[root@vrouter-ovs ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.36.3.el7.x86_64, x86_64):
uptime: 5 hours, since Jul 26 01:22:51 2017
malloc: sbrk 1699840, mmap 0, used 536928, free 1162912
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
192.168.220.155
10.10.64.155
172.16.2.1
Connections:
gz-bj: 10.10.64.155...10.10.64.156 IKEv2, dpddelay=30s
gz-bj: local: [10.10.64.155] uses pre-shared key authentication
gz-bj: remote: [10.10.64.156] uses pre-shared key authentication
gz-bj: child: 172.16.2.0/24 === 10.11.11.0/24 TUNNEL, dpdaction=hold
Routed Connections:
gz-bj{3}: ROUTED, TUNNEL, reqid 1
gz-bj{3}: 172.16.2.0/24 === 10.11.11.0/24
Security Associations (1 up, 0 connecting):
gz-bj[7]: ESTABLISHED 27 minutes ago, 10.10.64.155[10.10.64.155]...10.10.64.156[10.10.64.156]
gz-bj[7]: IKEv2 SPIs: 88bb0cc94a980fa6_i ed5a61b03f1fd433_r*, pre-shared key reauthentication in 30 minutes
gz-bj[7]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
gz-bj{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 40d2fe06_i 9afad142_o
gz-bj{8}: AES_CBC_128/HMAC_SHA1_96, 136752 bytes_i (1628 pkts, 1s ago), 136752 bytes_o (1628 pkts, 1s ago), rekeying in 29 minutes
gz-bj{8}: 172.16.2.0/24 === 10.11.11.0/24
[root@vrouter-ovs ~]# ip xfrm state
- kernel: 3.10.0-327.36.3.el7.x86_64 – Jeremy Jul 25 '17 at 14:42
- Linux strongSwan U5.5.3/K3.10.0-327.36.3.el7.x86_64 – Jeremy Jul 25 '17 at 14:44
1 Answer
You have the kernel-libipsec plugin enabled, which handles IPsec in userland and not the Linux kernel. It's not recommended to use it on security gateways (check the notes on the linked page). The kernel-netlink plugin is the one that installs IPsec SAs and policies in the kernel.
If you built strongSwan yourself, just disable that plugin (i.e. don't add --enable-kernel-libipsec to the configure options (use make clean before rebuilding)). You can also disable the plugin via strongswan.conf or the included config snippet in strongswan.d (i.e. set load = no in /etc/strongswan.d/charon/kernel-libipsec.conf), see plugin load options for details.

ecdsa
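An added check, not part of the question or of ecdsa's answer, that codes up the diagnosis above: it reads the loaded-plugins and CHILD_SA lines of strongswan statusall together with ip xfrm state output, reports whether ESP is being handled in userland, and writes the load = no snippet in the format of the stock /etc/strongswan.d/charon/kernel-libipsec.conf. The sample outputs are constructed from the values in the question and the function names are my own.

```shell
#!/bin/sh
# Added check for the symptom in the question: charon shows an INSTALLED CHILD_SA
# while `ip xfrm state` is empty because kernel-libipsec handles ESP in userland.

# Constructed stand-ins for live command output (values taken from the question).
SAMPLE_STATUS='loaded plugins: charon aes sha1 kernel-libipsec kernel-netlink stroke
gz-bj{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 40d2fe06_i 9afad142_o'
SAMPLE_XFRM_EMPTY=''
SAMPLE_XFRM_OK='src 10.10.64.155 dst 10.10.64.156
    proto esp spi 0x9afad142 reqid 1 mode tunnel'

# 0 if the "loaded plugins:" line lists kernel-libipsec as a whole word
# (so kernel-netlink alone does not match).
libipsec_loaded() {
    printf '%s\n' "$1" | grep '^loaded plugins:' | tr ' ' '\n' | grep -qx 'kernel-libipsec'
}

# 0 if charon reports at least one CHILD_SA in state INSTALLED.
child_sa_installed() {
    printf '%s\n' "$1" | grep -Eq '\{[0-9]+\}: *INSTALLED'
}

# 0 if `ip xfrm state` lists at least one SA ("src ... dst ..." header line).
kernel_sa_present() {
    printf '%s\n' "$1" | grep -q '^src '
}

# Prints a verdict: no-child-sa, kernel-ipsec, userland-ipsec, or missing-kernel-sa.
# Arguments: statusall output, ip xfrm state output.
diagnose() {
    if ! child_sa_installed "$1"; then echo no-child-sa
    elif kernel_sa_present "$2"; then echo kernel-ipsec
    elif libipsec_loaded "$1"; then echo userland-ipsec
    else echo missing-kernel-sa
    fi
}

# Writes the snippet in the format of the stock kernel-libipsec.conf, with the
# plugin's load option switched to no; pass the real path or a scratch file.
write_disable_snippet() {
    cat > "$1" <<'EOF'
kernel-libipsec {
    # Do not load the userland IPsec backend; kernel-netlink installs SAs instead.
    load = no
}
EOF
}
```

Run diagnose with the real outputs of strongswan statusall and ip xfrm state; userland-ipsec is the case the answer describes, and after the snippet is in place and charon restarted the verdict should change to kernel-ipsec.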