[Swan] yum update to libreswan-3.12-5.el7.x86_64

David M da3bobots at gmail.com
Thu Apr 30 16:31:36 EEST 2015

Thanks Paul.

My tunnels are auto=start but the connection did not come back by itself.
This is where my ipsec.log sat until I rebooted the host (didn't try just
restarting ipsec).

2015-04-30T13:00:24.416058+00:00 vpnhost pluto[27203]: nss directory
plutomain: /etc/ipsec.d
2015-04-30T13:00:24.465400+00:00 vpnhost pluto[27203]: NSS Initialized
2015-04-30T13:00:24.465843+00:00 vpnhost pluto[27203]: libcap-ng support
2015-04-30T13:00:24.544242+00:00 vpnhost pluto[27203]: FIPS HMAC integrity
verification test passed
2015-04-30T13:00:24.544672+00:00 vpnhost pluto[27203]: FIPS: pluto daemon
NOT running in FIPS mode
2015-04-30T13:00:24.545061+00:00 vpnhost pluto[27203]: Linux audit support
2015-04-30T13:00:24.545633+00:00 vpnhost pluto[27203]: Linux audit activated
2015-04-30T13:00:24.546025+00:00 vpnhost pluto[27203]: Starting Pluto
(Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK
CURL(non-NSS) LDAP(non-NSS)) pid:27203
2015-04-30T13:00:24.546416+00:00 vpnhost pluto[27203]: core dump dir:
2015-04-30T13:00:24.546772+00:00 vpnhost pluto[27203]: secrets file:
2015-04-30T13:00:24.547144+00:00 vpnhost pluto[27203]: leak-detective
2015-04-30T13:00:24.547532+00:00 vpnhost pluto[27203]: SAref support
[disabled]: Protocol not available
2015-04-30T13:00:24.547898+00:00 vpnhost pluto[27203]: SAbind support
[disabled]: Protocol not available
2015-04-30T13:00:24.548320+00:00 vpnhost pluto[27203]: NSS crypto [enabled]
2015-04-30T13:00:24.549756+00:00 vpnhost pluto[27203]: XAUTH PAM support
2015-04-30T13:00:24.550121+00:00 vpnhost pluto[27203]: NAT-Traversal
support  [enabled]
2015-04-30T13:00:24.550513+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
2015-04-30T13:00:24.550894+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
2015-04-30T13:00:24.551292+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
2015-04-30T13:00:24.551644+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
2015-04-30T13:00:24.551992+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok
2015-04-30T13:00:24.552392+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok
2015-04-30T13:00:24.552782+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok
2015-04-30T13:00:24.553153+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok
2015-04-30T13:00:24.553527+00:00 vpnhost pluto[27203]:
ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
2015-04-30T13:00:24.554358+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok
2015-04-30T13:00:24.554755+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
2015-04-30T13:00:24.555121+00:00 vpnhost pluto[27203]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
2015-04-30T13:00:24.555540+00:00 vpnhost pluto[27203]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
2015-04-30T13:00:24.555925+00:00 vpnhost pluto[27203]:
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
2015-04-30T13:00:24.556352+00:00 vpnhost pluto[27203]: starting up 1 crypto
2015-04-30T13:00:24.556735+00:00 vpnhost pluto[27203]: started thread for
crypto helper 0 (master fd 6)
2015-04-30T13:00:24.557117+00:00 vpnhost pluto[27203]: Using Linux
XFRM/NETKEY IPsec interface code on 3.10.0-123.20.1.el7.x86_64
2015-04-30T13:00:24.557512+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating aes_ccm_8: Ok
2015-04-30T13:00:24.557904+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating aes_ccm_12: Ok
2015-04-30T13:00:24.558291+00:00 vpnhost pluto[27203]:
ike_alg_register_enc(): Activating aes_ccm_16: Ok
2015-04-30T13:00:24.587885+00:00 vpnhost pluto[27203]: | selinux support is
NOT enabled.
2015-04-30T13:00:25.093206+00:00 vpnhost pluto[1047]: ADNS process
terminated by signal 15

On Thu, Apr 30, 2015 at 8:24 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Thu, 30 Apr 2015, David M wrote:
>  I did a yum update on a CentOS 7 host running libreswan and my tunnel was
>> terminated at this part of the process:
>> Cleanup    : libreswan-3.8-6.el7_0.x86_64
>>                             247/453
>> I accessed the remote console and rebooted to complete the process and my
>> tunnels are working again.
>> I don't recall this happening with previous updates.
>> Is this expected behavior?
> Unfortunately, when we restart we cannot save & restore the current
> tunnels. So a daemon restart will lose all existing tunnel state. But if
> your tunnels are auto=start, those should come back up automatically.
> Road warriors will have to reconnect on their own.
> In the future, we would like to be able to save & restore the state,
> also so we can save and send over the state to a failover instance.
> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20150430/b4ad493e/attachment.html>

More information about the Swan mailing list