[Swan] Cannot start ipsec service using systemd

Philippe Vouters philippe.vouters at laposte.net
Fri Jan 4 16:33:20 EET 2013


Dear Elison,

Ensure you have this /etc/sysctl.conf configuration:
[philippe at victor libreswan-3.0]$ sudo cat /etc/sysctl.conf
# Kernel sysctl configuration file
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
#net.ipv4.ip_forward = 0

# Controls source route verification
#net.ipv4.conf.all.rp_filter = 0
#net.ipv4.conf.default.rp_filter = 0
#net.ipv4.conf.eth0.rp_filter = 0

# Do not accept source routing
#net.ipv4.conf.default.accept_source_route = 0

#net.ipv4.conf.all.send_redirects = 0
#net.ipv4.conf.default.send_redirects = 0
#net.ipv4.conf.lo.send_redirects = 0
#net.ipv4.conf.eth0.send_redirects = 0

#IPSec
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.default.log_martians = 0
net.ipv4.ip_forward = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
Afterwards the command should be # sysctl -p from a root account.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

Le 04/01/2013 15:04, Elison Niven a écrit :
> Thanks for your support and time.
> $ cat /etc/sysconfig/pluto
> # Put extra pluto command line options you want here
> PLUTO_OPTIONS=" "
>
> $ ipsec addconn --autoall
> $ echo $?
> 0
>
> Verifying installed system and configuration files
>
> Version check and ipsec on-path                       [OK]
> Libreswan 3.0 (netkey) on 3.1.0-7.fc16.i686.PAE
> Checking for IPsec support in kernel                  [OK]
> NETKEY: Testing XFRM related proc values
>         ICMP default/send_redirects                  [NOT DISABLED]
>
>  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause 
> act on or cause sending of bogus ICMP redirects!
>
>         ICMP default/accept_redirects                [NOT DISABLED]
>
>  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will 
> cause act on or cause sending of bogus ICMP redirects!
>
>         XFRM larval drop                             [OK]
> Pluto ipsec.conf syntax                               [OK]
> Hardware random device                                [N/A]
> Two or more interfaces found, checking IP forwarding    [OK]
> Checking rp_filter                                    [ENABLED]
> /proc/sys/net/ipv4/conf/default/rp_filter            [ENABLED]
> /proc/sys/net/ipv4/conf/p18p1/rp_filter              [ENABLED]
> /proc/sys/net/ipv4/conf/vmnet1/rp_filter             [ENABLED]
> /proc/sys/net/ipv4/conf/vmnet8/rp_filter             [ENABLED]
> /proc/sys/net/ipv4/conf/virbr0/rp_filter             [ENABLED]
> /proc/sys/net/ipv4/conf/virbr0-nic/rp_filter         [ENABLED]
> /proc/sys/net/ipv4/conf/ppp0/rp_filter               [ENABLED]
>  rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running                        [FAILED]
> Checking NAT and MASQUERADEing                        [TEST INCOMPLETE]
> Checking 'ip' command                                 [OK]
> Checking 'iptables' command                           [OK]
> Checking for obsolete ipsec.conf options              [OK]
> Opportunistic Encryption                              [DISABLED]
>
> ipsec verify: encountered 19 errors - see 'man ipsec_verify' for help
>
> On Friday 04 January 2013 07:21:22 PM IST, Philippe Vouters wrote:
>> Dear Elison,
>>
>> If # ipsec addconn --autoall fails, my guess is that you ought to also
>> get the root cause of your problem with this line in bold:
>> [philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec verify
>> Verifying installed system and configuration files
>>
>> Version check and ipsec on-path                         [OK]
>> Libreswan 3.0 (netkey) on 3.6.10-2.fc17.i686
>> Checking for IPsec support in kernel                    [OK]
>>  NETKEY: Testing XFRM related proc values
>>          ICMP default/send_redirects                    [OK]
>>          ICMP default/accept_redirects                  [OK]
>>          XFRM larval drop                               [OK]
>> *Pluto ipsec.conf syntax                                 [OK]*
>> Hardware random device                                  [N/A]
>> Checking rp_filter                                      [OK]
>> Checking that pluto is running                          [OK]
>>  Pluto listening for IKE on udp 500                     [OK]
>>  Pluto listening for IKE on tcp 500                     [NOT IMPLEMENTED]
>>  Pluto listening for IKE/NAT-T on udp 4500              [OK]
>>  Pluto listening for IKE/NAT-T on tcp 4500              [NOT IMPLEMENTED]
>>  Pluto listening for IKE on tcp 10000 (cisco)           [NOT IMPLEMENTED]
>>  Pluto ipsec.secret syntax                              [OK]
>> Checking NAT and MASQUERADEing                          [TEST INCOMPLETE]
>> Checking 'ip' command                                   [OK]
>> Checking 'iptables' command                             [OK]
>> Checking for obsolete ipsec.conf options                [OK]
>> Opportunistic Encryption [DISABLED]
>>
>> Philippe Vouters (Fontainebleau/France)
>> URL:http://vouters.dyndns.org/
>> SIP:sip:Vouters at sip.linphone.org
>> Le 04/01/2013 14:31, Philippe Vouters a écrit :
>>> Dear Elison,
>>>
>>> I queried Google with "systemctl status=203/EXEC" which is the pluto
>>> exit code you report us and found this discussion at
>>> http://forums.fedoraforum.org/showthread.php?t=272075 This is
>>> specific to Fedora 16 but my guess is that it can also apply to
>>> Fedora 17.
>>>
>>> It happens that the pluto code forks and exec's "addconn --autoall".
>>> From a root account or sudo'ing, can you also perform:
>>> # ipsec addconn --autoall
>>> # echo $?
>>> On my side:
>>> [philippe at victor libreswan-3.0]$ sudo /usr/local/sbin/ipsec addconn --autoall
>>> 002 "roadwarrior-l2tp-updatedwin": deleting connection
>>> 002 added connection description "roadwarrior-l2tp-updatedwin"
>>> 002 "roadwarrior-l2tp": deleting connection
>>> 002 added connection description "roadwarrior-l2tp"
>>> 002 "macintosh-l2tp": deleting connection
>>> 002 added connection description "macintosh-l2tp"
>>> 002 "roadwarrior": deleting connection
>>> 002 added connection description "roadwarrior"
>>> [philippe at victor libreswan-3.0]$ echo $?
>>> 0
>>>
>>> You may as well check your /var/log/secure so that we can get more
>>> information on the pluto failure.
>>>
>>> Yours truly,
>>> Philippe Vouters (Fontainebleau/France)
>>> URL:http://vouters.dyndns.org/
>>> SIP:sip:Vouters at sip.linphone.org
>>> Le 04/01/2013 14:07, Philippe Vouters a écrit :
>>>> Dear Elison,
>>>>
>>>> pluto fails to correctly start on your side on:
>>>>  /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>> whack failing on stop is just a consequence.
>>>>
>>>> Because $PLUTO_OPTIONS comes from:
>>>> EnvironmentFile=-/etc/sysconfig/pluto
>>>>
>>>> can you $ cat /etc/sysconfig/pluto
>>>>
>>>> $ export PLUTO_OPTIONS=<the right side of the assignment in your
>>>> PLUTO_OPTIONS in your /etc/sysconfig/pluto file>
>>>>
>>>> and manually perform:
>>>>
>>>> /usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>>
>>>> from a root account ????
>>>>
>>>> You provide us the output of what you did and read.
>>>> Thank you so much in advance.
>>>> Philippe Vouters (Fontainebleau/France)
>>>> URL:http://vouters.dyndns.org/
>>>> SIP:sip:Vouters at sip.linphone.org
>>>> Le 04/01/2013 13:22, Elison Niven a écrit :
>>>>> SELinux is disabled.
>>>>> $ getenforce
>>>>> Disabled
>>>>> $ ls /etc/rc.d/init.d/ipsec*
>>>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>>>>
>>>>> Thanks.
>>>>>
>>>>> On Friday 04 January 2013 05:35 PM, Philippe Vouters wrote:
>>>>>> Dear Elison,
>>>>>>
>>>>>> I am running Fedora 17 i686 with SELinux policy set to permissive. I
>>>>>> just downloaded https://download.libreswan.org/libreswan-3.0.tar.gz
>>>>>> and performed the following commands from my user account:
>>>>>>
>>>>>> $ sudo yum remove libreswan
>>>>>> $ sudo mv /etc/ipsec.conf.rpmsave /etc/ipsec.conf
>>>>>> $ tar -zxvf download/libreswan-3.0.tar.gz
>>>>>> $ cd libreswan-3.0/
>>>>>> $ make programs
>>>>>> $ sudo make install
>>>>>> $ sudo systemctl start ipsec.service
>>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for 
>>>>>> IPsec
>>>>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service;
>>>>>> disabled)
>>>>>>            Active: active (running) since Fri, 04 Jan 2013 12:42:54
>>>>>> +0100; 14s ago
>>>>>>           Process: 2154
>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>> (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>>          Main PID: 2215 (sh)
>>>>>>            CGroup: name=systemd:/system/ipsec.service
>>>>>>                     2215 /usr/bin/sh -c eval
>>>>>> `/usr/local/libexec/ipsec/plut...
>>>>>>                     2216 /usr/bin/sh -c eval
>>>>>> `/usr/local/libexec/ipsec/plut...
>>>>>>                     2217 /usr/local/libexec/ipsec/pluto --config
>>>>>> /etc/ipsec...
>>>>>>                     2242 _pluto_adns
>>>>>>
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> find_host_pair_conn ...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: added
>>>>>> connection
>>>>>> descr...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: | reaped
>>>>>> addconn
>>>>>> helpe...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> connect_to_host_pair...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> find_host_pair:
>>>>>> comp...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> connect_to_host_pair...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> find_host_pair:
>>>>>> comp...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> connect_to_host_pair...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> find_host_pair:
>>>>>> comp...
>>>>>> Jan 04 12:42:56 victor.vouters.dyndns.org pluto[2217]: |
>>>>>> connect_to_host_pair...
>>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl stop ipsec.service
>>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for 
>>>>>> IPsec
>>>>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service;
>>>>>> disabled)
>>>>>>            Active: inactive (dead) since Fri, 04 Jan 2013 12:50:26
>>>>>> +0100; 2s ago
>>>>>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack
>>>>>> --shutdown
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2215 ExecStart=/usr/bin/sh -c eval
>>>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>>>> $PLUTO_OPTIONS` (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2154
>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>> (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>>           Process: 2150 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>>            CGroup: name=systemd:/system/ipsec.service
>>>>>>
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: shutting down
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>>> connectio...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: 
>>>>>> "roadwarrior":
>>>>>> deletin...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>>> connectio...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>>>> "macintosh-l2tp":
>>>>>> dele...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>>> connectio...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>>>> "roadwarrior-l2tp": de...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | processing
>>>>>> connectio...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]:
>>>>>> "roadwarrior-l2tp-upda...
>>>>>> Jan 04 12:50:26 victor.vouters.dyndns.org pluto[2217]: | crl fetch
>>>>>> request li...
>>>>>>
>>>>>> So would it happen you still have /etc/rc.d/init.d/ipsec* ?
>>>>>> On my side:
>>>>>> [philippe at victor libreswan-3.0]$ ls /etc/rc.d/init.d/ipsec*
>>>>>> ls: cannot access /etc/rc.d/init.d/ipsec*: No such file or directory
>>>>>> Would it also happen but it looks at first glance unlikely that you are
>>>>>> facing some SELinux issue ?
>>>>>> Can you give us the output of the following:
>>>>>> [philippe at victor libreswan-3.0]$ sudo getenforce
>>>>>> Permissive
>>>>>> If getenforce returns Enforcing, can you perform the following
>>>>>> commands:
>>>>>> [philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/sbin -Rv
>>>>>> [philippe at victor libreswan-3.0]$ sudo restorecon /usr/local/libexec/ipsec -Rv
>>>>>> [philippe at victor libreswan-3.0]$
>>>>>>
>>>>>> Once the above points clean,
>>>>>>
>>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl --system daemon-reload
>>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl restart ipsec.service
>>>>>> [philippe at victor libreswan-3.0]$ sudo systemctl status ipsec.service
>>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for 
>>>>>> IPsec
>>>>>>            Loaded: loaded (/usr/lib/systemd/system/ipsec.service;
>>>>>> disabled)
>>>>>>            Active: active (running) since Fri, 04 Jan 2013 12:58:55
>>>>>> +0100; 6s ago
>>>>>>           Process: 2580 ExecStopPost=/sbin/ip xfrm state flush
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2576 ExecStopPost=/sbin/ip xfrm policy flush
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2572 ExecStop=/usr/local/sbin/ipsec whack
>>>>>> --shutdown
>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>           Process: 2947
>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>> (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>>           Process: 2942 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>>> status=0/SUCCESS)
>>>>>>          Main PID: 3011 (sh)
>>>>>>            CGroup: name=systemd:/system/ipsec.service
>>>>>>                     3011 /usr/bin/sh -c eval
>>>>>> `/usr/local/libexec/ipsec/plut...
>>>>>>                     3012 /usr/bin/sh -c eval
>>>>>> `/usr/local/libexec/ipsec/plut...
>>>>>>                     3013 /usr/local/libexec/ipsec/pluto --config
>>>>>> /etc/ipsec...
>>>>>>                     3038 _pluto_adns
>>>>>>
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> find_host_pair_conn ...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: added
>>>>>> connection
>>>>>> descr...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: | reaped
>>>>>> addconn
>>>>>> helpe...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> connect_to_host_pair...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> find_host_pair:
>>>>>> comp...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> connect_to_host_pair...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> find_host_pair:
>>>>>> comp...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> connect_to_host_pair...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> find_host_pair:
>>>>>> comp...
>>>>>> Jan 04 12:58:56 victor.vouters.dyndns.org pluto[3013]: |
>>>>>> connect_to_host_pair...
>>>>>>
>>>>>> Thank you so much in advance to keep us informed.
>>>>>> Best regards,
>>>>>>
>>>>>> Philippe Vouters (Fontainebleau/France)
>>>>>> URL: http://vouters.dyndns.org/
>>>>>> SIP: sip:Vouters at sip.linphone.org
>>>>>>
>>>>>> Le 04/01/2013 10:51, Elison Niven a écrit :
>>>>>>> Hi,
>>>>>>>
>>>>>>> I downloaded libreswan and installed from source on Fedora 16.
>>>>>>> # Install dependencies
>>>>>>> $ yum install unbound-devel libcap-ng-devel xmto
>>>>>>>
>>>>>>> # Remove openswan, racoon
>>>>>>> $ yum remove openswan ipsec-tools
>>>>>>>
>>>>>>> # Make and install libreswan
>>>>>>> # make programs
>>>>>>> $ make install
>>>>>>>
>>>>>>> $ systemctl --system daemon-reload
>>>>>>> $ systemctl enable ipsec.service
>>>>>>> $ service ipsec start
>>>>>>> Redirecting to /bin/systemctl  start ipsec.service
>>>>>>>
>>>>>>> $ service ipsec status
>>>>>>> Redirecting to /bin/systemctl  status ipsec.service
>>>>>>> ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for
>>>>>>> IPsec
>>>>>>>       Loaded: loaded (/lib/systemd/system/ipsec.service; enabled)
>>>>>>>       Active: failed since Fri, 04 Jan 2013 15:11:52 +0530; 2s ago
>>>>>>>      Process: 13445 ExecStopPost=/sbin/ip xfrm state flush
>>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>>      Process: 13443 ExecStopPost=/sbin/ip xfrm policy flush
>>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>>      Process: 13440 ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>>>>> (code=exited, status=1/FAILURE)
>>>>>>>      Process: 13438 ExecStart=/usr/bin/sh -c eval
>>>>>>> `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
>>>>>>> $PLUTO_OPTIONS` (code=exited, status=203/EXEC)
>>>>>>>      Process: 13379
>>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>>> (code=exited, status=0/SUCCESS)
>>>>>>>      Process: 13376 ExecStartPre=/usr/local/sbin/ipsec addconn
>>>>>>> --config /etc/ipsec.conf --checkconfig (code=exited,
>>>>>>> status=0/SUCCESS)
>>>>>>>       CGroup: name=systemd:/system/ipsec.service
>>>>>>>
>>>>>>>
>>>>>>> I can start pluto manually by executing the commands in the systemd
>>>>>>> unit file marked for ExecStartPre and ExecStart.
>>>>>>>
>>>>>>> $ cat /etc/systemd/system/multi-user.target.wants/ipsec.service
>>>>>>> [Unit]
>>>>>>> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>>>>> After=syslog.target
>>>>>>> After=network.target
>>>>>>> #After=remote-fs.target
>>>>>>>
>>>>>>> [Service]
>>>>>>> Type=simple
>>>>>>> Restart=always
>>>>>>> EnvironmentFile=-/etc/sysconfig/pluto
>>>>>>> #Environment=IPSEC_LIBDIR=/usr/local/libexec/ipsec
>>>>>>> #Environment=IPSEC_SBINDIR=/usr/local/sbin
>>>>>>> #Environment=IPSEC_EXECDIR=/usr/local/libexec/ipsec/ipsec
>>>>>>> #PIDFile=/var/run/pluto/pluto.pid
>>>>>>> #
>>>>>>> ExecStartPre=/usr/local/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
>>>>>>> ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start
>>>>>>> ExecStart=/usr/bin/sh -c 'eval `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
>>>>>>> ExecStop=/usr/local/sbin/ipsec whack --shutdown
>>>>>>> ExecStopPost=/sbin/ip xfrm policy flush
>>>>>>> ExecStopPost=/sbin/ip xfrm state flush
>>>>>>> ExecReload=/usr/local/sbin/ipsec whack --listen
>>>>>>>
>>>>>>> [Install]
>>>>>>> WantedBy=multi-user.target
>>>>>>> Alias=syslog.service
>>>>>>>
>>>>>>> Any help?
>>>>>>>
> -- 
> Best Regards,
> Elison Niven
>
>
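
The sysctl.conf at the top of this message sets only the `default` entries, while the quoted `ipsec verify` output reports rp_filter as enabled on individual interfaces. The following is an added example, not part of the original thread or of libreswan: a shell function that lists every per-interface rp_filter, send_redirects and accept_redirects value that is still non-zero. The `eth0` sample tree is constructed for the demo; call the function with no argument to read the live /proc/sys/net/ipv4.

```shell
#!/bin/sh
# Added example: audit the per-interface sysctls that `ipsec verify` flags.
# ROOT defaults to the live kernel tree; pass another directory to run offline.

# Print one "iface/key=value" line for every setting that is still non-zero.
audit_ipsec_sysctl() {
    root=${1:-/proc/sys/net/ipv4}
    for dir in "$root"/conf/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        for key in rp_filter send_redirects accept_redirects; do
            file="$dir$key"
            [ -r "$file" ] || continue
            value=$(cat "$file")
            [ "$value" = "0" ] || printf '%s/%s=%s\n' "$iface" "$key" "$value"
        done
    done
}

# Count the offending settings (0 means the tree passes these three checks).
count_ipsec_sysctl_findings() {
    audit_ipsec_sysctl "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: "default" is zeroed as in the sysctl.conf above,
# while "all" and an existing interface (hypothetical eth0) keep the value 1.
build_sample_tree() {
    tree=$(mktemp -d)
    for iface in all default eth0; do
        mkdir -p "$tree/conf/$iface"
        for key in rp_filter send_redirects accept_redirects; do
            echo 1 > "$tree/conf/$iface/$key"
        done
    done
    for key in rp_filter send_redirects accept_redirects; do
        echo 0 > "$tree/conf/default/$key"
    done
    echo "$tree"
}

# Demo on the constructed tree: "all" and "eth0" are reported, "default" is not.
demo=$(build_sample_tree)
audit_ipsec_sysctl "$demo"
rm -rf "$demo"
```
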
