[Swan] adding ipsec clients requiring reboot

Paul Wouters paul at nohats.ca
Thu Dec 11 15:33:22 EET 2014


On Thu, 11 Dec 2014, Ted Toth wrote:

> This is actually an openswan RHEL6 question but hopefully the answer
> will also apply to libreswan.

It should. But also note that libreswan is available in EPEL6 as well,
although not supported by Red Hat for RHEL6 at this moment.

> We have a script to add a ipsec client
> to our server which creates ${REMOTE_HOSTNAME}.conf (conn
> ${REMOTE_HOSTNAME}) and ${REMOTE_HOSTNAME}.secrets in /etc/ipsec.d and
> then does:
> ipsec auto --add ${REMOTE_HOSTNAME}
> ipsec auto --asynchronous --up ${REMOTE_HOSTNAME}
>
> On the client we do the mirror using the server hostname. However the
> connection doesn't work unless we reboot both ends. What are the steps
> and their order required to add a client without having to reboot?

If you change the *.conf and *.secrets files and manually run:

ipsec auto --add

on both sides and then run:

ipsec auto --up

on one side it should work. If you also added an IP address to the
machine that is used in such a new config, before --up you should
run: ipsec whack --listen

If that is not working for you, it is a bug (and possibly we need
more info to try and actually reproduce it).

Paul
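As an added example (not code from the thread or from the libreswan project), the steps in the reply above folded into the kind of add-a-client script the question describes, as a POSIX shell function. The function name, the `IPSEC_CMD` and `IPSEC_CONF_DIR` knobs, and the minimal PSK-only conn are assumptions of mine; the command order (--add on both ends, whack --listen only when a new local address is involved, --up from one end) is the one given in the reply.

```shell
#!/bin/sh
# Added example: add an IPsec peer to a running pluto without a reboot.
# IPSEC_CMD / IPSEC_CONF_DIR are hypothetical overrides so the function
# can be exercised outside /etc; the defaults are the real locations.
set -eu

IPSEC_CMD="${IPSEC_CMD:-ipsec}"
IPSEC_CONF_DIR="${IPSEC_CONF_DIR:-/etc/ipsec.d}"

# add_ipsec_peer NAME LOCAL_IP REMOTE_IP PSK INITIATE NEW_LOCAL_IP
#   INITIATE=1     run --up from this end (only one end should do this)
#   NEW_LOCAL_IP=1 LOCAL_IP was just added to this host, so pluto has to
#                  re-scan its interfaces before the --up
add_ipsec_peer() {
    name=$1; local_ip=$2; remote_ip=$3; psk=$4; initiate=$5; new_ip=$6
    conf="$IPSEC_CONF_DIR/$name.conf"
    secrets="$IPSEC_CONF_DIR/$name.secrets"

    # 1. write the conn and its pre-shared key (constructed, minimal conn)
    cat > "$conf" <<EOF
conn $name
    left=$local_ip
    right=$remote_ip
    authby=secret
    auto=add
EOF
    printf '%s %s : PSK "%s"\n' "$local_ip" "$remote_ip" "$psk" > "$secrets"
    chmod 600 "$secrets"   # the PSK must not be world-readable

    # 2. load the conn into the running pluto (do this on BOTH ends)
    "$IPSEC_CMD" auto --add "$name"

    # 3. if a newly added local address is used, make pluto listen on it
    [ "$new_ip" = 1 ] && "$IPSEC_CMD" whack --listen

    # 4. bring the tunnel up from ONE end only
    [ "$initiate" = 1 ] && "$IPSEC_CMD" auto --asynchronous --up "$name"
    return 0
}

# Server:  add_ipsec_peer "$REMOTE_HOSTNAME" 192.0.2.1 198.51.100.2 "$PSK" 1 0
# Client:  same call with the two addresses swapped and INITIATE=0
```

The client side runs the same function with left/right swapped and INITIATE=0, so the secrets line matches on both ends and only the server issues --up.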

