[Swan-dev] Useful error?

Paul Wouters paul at nohats.ca
Mon Jul 23 18:55:19 UTC 2018


On Mon, 23 Jul 2018, D. Hugh Redelmeier wrote:

> | From: Andrew Cagney <andrew.cagney at gmail.com>
>
> | I like the idea but I'm not sure about the error being printed - it
> | makes me think of a Microsoft joke - while the information provided is
> | technically correct it is completely useless :-)
>
> Better to report an error where it is discovered than hope the null
> action will somehow work out.
>
> | My guess (I really don't know) is that, when %default is specified an
> | error is needed as it won't get resolved?
>
> I don't know either.  We don't have a test case.  I don't really
> understand the code that normally runs (I strongly suspect that it
> isn't as straight-forward as it could be).

The connection would be loaded but remain unoriented and not usable until
another call to "whack --listen" happens to resolve the default route.

[root at east ~]# ipsec auto --add san
002 added connection description "san"
[root at east ~]# ipsec status |grep san |grep orient
000 "san":     unoriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;

So far so good.

[root at east ~]# ip ro add default via 192.1.2.254
[root at east ~]# ipsec whack --listen
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
002 loaded private key for keyid: PKK_RSA:AQO9bJbr3
[root at east ~]# ipsec status |grep san |grep orient
000 "san":     unoriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;

I guess it didn't do it here.

[root at east ~]# ipsec auto --add san
002 "san": deleting non-instance connection
002 added connection description "san"
[root at east ~]# ipsec status |grep san |grep orient
000 "san":     oriented; my_ip=unset; their_ip=unset; hiscert=east; my_updown=ipsec _updown;

Guess we never recover from it. Tested for ikev1 and ikev2.

Guess that's a bug.

Paul
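A small check for the symptom shown in the session above, as an added example (not code from the thread or from Libreswan itself): it parses "ipsec status" output, lists the connections that are still unoriented after "whack --listen", and emits the "ipsec auto --add" re-add that the session shows does resolve them. The status text embedded below is constructed from the line format in the post, not captured from a real host.

```python
import re
import shlex
import sys

# Constructed sample of "ipsec status" output, modelled on the lines in the
# post above (not captured from a real host).
SAMPLE_STATUS = """\
000 "san":     unoriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
000 "west-east":     oriented; my_ip=unset; their_ip=unset; hiscert=east; my_updown=ipsec _updown;
"""

# Matches the orientation line for a connection:  000 "name":   oriented;|unoriented;
LINE_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s+(?P<state>oriented|unoriented);')


def parse_orientation(status_text):
    """Map connection name -> True if oriented, False if still unoriented."""
    result = {}
    for line in status_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group("name")] = (m.group("state") == "oriented")
    return result


def unoriented_connections(status_text):
    """Sorted names of connections that have no orientation yet."""
    return sorted(name for name, ok in parse_orientation(status_text).items() if not ok)


def readd_commands(status_text):
    """The re-add workaround from the thread, one command per stuck connection.

    Names are shell-quoted so a connection name with spaces stays one argument.
    """
    return ["ipsec auto --add %s" % shlex.quote(n)
            for n in unoriented_connections(status_text)]


if __name__ == "__main__":
    # Feed real output with:  ipsec status | python3 check_orient.py
    # (check_orient.py is a hypothetical file name); without stdin, use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    stuck = unoriented_connections(text)
    if not stuck:
        print("all connections oriented")
    else:
        print("still unoriented after listen: %s" % ", ".join(stuck))
        for cmd in readd_commands(text):
            print("  run: " + cmd)
```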

