[Swan] Problem with SAupdate when SA does not exist in the kernel

Philippe Vouters philippe.vouters at laposte.net
Thu Sep 12 14:08:47 EEST 2013


Dear Mattias,

I give my first answer not knowing whether this is fully applicable to 
your case. What I can say with my Unix/Linux experience is that a kill 
-9 (alias SIGKILL) is a brutal untrappable signal to use when everything 
else has failed. In no case SIGKILL causes a clean exit. I have not yet 
checked Libreswan source to best advise you, but you may rather attempt 
a SIGTERM (kill -TERM) or SIGQUIT (kill -QUIT) which are more often 
appropriate and trapped by most software. SIGTERM and SIGQUIT signals 
are commonly trapped by Unix/Linux software and cause them to cleanly exit.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org

On 09/12/2013 12:18 PM, Mattias Walström wrote:
> Hi!
> I have discovered a problem with a non-clean restart of the responder, 
> I have 14 tunnels configured between one initiator and one responder. 
> When I do a "killall -9 pluto" on the responder, it will force pluto 
> to exit, without closing the connection. When pluto starts again I 
> will get an error on the initiator for some of the tunnels (one to 
> three tunnels will not come back up at all):
>
> Jan  5 16:46:50 i pluto[2593]: | setup_half_ipsec_sa() hit fail:
> Jan  5 16:46:50 i pluto[2593]: "ipsec7" #23: ERROR: netlink response 
> for Add SA esp.17d54247 at 198.18.106.2 included errno 3: No such process
>
> To solve this I have made sure that update will not fail even if there 
> has been a problem adding the SA, but I am unsure if this is a proper 
> solution.
>
> I have seen the same problem for both libreswan 3.5 and openswan 
> 2.6.38, but I have only tested to patch for openswan.
>
> Regards
> Mattias
>
> Index: openswan-2.6.38/programs/pluto/kernel_netlink.c
> ===================================================================
> --- openswan-2.6.38.orig/programs/pluto/kernel_netlink.c 2013-09-12 
> 11:35:45.853061103 +0200
> +++ openswan-2.6.38/programs/pluto/kernel_netlink.c    2013-09-12 
> 12:09:50.948600196 +0200
> @@ -393,6 +393,7 @@
>          , description, text_said
>          , -rsp.e.error
>          , strerror(-rsp.e.error));
> +    errno = -rsp.e.error;
>      return FALSE;
>      }
>
> @@ -794,6 +795,7 @@
>      } req;
>      struct rtattr *attr;
>      struct aead_alg *aead;
> +    int ret;
>
>      memset(&req, 0, sizeof(req));
>      req.n.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
> @@ -990,8 +992,11 @@
>          attr = (struct rtattr *)((char *)attr + attr->rta_len);
>     }
>  #endif
> +    ret = send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
> +    if (ret == FALSE && errno == ESRCH && req.n.nlmsg_type == 
> XFRM_MSG_UPDSA)
> +        return netlink_add_sa(sa, 0);
>
> -    return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
> +    return ret;
>  }
>
>  /** netlink_del_sa - Delete an SA from the Kernel
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
>



More information about the Swan mailing list