
I am using strongSwan on Raspbian 12 with the following /etc/ipsec.conf to connect from an external network to a pfSense:

config setup

conn %default
        keyexchange=ikev1


conn peer-ipsec.xxx.de-tunnel-1
        left=%any
        leftid="xx.zapto.org"
        right=ipsec.xx.de
        rightid="%any"
        leftsubnet=10.130.117.0/24
        rightsubnet=10.128.0.0/16
        ike=aes128-sha256-modp2048,aes128-sha256-modp2048!
        keyexchange=ikev2
        reauth=no
        ikelifetime=28800s
        esp=aes128-sha256-modp2048,aes128-sha256-modp2048!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        compress=no
        authby=secret
        auto=route
        keyingtries=%forever

On pfsense:
Key Exchange version: IKEv2
Internet Protocol: IPv4
Remote Gateway: xx.zapto.org
Authentication Method: Mutual PSK
My Identifier: My IP address
Peer identifier: Fully qualified domain name xx.zapto.org
Encryption Algorithm: AES 128 bit SHA256 DH Group 14 (I will improve this later)

Phase 2:
local network: Network 10.128.0.0/0
NAT: None
Remote Network: Network 10.130.117.0/24
Protocol: ESP
Encryption Algorithm: AES 128, AES128-GCM 128 SHA256 PFS key group 14

  • ip a -> 192.168.2.117
  • ipsec.xx.de can be pinged.
  • nftables: nothing defined

Result:

sudo /usr/sbin/ipsec start --nofork --debug --debug-more
Starting strongSwan 5.9.8 IPsec [starter]...
Loading config setup
Loading conn 'peer-ipsec.xx.de-tunnel-1'
  authby=secret
  auto=route
  compress=no
  esp=aes128-sha256-modp2048,aes128-sha256-modp2048!
  ike=aes128-sha256-modp2048,aes128-sha256-modp2048!
  ikelifetime=28800s
  keyexchange=ikev2
  keyingtries=%forever
  keylife=3600s
  left=%any
  leftid=xx.zapto.org
  leftsubnet=10.130.117.0/24
  reauth=no
  rekeymargin=540s
  right=ipsec.xx.de
  rightid=%any
  rightsubnet=10.128.0.0/16
  type=tunnel
Attempting to start charon...
00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-rpi7-rpi-v8, aarch64)
00[LIB] providers loaded by OpenSSL: legacy default
00[NET] using forecast interface eth1
00[CFG] joining forecast multicast groups: 224.0.0.1,224.0.0.22,224.0.0.251,224.0.0.252,239.255.255.250
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded IKE secret for %any %any
00[CFG] loaded 0 RADIUS server configurations
00[CFG] HA config misses local/remote address
00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl pkcs8 fips-prf gmp agent xcbc hmac kdf gcm drbg attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (14801) started after 140 ms
04[CFG] received stroke: add connection 'peer-ipsec.xx.de-tunnel-1'
04[CFG] added configuration 'peer-ipsec.xx.de-tunnel-1'
05[CFG] received stroke: route 'peer-ipsec.xx.de-tunnel-1'
'peer-ipsec.xx.de-tunnel-1' routed

No connection is established - why?

What does "HA config misses local/remote address" mean?

The same configuration is working on an EdgeRouter ER-X (Ubiquiti), which is also using strongSwan.

I have also tried Libreswan.

1 Answer

With auto=start it works - see the documentation.
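As an added check (not part of the question or the answer), a small POSIX shell helper that classifies a conn from `ipsec status` output, so a trap policy that is merely "ROUTED" (what auto=route gives until matching traffic triggers negotiation) is not mistaken for an established tunnel. The status text below is constructed to mirror the question's conn name and subnets; the remote address is a documentation-range placeholder.

```shell
#!/bin/sh
# Classify a strongSwan conn from `ipsec status` text.
# auto=route only installs a trap policy (shown as ROUTED); an IKE_SA is
# negotiated when traffic matches the policy or when auto=start is used.

# Constructed sample: the question's auto=route setup before any traffic
STATUS_ROUTED='Routed Connections:
peer-ipsec.xx.de-tunnel-1{1}:  ROUTED, TUNNEL, reqid 1
peer-ipsec.xx.de-tunnel-1{1}:   10.130.117.0/24 === 10.128.0.0/16
Security Associations (0 up, 0 connecting):
  none'

# Constructed sample: the same conn after auto=start (placeholder peer 203.0.113.5)
STATUS_UP='Security Associations (1 up, 0 connecting):
peer-ipsec.xx.de-tunnel-1[1]: ESTABLISHED 12 seconds ago, 192.168.2.117[xx.zapto.org]...203.0.113.5[203.0.113.5]
peer-ipsec.xx.de-tunnel-1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i d5e6f7a8_o
peer-ipsec.xx.de-tunnel-1{1}:   10.130.117.0/24 === 10.128.0.0/16'

# tunnel_state STATUS_TEXT CONN_NAME
# Prints: established (IKE_SA up), routed-only (trap policy only), absent
tunnel_state() {
    status="$1"
    conn="$2"
    # IKE_SA lines look like: NAME[n]: ESTABLISHED ...
    if printf '%s\n' "$status" | grep -q "^${conn}\[[0-9]*\]: ESTABLISHED"; then
        echo established
    # Trap-policy lines look like: NAME{n}:  ROUTED, TUNNEL, ...
    elif printf '%s\n' "$status" | grep -q "^${conn}{[0-9]*}:  *ROUTED"; then
        echo routed-only
    else
        echo absent
    fi
}

# Live use on the Raspberry Pi (hypothetical invocation):
#   tunnel_state "$(sudo ipsec status)" peer-ipsec.xx.de-tunnel-1
```

A result of routed-only means charon is waiting for traffic to 10.128.0.0/16 before it negotiates; established means the IKE_SA is up.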
