[Swan] Version 3.30 XFRM implementation

Paul Overton Paul at trustedcyber.co.uk
Wed Feb 19 11:10:49 UTC 2020

Thanks Paul,

Some progress: it seems that the iface-ip= directive is causing the failure to start. If I don't include this directive and only use ipsec-interface=yes, an interface ipsec1 is created and the tunnels are created, but the interface does not have a local IP address. I can add this afterwards, though.

This is the error I get when including the iface-ip= statement:

cannot load config '/etc/ipsec.conf': /etc/ipsec.d/connections.conf:26: syntax error, unexpected STRING [iface-ip]

I have tried adding a number of ipsec interfaces; it would appear that 2 per external interface is the limit.

Regards Paul

-----Original Message-----
From: Paul Wouters [mailto:paul at nohats.ca] 
Sent: 18 February 2020 17:18
To: Paul Overton <Paul at trustedcyber.co.uk>
Cc: Swan at lists.libreswan.org
Subject: Re: [Swan] Version 3.30 XFRM implementation

On Tue, 18 Feb 2020, Paul Overton wrote:

> I have just updated one of my machines to run Version 3.30 from 3.29.

> I would like to change this to use XFRM, and note the new directives
> ipsec-interface= and iface-ip=. I have tried using these directives, but Pluto hangs on restart when I try.

We have not experienced that. Can you perhaps get more logs and/or strace output to see what's going on?

> Are there any definitive instructions/examples of the configuration,
> and do I need to preload any of the kernel modules?

If you run with our init system support, which calls _stackmanager, then it should already load the xfrm_interface.ko module.

