Bug #9106

strongSwan 5.7.1 will not start on some 2.4.4/2.4.5 systems, log shows "charon has quit: integrity test of libstrongswan failed"

Added by Jim Pingle over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: High
Assignee:
Category: IPsec
Target version:
Start date: 11/09/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.4.4
Affected Architecture: amd64

Description

Some users on 2.4.4 and 2.4.5 snapshots with strongSwan 5.7.1 have found that IPsec is not working.
strongSwan will not start, and the IPsec log shows the following error:

charon has quit: integrity test of libstrongswan failed

See also: https://forum.netgate.com/post/803624

Still gathering information about what this might be. The strongSwan code has a few clues, but we need someone who can reproduce it to increase their logging/debug for "strongSwan lib" to find the specific cause, it appears.

So far we don't have any systems in our labs that can reproduce this condition. If anyone else can reproduce it, please take the following steps:

  • Go to VPN > IPsec, Advanced tab.
  • Under IPsec Logging Controls set strongSwan Lib to Highest, then Save
  • Try to restart IPsec
  • Look in Status > System Logs, IPsec tab for a message about why it failed. Alternately, check clog /var/log/ipsec.log from the shell.

Someone could also try killing charon and then running it again with --debug-lib=3

Keeping this assigned to me in a Feedback state since we need more information before anything can be done to work on a solution.

Associated revisions

Revision cc955fe6 (diff)
Added by Jim Pingle over 2 years ago

Replace '.' in radius name for strongSwan. Fixes #9106

Revision 57ccb98c (diff)
Added by Jim Pingle over 2 years ago

Replace '.' in radius name for strongSwan. Fixes #9106

(cherry picked from commit cc955fe63ad44b5aac66721e54965d9bc13e990c)

Revision 16b78f38 (diff)
Added by Jim Pingle over 2 years ago

Fix previous regex. Issue #9106

Revision 5a78cccc (diff)
Added by Jim Pingle over 2 years ago

Fix previous regex. Issue #9106

(cherry picked from commit 16b78f3879bdf658274caf750c9360ec97bb8f77)

History

#1 Updated by Jim Pingle over 2 years ago

  • Status changed from Feedback to In Progress

At least in one case this is due to charon failing to parse a RADIUS server name containing a period. Apparently this changed in 5.7.0:

Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf.
This mainly affects the configuration of file loggers. If the path for such a log file contains dots
it now has to be configured in the new path setting within the arbitrarily renamed subsection in the
filelog section.

So we'll need to remove the dots from the RADIUS server name. Since we can only have one RADIUS server defined we shouldn't need to worry about a name collision.
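As an added illustration of the problem described in this comment (not pfSense's own fix), the snippet below sanitizes a RADIUS server name the same way the fix does, replacing '.' with '_', and includes a small checker that finds section headers containing dots in a strongswan.conf fragment. The charon/plugins/eap-radius/servers layout of the constructed fragment is assumed, not taken from this ticket.

```python
import re

# A strongswan.conf section header looks like:  name {
# (key = value lines and closing braces never match this pattern).
SECTION_RE = re.compile(r'^\s*([^\s#={]+)\s*\{\s*$')


def sanitize_section_name(name: str) -> str:
    """Replace every '.' with '_' so the name is legal as a strongswan.conf
    section name (dots are rejected since strongSwan 5.7.0)."""
    return name.replace('.', '_')


def find_dotted_sections(conf_text: str):
    """Return [(line_no, section_name)] for every section header whose name
    contains a dot, i.e. every line that would trigger the 'unexpected .'
    syntax error when charon loads the file."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if m and '.' in m.group(1):
            hits.append((n, m.group(1)))
    return hits


def render_radius_section(server_name: str, address: str, secret: str) -> str:
    """Render an eap-radius 'servers' subsection with a sanitized name.
    The layout is assumed for this example; real generators may differ."""
    return (
        "    servers {\n"
        f"        {sanitize_section_name(server_name)} {{\n"
        f"            address = {address}\n"
        f"            secret = {secret}\n"
        "        }\n"
        "    }\n"
    )


# Constructed fragment mirroring the failing case: a RADIUS server name with a dot.
BROKEN_CONF = """charon {
    plugins {
        eap-radius {
            servers {
                radius.name {
                    address = 192.0.2.10
                    secret = example-shared-secret
                }
            }
        }
    }
}
"""
```

Running `find_dotted_sections(BROKEN_CONF)` reports line 5 (`radius.name`), and the same fragment with the name sanitized reports nothing.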

#2 Updated by Jim Pingle over 2 years ago

FYI: The error did not show up in the GUI or logs, but when running ipsec start from the command line, the following error was reported:

/usr/local/etc/strongswan.conf:68: syntax error, unexpected ., expecting : or '{' or '=' [.]
invalid config file '/usr/local/etc/strongswan.conf'

#3 Updated by Jim Pingle over 2 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#4 Updated by Chris Linstruth over 2 years ago

Confirmed that a RADIUS server named radius.name was placed into strongswan.conf named radius_name and charon had no trouble starting.

#5 Updated by Renato Botelho over 2 years ago

  • Status changed from Feedback to Resolved
