan charon: 08[ENC] parsed IKE_SA_INIT request
Feb  9 19:47:03 strongswan charon: 08[IKE] no IKE config found for

...and so on

Host2:

Feb  9 19:45:33 strongswan charon-systemd[1796]: generating IKE_SA_INIT request 0
Feb  9 19:45:33 strongswan charon-systemd[1796]: sending packet: from 
Feb  9 19:45:36 strongswan charon-systemd[1796]: sending keep alive to

...and so on

What I want to stress: there are two different daemons running on the hosts.

On Host1 both services, "ipsec.service" and "strongswan.service", were running. The ipsec.service is used for the old stroke interface:

root@strongswan:~# systemctl status ipsec
○ strongswan-starter.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf

Disabling this service solved the problem:

root@strongswan:~# systemctl disable ipsec

Like you mentioned, both daemons were started on boot and ran in rivalry. So sometimes, after booting, the stroke daemon caught the connection, and sometimes the swanctl daemon did.

Thank you so much!

I hope my answer helps others who are fiddling around with that :)
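A small check for the situation described in this answer, added here as an example and not part of the original post: it reads `systemctl list-unit-files` output and flags a host where both the stroke-based starter (strongswan-starter.service, reached as ipsec.service on Ubuntu 22.04) and the swanctl daemon (strongswan.service) are enabled at boot. The two listings below are constructed samples, not output captured from the poster's hosts; the unit names are the ones the answer shows.

```shell
#!/bin/sh
# Two IKE daemons enabled on one host compete for the same IKE traffic, which is
# what produced the "no IKE config found" responses above. This script detects
# that state from the systemd unit listing so it can be caught before a reboot.

# Read `systemctl list-unit-files --type=service` output on stdin and print the
# strongSwan units whose STATE column is "enabled".
enabled_strongswan_units() {
  awk '$1 ~ /^(strongswan|strongswan-starter|ipsec)\.service$/ && $2 == "enabled" { print $1 }'
}

# Exit 0 (conflict) when both a stroke daemon and the swanctl daemon are enabled,
# exit 1 otherwise. Reads the same listing on stdin.
both_daemons_enabled() {
  bde_stroke=0
  bde_vici=0
  for bde_unit in $(enabled_strongswan_units); do
    case "$bde_unit" in
      strongswan-starter.service|ipsec.service) bde_stroke=1 ;;
      strongswan.service) bde_vici=1 ;;
    esac
  done
  [ "$bde_stroke" -eq 1 ] && [ "$bde_vici" -eq 1 ]
}

# Constructed sample: the state Host1 was in before `systemctl disable ipsec`.
SAMPLE_CONFLICT='UNIT FILE                    STATE    PRESET
strongswan.service           enabled  enabled
strongswan-starter.service   enabled  enabled
ssh.service                  enabled  enabled'

# Constructed sample after disabling the starter: only the swanctl daemon is left.
SAMPLE_FIXED='UNIT FILE                    STATE    PRESET
strongswan.service           enabled  enabled
strongswan-starter.service   disabled enabled
ssh.service                  enabled  enabled'

# Check a listing passed as a string (used for the samples and in tests).
check_listing() {
  printf '%s\n' "$1" | both_daemons_enabled
}

# Check the live system; prints a verdict and returns 0 on conflict, 1 if clean.
check_live() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found" >&2; return 2; }
  if systemctl list-unit-files --type=service 2>/dev/null | both_daemons_enabled; then
    echo "CONFLICT: stroke (ipsec/strongswan-starter) and swanctl (strongswan) daemons both enabled"
    return 0
  fi
  echo "OK: only one strongSwan daemon is enabled"
  return 1
}
```

Run `check_live` on each host; a conflict means the same fix as in the answer, disabling the starter unit, so that only charon-systemd answers IKE_SA_INIT after the next boot.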
