[Swan-dev] IPSEC Active Tunnels Status using 'ipsec whack --status'

Praveen Chavan prawin219 at gmail.com
Mon Jan 9 18:24:34 EET 2023


Hi,

With the Libreswan upgrade to 4.5.x, I've noticed changes in the output of
the 'ipsec whack --status' command. I relied on 'IPsec SA established' to
verify the active tunnels. With the upgraded version this string is not
present in the output. Instead, I notice 'STATE_V2_ESTABLISHED_CHILD_SA
(established Child SA)' and 'STATE_V2_ESTABLISHED_IKE_SA (established IKE
SA)'.

What are your thoughts? What is the best string pattern (needle) one can
use from whack status output to find the active tunnel information?

Also, please share details on the different states for the tunnels
(STATE_V2_ESTABLISHED_CHILD_SA, STATE_V2_ESTABLISHED_IKE_SA, etc.).

Thanks,
Praveen

On Mon, Aug 22, 2022 at 12:50 PM Praveen Chavan <prawin219 at gmail.com> wrote:

> Hi,
>
> I'm using the Libreswan 4.5 binary package to start 'pluto' on a Linux
> (RedHat based, customized version) machine. Moving to binaries from source
> to avoid unnecessary build requirements.
>
> Pluto fails to start with this error:
>
> Aug 22 14:48:02.318450: *FATAL ERROR: bind(0.0.0.0:500) failed in find_raw_ifaces4()Address already in use* (errno 98)
> Aug 22 14:48:02.318478: ABORT: ASSERTION FAILED: nr_helper_threads == 0
> (free_server_helper_jobs() +595 programs/pluto/server_pool.c)
>
> However, when using the source rpm, locally built binaries instead, this
> error can be resolved with the following change:
>
>         /* in pluto/kernel_linux.c */
>         if (0) {
>                 ip_address any = address_any(&ipv4_info);
>                 ip_endpoint any_ep = endpoint(&any, pluto_port);
>                 ip_sockaddr any_sa;
>                 size_t any_sa_size = endpoint_to_sockaddr(&any_ep, &any_sa);
>                 if (bind(master_sock, &any_sa.sa, any_sa_size) < 0)
>                         EXIT_LOG_ERRNO(errno, "bind() failed in %s()", __func__);
>         }
>
> I would like to know how one can achieve the same using the binary
> packages directly. I came across the '--interface' and '--listen' options but
> they didn't help.
>
> Assistance would be truly appreciated.
>
> Thanks,
> Praveen
>
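
For the status-parsing question at the top of this message, an added example (not part of the original post and not Libreswan code) that matches on the state token rather than on free text and reports only connections with an established Child SA. The line layout, connection names and placeholder states in the sample are constructed assumptions; only the two STATE_V2_ESTABLISHED_* strings and the older 'IPsec SA established' phrase come from the message.

```python
import re

# Constructed sample. The line layout (serial, quoted connection name, state)
# is an assumption; only the two STATE_V2_ESTABLISHED_* strings and the old
# 'IPsec SA established' phrase come from the message above.
SAMPLE_STATUS = '''\
000 #1: "site-a":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); constructed
000 #2: "site-a":500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); constructed
000 #3: "site-b":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); constructed
000 #4: "site-c":500 STATE_PLACEHOLDER (placeholder, still negotiating); constructed
000 #5: "old-peer":500 STATE_PLACEHOLDER_OLD (IPsec SA established); constructed
'''

# Anchor on the state token and its parenthesised description, never on free
# text, so a connection that happens to be named "established" cannot match.
STATE_LINE = re.compile(
    r'^\d{3} #(?P<serial>\d+): "(?P<conn>[^"]+)"\S*\s+'
    r'(?P<state>STATE_\w+) \((?P<story>[^)]*)\)'
)

def classify(state, story):
    """Map one state to 'child', 'ike' or None (not established)."""
    if state == "STATE_V2_ESTABLISHED_CHILD_SA" or "IPsec SA established" in story:
        return "child"
    if state == "STATE_V2_ESTABLISHED_IKE_SA":
        return "ike"
    return None

def summarize(status_text):
    """Return {connection: set of established SA kinds seen for it}."""
    result = {}
    for line in status_text.splitlines():
        m = STATE_LINE.match(line)
        if not m:
            continue  # not a per-state line
        sas = result.setdefault(m["conn"], set())
        kind = classify(m["state"], m["story"])
        if kind:
            sas.add(kind)
    return result

def active_tunnels(status_text):
    """Connections with an established Child SA; an IKE SA alone carries no traffic."""
    return sorted(c for c, sas in summarize(status_text).items() if "child" in sas)

if __name__ == "__main__":
    print(active_tunnels(SAMPLE_STATUS))
```

A monitoring check built this way should alert on connections that show only an IKE SA, since that means negotiation succeeded but no traffic-carrying SA exists.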