[Swan-dev] Useful error?

Andrew Cagney andrew.cagney at gmail.com
Thu Jul 26 15:54:07 UTC 2018


On Mon, 23 Jul 2018 at 14:55, Paul Wouters <paul at nohats.ca> wrote:
>
> On Mon, 23 Jul 2018, D. Hugh Redelmeier wrote:
>
> > | From: Andrew Cagney <andrew.cagney at gmail.com>
> >
> > | I like the idea but I'm not sure about the error being printed - it
> > | makes me think of a Microsoft joke - while the information provided is
> > | technically correct it is completely useless :-)
> >
> > Better to report an error where it is discovered than hope the null
> > action will somehow work out.

My suggestion is to print something contextually meaningful.

> > | My guess (I really don't know) is that, when %default is specified an
> > | error is needed as it won't get resolved?
> >
> > I don't know either.  We don't have a test case.  I don't really
> > understand the code that normally runs (I strongly suspect that it
> > isn't as straight-forward as it could be).
>
> The connection would be loaded but remain unoriented and not usable until
> another call to "whack -listen" happens to resolve the default route.

So if pluto correctly handled this case - trying to orient in the
connection code say - then we'd have pretty much eliminated the call
in whack :-)

I'm going to end up leaving a few bread crumbs for this, so I'd like
to leave the right ones :-)

> [root at east ~]# ipsec auto --add san
> 002 added connection description "san"
> [root at east ~]# ipsec status |grep san |grep orient
> 000 "san":     unoriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
>
> So far so good.
>
> [root at east ~]# ip ro add default via 192.1.2.254
> [root at east ~]# ipsec whack --listen
> 002 listening for IKE messages
> 002 forgetting secrets
> 002 loading secrets from "/etc/ipsec.secrets"
> 002 loaded private key for keyid: PKK_RSA:AQO9bJbr3
> [root at east ~]# ipsec status |grep san |grep orient
> 000 "san":     unoriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
>
> I guess it didn't do it here.
>
> [root at east ~]# ipsec auto --add san
> 002 "san": deleting non-instance connection
> 002 added connection description "san"
> [root at east ~]# ipsec status |grep san |grep orient
> 000 "san":     oriented; my_ip=unset; their_ip=unset; hiscert=east; my_updown=ipsec _updown;
>
> Guess we never recover from it. Tested for ikev1 and ikev2.
>
> Guess, that's a bug.
>
> Paul