Need help in configuring strongswan


#1

Hi,

I configured strongswan using the following inside configuration.nix

# Straight ASCII quotes are required; the curly quotes in the pasted
# version are not valid Nix string delimiters.
services.strongswan.connections.mainconn.auto = "add";
services.strongswan.connections.mainconn.eap_identity = "michael.calimlim";
services.strongswan.connections.mainconn.esp = "aes256-sha1,3des-sha1!";
services.strongswan.connections.mainconn.forceencaps = "yes";
services.strongswan.connections.mainconn.ike = "aes256-sha1-modp1024,3des-sha1-modp1024!";
services.strongswan.connections.mainconn.keyexchange = "ikev2";
services.strongswan.connections.mainconn.left = "%defaultroute";
services.strongswan.connections.mainconn.leftauth = "eap-mschapv2";
services.strongswan.connections.mainconn.leftid = "any";
services.strongswan.connections.mainconn.leftsourceip = "%config4";
services.strongswan.connections.mainconn.lifetime = "1800";
services.strongswan.connections.mainconn.rightauth = "pubkey";
services.strongswan.connections.mainconn.rightsendcert = "always";
services.strongswan.connections.mainconn.rightsubnet = "0.0.0.0/0";
services.strongswan.connections.mainconn.type = "tunnel";
# subconn inherits everything from mainconn via "also" and only sets the peer
services.strongswan.connections.subconn.also = "mainconn";
services.strongswan.connections.subconn.right = "my.vpn.io";
services.strongswan.connections.subconn.rightid = "my.vpn.io";
services.strongswan.enable = true;

then nixos-rebuild switch

but it doesn’t generate the /etc/ipsec.conf file

or is it being generated somewhere else than the /etc directory?

need help…

Thanks


#2

You can run systemctl cat strongswan and look where the Environment variable STRONGSWAN_CONF points to.


#3

Strange… I don’t have strongswan running as a service. I can’t even enable/start it…


#4

That is certainly strange. I just tested it locally and it worked as expected. Can you paste the output of nix-info?


#5

system: "x86_64-linux", multi-user?: yes, version: nix-env (Nix) 2.2, nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos


#6

systemctl cat strongswan
No files found for strongswan.service

systemctl enable strongswan
Failed to enable unit: Unit file strongswan.service does not exist.


#7

If you edit other things in your configuration.nix, do they apply after nixos-rebuild switch?
For example adding services.nginx.enable = true; inside your config and then checking if systemctl status nginx returns the service as running.

You don’t need to do systemctl enable ... on NixOS, since the system itself will take care of that.

Could you also paste the output of nix-channel --list


#8

I tried changing something in my configuration.nix file, then executed nixos-rebuild switch. It applied the changes, but not for strongswan. I still don't have strongswan running…

nix-channel --list does not return me anything…


#9

anyone? need some help on strongswan…


#10

Hmm, I really don’t have any idea… did you run nix-channel --list as root?
could you paste the output of nixos-rebuild switch somewhere?


#11

nixos-outputs


#12

bumping this again, anyone? :frowning:


#13

I’m no expert by any means, but running nix-channel --list should return the channels you are subscribed to. If you don’t have any channels nothing will probably work.

Try subscribing to a channel that feels relevant for you, please see this page for info.


#14

strange, it works without any channel…


#15

Since you don’t have any channels to fetch packages or updates I hardly think that your strongswan changes will ever take effect, as that package definition normally lives in a nixos channel.


#16

strongswan-issue
Am I missing something here?