Opened 7 years ago

Closed 6 years ago

Last modified 4 years ago

#9508 closed defect (fixed)

strongswan4: plugin pgp fails to load, tears charon down, error about missing hash function (Camellia)

Reported by: anonymous
Owned by: nico
Priority: normal
Milestone: Barrier Breaker 14.07
Component: packages
Version: Trunk
Keywords: strongswan4 charon Camellia pgp plugin
Cc:

Description

Hi again!

I discovered another glitch in r27096's strongswan4 (upstream's 4.5.2 version) implementation.

Building an image for my tp-link WR-1043ND, I selected the metapackage strongswan4-full in menuconfig. The build was ok, I flashed it to the router and tried to start up charon (pluto disabled in ipsec.conf).

However, charon did not come up and the log said it could not load the camellia hash function and working thread number 10 of 16 had died (number varies).

I cross-checked the number of the dead thread with the list of plugins that got autoloaded and found out that the "pgp" plugin was the one causing the trouble. Deactivating it, charon loaded fine, albeit still logging the error of the Camellia cipher missing.

Please note that I did not try and establish a key exchange or a SA for I did not have my laptop at hand.

I just wanted to notify you that strongswan still seems to have issues. I will provide excerpts of the log next week when I get home again. I don't know if this would be something to ask upstream about...?!

So long & thanks.
Simon

And on a side note: Debugging errors in strongswan's setup is a PITA. Maybe upstream could be bugged to provide understandable error messages in the logs...

Change History (5)

comment:1 Changed 7 years ago by lars@…

I think this is a known issue with upstream and it is on the roadmap:

http://wiki.strongswan.org/issues/128

I believe the default for autoloading plugins is problematic with the strongswan4-full meta package because some of the plugins are overlapping. Therefore an explicit load directive in strongswan.conf is necessary; however, as described in the above link, this is not a straightforward process. I think the problem and possible solutions can be summarized as follows:

Issue: The update to strongswan4 version 4.5.2 switched to using configuration files from upstream sources. This configuration works fine for the default and minimal meta packages, but not the full meta package. The reason is that plugins are now loaded automatically, but due to upstream limitations this currently does not handle conflicts.

Solutions:

A) drop strongswan4-full meta package

B) provide a different strongswan.conf for strongswan4-full package

C) wontfix

I vote for C or A. This is more of an upstream issue and will likely be addressed in the future. In practice the strongswan4-full meta package doesn't make much sense. In my opinion it is better to start with the default or minimal meta package and then install additional plugins as needed.

If C) then perhaps a page on the wiki could be used to clarify the situation.

comment:2 Changed 7 years ago by anonymous

Thanks for your answer, I read that upstream wiki entry too - just a short time after opening this ticket here. :-)
My reasoning behind installing strongswan4-full was "well, I don't know where my experiments may lead me so it can't hurt to have all plugins there just in case I need them". Of course, now I know about the trouble that brings.

Dropping the strongswan4-full metapackage seems like a good way to avoid tickets such as mine. ;-) As well as explicitly stating that strongswan4-default is the recommended set (in the package help texts in make menuconfig as well as in the package description) and that any other combination of plugins is *really* experts only for the reasons mentioned upstream.

comment:3 Changed 6 years ago by nico

  • Owner changed from developers to nico
  • Status changed from new to accepted

comment:4 Changed 6 years ago by nico

  • Resolution set to fixed
  • Status changed from accepted to closed

Fixed in [28517], strongswan4-full is now shown when DEVEL is enabled

comment:5 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
