[Swan-dev] a question on whack exit codes (libreswan-up-down.sh)

Andrew Cagney andrew.cagney at gmail.com
Mon May 7 15:53:43 UTC 2018

On 7 May 2018 at 10:33, Paul Wouters <paul at nohats.ca> wrote:
> On Mon, 7 May 2018, Andrew Cagney wrote:
>> In the past, if the connection didn't come up immediately, 'ipsec auto
>> --up ${config}' would fail and the script would stop.  With recent
>> changes, that operation now succeeds and the script continues
>> executing wait-until-alive (that script runs ping, and the ping then
>> tricks east into trying to bring up the connection ....):
>> 002 "westnet-eastnet-ipv4-psk-ikev2" #4: IKE SA authentication
> This log message has the wrong RC_XXX type.
> Looking closer, it seems that RC_WHACK_PROBLEM is unfortunately placed
> in lswlog.h. I'll push a fix.

I don't think that helped.

>> Given the connection neither succeeded nor failed, what should the exit code
>> be?
> It did fail if it really "rejected" the connection.

Here all the initiator knows is that something is wrong.

Because the other end never proved their identity, the initiator can't
trust what is coming back so it should back off for a bit and then try

As an aside, all the ikev2-unknown-payload-* tests prod this area, and
highlight how inconsistent pluto is with handling this case.  Hmm,
just noticed that ikev2-unknown-payload-03-auth-sk-critical doesn't
try again :-/
