IPsec (strongswan v5.6.3) daemon not starting

I have installed and configured IPsec on my OpenWrt router, but the IPsec daemon is not starting. Below are the logs.

logread command output:

Mon Dec 14 11:56:53 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill
Mon Dec 14 11:56:53 2020 authpriv.info ipsec_starter[2116]: connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory
Mon Dec 14 11:56:53 2020 authpriv.info ipsec_starter[2116]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Mon Dec 14 11:56:53 2020 authpriv.info ipsec_starter[2116]: connecting to 'unix:///var/run/charon.ctl' failed: No such file or directory
Mon Dec 14 11:56:53 2020 authpriv.info ipsec_starter[2116]: failed to connect to stroke socket 'unix:///var/run/charon.ctl'
Mon Dec 14 11:56:54 2020 authpriv.info ipsec_starter[2116]: charon has died -- restart scheduled (5sec)
Mon Dec 14 11:56:59 2020 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.171, mips)
Mon Dec 14 11:56:59 2020 daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
Mon Dec 14 11:57:03 2020 kern.notice kernel: [   82.842685] random: crng init done
Mon Dec 14 11:57:09 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill
Mon Dec 14 11:57:09 2020 authpriv.info ipsec_starter[2116]: charon has died -- restart scheduled (5sec)
Mon Dec 14 11:57:14 2020 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.171, mips)
Mon Dec 14 11:57:14 2020 daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
Mon Dec 14 11:57:24 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill
Mon Dec 14 11:57:25 2020 authpriv.info ipsec_starter[2116]: charon has died -- restart scheduled (5sec)
Mon Dec 14 11:57:30 2020 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.171, mips)
Mon Dec 14 11:57:30 2020 daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path
Mon Dec 14 11:57:40 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill
Mon Dec 14 11:57:40 2020 authpriv.info ipsec_starter[2116]: charon has died -- restart scheduled (5sec)
Mon Dec 14 11:57:44 2020 authpriv.info dropbear[2942]: Child connection from 192.168.1.150:55458
Mon Dec 14 11:57:45 2020 daemon.info : 00[DMN] Starting IKE charon daemon (strongSwan 5.6.3, Linux 4.14.171, mips)
Mon Dec 14 11:57:45 2020 daemon.info : 00[CFG] PKCS11 module '<name>' lacks library path

Below is the /etc/ipsec.conf file

conn primary_vpn
        aggressive=yes
        type=tunnel
        left=%any
        right=200.101.30.11
        leftsubnet=192.168.1.0/24
        rightsubnet=172.31.0.0/22
        authby=secret
        auto=start
        keyexchange=ikev2
        ike=3des-sha1-modp1024
        esp=3des-sha1-modp1024
        ikelifetime=24h
        lifetime=8h
        forceencaps=yes
        dpdaction=restart
        dpddelay=3s
        dpdtimeout=9s

Below is the /etc/ipsec.conf file

200.101.30.11 %any : PSK "test@123"

Below is the /etc/strongswan.conf file

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

Please help us to figure this out.
Thanks in advance

Mon Dec 14 11:56:53 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill

Charon startup via starter, as used in OpenWrt, has a hard-coded time limit of 10 seconds. When the limit is reached before the daemon is fully initialized, starter gives up and terminates charon (see the source code).

If you can start strongswan manually like this:

  • /etc/init.d/ipsec stop
  • let the device sit idle for 10..20 seconds
  • /etc/init.d/ipsec start

the router's CPU or storage might simply be too slow.

I am not sure if OpenWrt starts services in parallel, and if so, how they could be serialized.
Perhaps other daemons are trying to start at the same time, competing for resources.

What is your router model and OpenWrt version?

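The starter timeout described in the answer above can be confirmed from the log itself. The following is an added example, not part of any post in this thread and not strongSwan or OpenWrt code: it pairs each charon start line with the next "kill kill" line and prints the elapsed seconds. The function names `charon_start_report` and `sample_log` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: measure how long each charon start attempt ran before
# ipsec_starter logged "kill kill". Reads logread-style lines on stdin.
charon_start_report() {
    awk '
    # Field 4 of a logread timestamp is HH:MM:SS; convert to seconds of day.
    function secs(t,    p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }

    /Starting IKE charon daemon/ {
        start = $4; attempts++; pending = 1
        next
    }
    /ipsec_starter.*charon too long to start/ {
        if (!pending) next          # kill line without a start line in view
        d = secs($4) - secs(start)
        if (d < 0) d += 86400       # attempt spanned midnight
        printf "start=%s killed=%s elapsed=%ds\n", start, $4, d
        timeouts++; pending = 0
        next
    }
    END {
        printf "attempts=%d timeouts=%d still_starting=%d\n", attempts, timeouts, pending
    }'
}

# Constructed sample input in the same format as the log in the question.
sample_log() {
    cat <<'EOF'
Mon Dec 14 11:56:59 2020 daemon.info : 00[DMN] Starting IKE charon daemon
Mon Dec 14 11:57:09 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill
Mon Dec 14 11:57:09 2020 authpriv.info ipsec_starter[2116]: charon has died -- restart scheduled (5sec)
Mon Dec 14 23:59:55 2020 daemon.info : 00[DMN] Starting IKE charon daemon
Tue Dec 15 00:00:05 2020 authpriv.info ipsec_starter[2116]: charon too long to start... - kill kill
Tue Dec 15 00:00:10 2020 daemon.info : 00[DMN] Starting IKE charon daemon
EOF
}

sample_log | charon_start_report
```

On the router, feed it the live log with `logread | charon_start_report`; a steady `elapsed=10s` on every attempt means charon is being cut off by the starter limit rather than exiting on its own.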

You can try to set up RNG to mitigate low entropy issues:
https://openwrt.org/docs/guide-user/services/rng

I have ZBT WE826-E router

Not working.

Actually, my CPU was going to 100 percent; that's why my IPsec was not starting.
When I killed some processes, my IPsec started.
@mpa Thanks for your help
