Bug #9106

closed

strongSwan 5.7.1 will not start on some 2.4.4/2.4.5 systems, log shows "charon has quit: integrity test of libstrongswan failed"

Added by Jim Pingle about 3 years ago. Updated about 3 years ago.

Status: Resolved
Priority: High
Assignee:
Category: IPsec
Target version:
Start date: 11/09/2018
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.4.4
Affected Architecture: amd64

Description

Some users on 2.4.4 and 2.4.5 snapshots with strongSwan 5.7.1 have found that IPsec is not working.
strongSwan will not start, and the IPsec log shows the following error:

charon has quit: integrity test of libstrongswan failed

See also: https://forum.netgate.com/post/803624

Still gathering information about what this might be. The strongSwan code has a few clues, but we need someone who can reproduce it to increase their logging/debug for "strongSwan lib" to find the specific cause, it appears.

So far we don't have any systems in our labs that can reproduce this condition. If anyone else can reproduce it, please take the following steps:

  • Go to VPN > IPsec, Advanced tab.
  • Under IPsec Logging Controls set strongSwan Lib to Highest, then Save
  • Try to restart IPsec
  • Look in Status > System Logs, IPsec tab for a message about why it failed. Alternatively, check clog /var/log/ipsec.log from the shell.

Someone could also try killing charon and then running it again with --debug-lib=3

Keeping this assigned to me in a Feedback state since we need more information before anything can be done to work on a solution.

Actions #1

Updated by Jim Pingle about 3 years ago

  • Status changed from Feedback to In Progress

At least in one case this is due to charon failing to parse a RADIUS server name containing a period. Apparently this changed in 5.7.0:

Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf.
This mainly affects the configuration of file loggers. If the path for such a log file contains dots
it now has to be configured in the new path setting within the arbitrarily renamed subsection in the
filelog section.

So we'll need to remove the dots from the RADIUS server name. Since we can only have one RADIUS server defined we shouldn't need to worry about a name collision.

Actions #2

Updated by Jim Pingle about 3 years ago

FYI: The error did not show up in the GUI or logs, but when running ipsec start from the command line, the following error was reported:

/usr/local/etc/strongswan.conf:68: syntax error, unexpected ., expecting : or '{' or '=' [.]
invalid config file '/usr/local/etc/strongswan.conf'
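
The syntax error above and the dot restriction quoted in comment #1 can be caught before charon is restarted. What follows is an added example, not pfSense's or strongSwan's own code: a small Python checker that walks a strongswan.conf, reports every section name containing a dot together with the line number charon cites in its syntax error, and applies the dots-to-underscores rewrite confirmed in comment #4. It assumes the file is laid out one construct per line ("name {", "key = value", "}"), as pfSense generates it. The sample fragment is constructed for the example; the address and secret are placeholders, and checking keys as well as section names is an assumption about the lexer, since the report only documents the section-name case.

```python
"""Detect and repair dotted section names in strongswan.conf (strongSwan >= 5.7.0).

Added example, not pfSense or strongSwan code. Assumes the file is written
one construct per line ("name {", "key = value", "}"), as pfSense generates it.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape pfSense writes for the eap-radius plugin.
# The section "radius.name" reproduces the case from the bug report; the
# address and secret are placeholders, not real values.
BROKEN_CONF = """\
charon {
    plugins {
        eap-radius {
            servers {
                radius.name {
                    address = 192.0.2.10
                    secret = "placeholder-secret"
                    auth_port = 1812
                    acct_port = 1813
                }
            }
        }
    }
}
"""


@dataclass(frozen=True)
class Problem:
    line: int     # line number, matching what charon reports in its syntax error
    kind: str     # "section" or "key"
    name: str     # the offending name as written
    path: str     # dotted path of the enclosing sections


def _strip_comment(line: str) -> str:
    """Drop a trailing '# ...' comment unless the '#' is inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def sanitize_section_name(name: str) -> str:
    """Apply the fix confirmed in the report: dots become underscores
    (radius.name -> radius_name). Other reserved characters are out of scope here."""
    return name.replace(".", "_")


def _section_name(line: str) -> str:
    """Name from a 'name {' or, since 5.7.0, 'name : reference {' header line."""
    return line[:-1].split(":", 1)[0].strip()


def check_strongswan_conf(text: str) -> List[Problem]:
    """Walk the file tracking section nesting; report every section or key name
    containing a dot. Keys are checked on the assumption that the lexer treats
    them like section names; the report itself only documents the section case."""
    problems: List[Problem] = []
    stack: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _strip_comment(raw)
        if not line or line.startswith("include "):
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        if line.endswith("{"):
            name = _section_name(line)
            if "." in name:
                problems.append(Problem(lineno, "section", name, ".".join(stack)))
            stack.append(name)
            continue
        if "=" in line:
            key = line.split("=", 1)[0].strip()
            if "." in key:
                problems.append(Problem(lineno, "key", key, ".".join(stack)))
    return problems


def fix_strongswan_conf(text: str) -> str:
    """Return a copy with dotted section headers sanitized; other lines untouched."""
    fixed = []
    for raw in text.splitlines(keepends=True):
        line = _strip_comment(raw)
        if line.endswith("{"):
            name = _section_name(line)
            if "." in name:
                raw = raw.replace(name, sanitize_section_name(name), 1)
        fixed.append(raw)
    return "".join(fixed)


if __name__ == "__main__":
    for p in check_strongswan_conf(BROKEN_CONF):
        print(f"line {p.line}: {p.kind} name {p.name!r} under {p.path or '<root>'}")
    print(fix_strongswan_conf(BROKEN_CONF), end="")
```

Run against the sample, the checker reports line 5, the "radius.name" header under charon.plugins.eap-radius.servers, which is the same line charon would point at in its "unexpected ." error; after fix_strongswan_conf the header reads "radius_name {" and the checker returns nothing. Running it over /usr/local/etc/strongswan.conf on an affected box before "ipsec start" shows whether this bug is the cause without having to raise the "strongSwan lib" log level.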

Actions #3

Updated by Jim Pingle about 3 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

Actions #4

Updated by Chris Linstruth about 3 years ago

Confirmed that a RADIUS server named radius.name was placed into strongswan.conf named radius_name and charon had no trouble starting.

Actions #5

Updated by Renato Botelho about 3 years ago

  • Status changed from Feedback to Resolved