Bug #9106
Status: Closed
strongSwan 5.7.1 will not start on some 2.4.4/2.4.5 systems, log shows "charon has quit: integrity test of libstrongswan failed"
% Done: 100%
Description
Some users on 2.4.4 and 2.4.5 snapshots with strongSwan 5.7.1 have found that IPsec is not working.
strongSwan will not start, and the IPsec log shows the following error:
charon has quit: integrity test of libstrongswan failed
See also: https://forum.netgate.com/post/803624
Still gathering information about what this might be. The strongSwan code has a few clues, but we need someone who can reproduce it to increase their logging/debug for "strongSwan lib" to find the specific cause, it appears.
- It could be a file/filesystem issue where it cannot find the checksum for libstrongswan, or the file size/checksum does not match the expected value.
- It could be that it cannot find the libstrongswan library, which means we might need to run ldconfig when starting charon
So far we don't have any systems in our labs that can reproduce this condition. If anyone else can reproduce it, please take the following steps:
- Go to VPN > IPsec, Advanced tab.
- Under IPsec Logging Controls set strongSwan Lib to Highest, then Save
- Try to restart IPsec
- Look in Status > System Logs, IPsec tab for a message about why it failed. Alternately, check clog /var/log/ipsec.log from the shell.
Someone could also try killing charon and then running it again with --debug-lib=3
Keeping this assigned to me in a Feedback state since we need more information before anything can be done to work on a solution.
Updated by Jim Pingle about 6 years ago
- Status changed from Feedback to In Progress
At least in one case this is due to charon failing to parse a RADIUS server name containing a period. Apparently this changed in 5.7.0:
Dots are not allowed anymore in section names in swanctl.conf and strongswan.conf.
This mainly affects the configuration of file loggers. If the path for such a log file contains dots it now has to be configured in the new path setting within the arbitrarily renamed subsection in the filelog section.
So we'll need to remove the dots from the RADIUS server name. Since we can only have one RADIUS server defined we shouldn't need to worry about a name collision.
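The dotted-section-name problem described above, as an added example that is not pfSense's or strongSwan's own code: a small Python check that flags any section name containing a dot in a strongswan.conf fragment (which strongSwan 5.7.0 and later reject) and rewrites an eap-radius server name the way the fix for this bug does (radius.name becomes radius_name). The config fragments, the server address and secret, and the log path are constructed for the example; the section syntax follows the strongswan.conf format, including the 5.7+ "name : reference" form, and the filelog rewrite follows the quoted changelog.

```python
import re

# Added example (not pfSense or strongSwan code). Checks a strongswan.conf
# fragment for section names containing dots, which strongSwan >= 5.7.0
# rejects, and rewrites the eap-radius server name the way the fix on this
# bug does (radius.name -> radius_name). All fragments below are constructed.

# Constructed: the eap-radius servers block with the RADIUS server name used
# verbatim as a subsection name. This is the shape that produced
# "syntax error, unexpected ." on strongSwan 5.7.1.
RADIUS_BAD = """\
charon {
    plugins {
        eap-radius {
            servers {
                radius.name {
                    address = 192.0.2.10
                    secret = s3cret
                }
            }
        }
    }
}
"""

# Constructed: a pre-5.7 file logger keyed by its path, and the 5.7+ form that
# moves the path into a setting under an arbitrarily named subsection.
FILELOG_BAD = """\
charon {
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
        }
    }
}
"""

FILELOG_GOOD = """\
charon {
    filelog {
        charon {
            path = /var/log/charon.log
            time_format = %b %e %T
        }
    }
}
"""

# A section opens with a bare name followed by '{' (optionally "name : ref {"
# in the 5.7+ reference syntax). Comments and "key = value" lines do not match.
SECTION_RE = re.compile(r'^\s*([^\s{}=#:]+)\s*(?::\s*[^\s{]+\s*)?\{\s*$')


def find_dotted_sections(conf):
    """Return [(line_no, name)] for every section name containing a '.'."""
    hits = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = SECTION_RE.match(line)
        if m and '.' in m.group(1):
            hits.append((n, m.group(1)))
    return hits


def sanitize_section_name(name):
    """Mirror the fix applied for this bug: replace dots with underscores.

    Only dots are touched because that is the character 5.7.0 stopped
    accepting; the caller must make sure the result stays unique.
    """
    return name.replace('.', '_')


def fix_radius_server_names(conf):
    """Rewrite dotted section names directly under eap-radius 'servers' only.

    filelog sections are deliberately left alone: renaming a path-keyed logger
    loses the path, which instead has to move into a 'path = ...' setting.
    """
    out, stack = [], []
    for line in conf.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            if '.' in name and stack[-2:] == ['eap-radius', 'servers']:
                s, e = m.span(1)
                name = sanitize_section_name(name)
                line = line[:s] + name + line[e:]
            stack.append(name)
        elif line.strip() == '}' and stack:
            stack.pop()
        out.append(line)
    return ''.join(out)


if __name__ == '__main__':
    for label, conf in (('radius', RADIUS_BAD), ('filelog', FILELOG_BAD),
                        ('filelog fixed', FILELOG_GOOD)):
        print(label, find_dotted_sections(conf))
    print(fix_radius_server_names(RADIUS_BAD))
```

Running the check over a generated strongswan.conf before starting charon turns the silent "integrity test of libstrongswan failed" into a line number and the offending name, which is what the "ipsec start" output later in this thread reports by hand.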
Updated by Jim Pingle about 6 years ago
FYI: The error did not show up in the GUI or logs, but when running ipsec start from the command line, the following error was reported:
/usr/local/etc/strongswan.conf:68: syntax error, unexpected ., expecting : or '{' or '=' [.] invalid config file '/usr/local/etc/strongswan.conf'
Updated by Jim Pingle about 6 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset cc955fe63ad44b5aac66721e54965d9bc13e990c.
Updated by Chris Linstruth about 6 years ago
Confirmed that a RADIUS server named radius.name was placed into strongswan.conf named radius_name and charon had no trouble starting.
Updated by Renato Botelho about 6 years ago
- Status changed from Feedback to Resolved