IPsec vpn server only works with local mode enabled, but not with local mode disabled (hwdsl2)

Howdy,

I’m running an IPsec VPN server on a Raspberry Pi 4 using the hwdsl2/ipsec-vpn-server image. It works perfectly fine with the device in local mode, however, as soon as I disable local mode, I get:

pluto[590]: ABORT: ASSERTION FAILED: event_initialized(&se->ev) (in free_signal_handlers() at server.c:448)

For reference, here’s server.c:448.

I’m using a Raspberry Pi 4, connected via Ethernet, running balenaOS 2.65.0+rev1 and supervisor 12.2.11. The compose file looks like this (as advised here):

version: '2.1'
volumes:
  resin-data:
services:
  hwdsl2:
    build: .
    volumes:
      - 'resin-data:/data'
    ports:
      - 500:500/udp
      - 4500:4500/udp
    cap_add:
      - NET_ADMIN
    devices:
      - "/dev/ppp"
    network_mode: host
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.accept_redirects: 0
      net.ipv4.conf.all.send_redirects: 0
      net.ipv4.conf.all.rp_filter: 0
      net.ipv4.conf.default.accept_redirects: 0
      net.ipv4.conf.default.send_redirects: 0
      net.ipv4.conf.default.rp_filter: 0
      net.ipv4.conf.eth0.send_redirects: 0
      net.ipv4.conf.eth0.rp_filter: 0

I also tried privileged: true instead of the cap_add/devices/sysctls, to the same effect.

Anybody have an idea what the reason might be for the different behaviour with local mode enabled? 🤷‍♂️

Cheers!
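One thing worth checking when a container behaves differently between two deployment modes is whether the sysctls declared in the compose file are actually in effect on the host. The following is an added example, not code from the thread or from the hwdsl2 project: it extracts the `sysctls:` block from a compose file and compares each key against the live value under `/proc/sys`, printing only the mismatches. The `COMPOSE_SAMPLE` text is a constructed excerpt of the file posted above; the function and variable names are my own.

```shell
#!/bin/sh
# Compare the sysctls declared in a docker-compose.yml with the values that are
# actually in effect, read from /proc/sys. Added example; not from the thread.

# Constructed sample input: a trimmed copy of the sysctls block posted above.
COMPOSE_SAMPLE='services:
  hwdsl2:
    sysctls:
      net.ipv4.ip_forward: 1
      net.ipv4.conf.all.rp_filter: 0
    ports:
      - 500:500/udp'

# compose_sysctls <compose text>
# Prints one "key expected" line per entry found under a "sysctls:" block.
# The block ends at the first line indented no deeper than "sysctls:" itself.
compose_sysctls() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*sysctls:[[:space:]]*$/ { inblock=1; indent=match($0,/[^ ]/); next }
    inblock {
      cur=match($0,/[^ ]/)
      if (cur<=indent) { inblock=0; next }
      gsub(/^[[:space:]]+|[[:space:]]+$/, "")       # drop surrounding whitespace
      split($0, kv, /:[[:space:]]*/)                 # "key: value" -> kv[1], kv[2]
      print kv[1], kv[2]
    }'
}

# read_proc_sysctl <key>
# Live reader: net.ipv4.ip_forward -> /proc/sys/net/ipv4/ip_forward.
read_proc_sysctl() {
  path="/proc/sys/$(printf '%s' "$1" | tr . /)"
  if [ -r "$path" ]; then cat "$path"; else echo "unreadable"; fi
}

# sysctl_mismatches <reader function name>
# Reads "key expected" lines on stdin, looks up each key with the given reader
# and prints "key expected=X actual=Y" for every value that differs.
sysctl_mismatches() {
  reader="$1"
  while read -r key expected; do
    actual=$("$reader" "$key")
    [ "$actual" = "$expected" ] || printf '%s expected=%s actual=%s\n' "$key" "$expected" "$actual"
  done
}

# Run the live check only when asked, e.g.:  sh check_sysctls.sh --live docker-compose.yml
if [ "${1:-}" = "--live" ]; then
  compose_sysctls "$(cat "${2:-docker-compose.yml}")" | sysctl_mismatches read_proc_sysctl
fi
```

Running it inside the container in each mode (`--live` with the real compose file) and diffing the two outputs shows immediately whether, say, `rp_filter` or `ip_forward` differs between local and managed mode, which is the kind of host-level difference a compose file alone cannot reveal.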

Hi there,

I just tried reproducing your issue locally to test a theory about what might be causing the discrepancy. I was unable to trigger the behavior you mentioned using the docker-compose you provided and building the latest https://github.com/hwdsl2/docker-ipsec-vpn-server from source. Can you confirm you are also running commit c282440? If that’s correct, are you able to provision a second device to test if something specific to the device is not working as expected?

Please let us know!

Hi @xginn8, thanks for looking into this. My Dockerfile only does FROM hwdsl2/ipsec-vpn-server and then changes the location where the config is loaded from. I don’t have a second device unfortunately. Do you have a hunch on what differences there are with local mode enabled vs. disabled?

Hey @jannis, we’ve been unable to reproduce this issue so far, but thank you for clarifying your build file.

Regarding the config file you are loading, could you share the file and remove any sensitive information? We just want to check if there’s anything in your IPsec config that would cause a conflict with managed mode.

Also, just to be sure that both local mode and managed mode are running the same release, could you try the following deploy methods?

  1. when in local mode, use balena push which is probably what you’re already doing
  2. when in managed mode, use balena deploy --build to ensure the dashboard is running the same release as local mode

Here’s the documentation on the deploy command if you haven’t used it before:
https://www.balena.io/docs/reference/balena-cli/#deploy-appname-image