[Swan] Ipsec auto --up

John Crisp jcrisp at safeandsoundit.co.uk
Thu Dec 3 17:45:25 UTC 2015


Been trying to script some of the functionality in ipsec to run on SME
server but have been struggling with one particular issue to do with
ipsec auto --up


I can run the following without problems ($ipsecprop is the name of the
connection):

system("/usr/sbin/ipsec auto --replace $ipsecprop");

But if I try the following, my script hangs if it cannot bring up a
connection:

system("/usr/sbin/ipsec auto --up $ipsecprop");

The SME system pushes all logging from the perl commands to the system
log rather than the console, as 'events', i.e. my perl scripts are
designed to be triggered from a web panel.

At the console if I run
ipsec auto --replace

I get this at the console, and an immediate exit:

[root at test ~]# ipsec auto --replace TestToRemote
002 "TestToRemote": deleting connection
002 "TestToRemote" #8: deleting state #8 (STATE_MAIN_I1)
002 added connection description "TestToRemote"

If I use it in the perl script it works perfectly.


If I try this from the console I get an immediate exit:


[root at test ~]# ipsec auto --add TestToRemote
002 "TestToRemote": deleting connection
002 "TestToRemote" #20: deleting state #20 (STATE_MAIN_I1)
002 added connection description "TestToRemote"


But if I use it in a script, the script hangs when a connection cannot
be made. It also logs the first few lines of the connection attempt to
the system log:

Dec  3 18:36:14 test esmith::event[16024]: Ipsec Information - En- En -
Auto Up TestToRemote
Dec  3 18:36:14 test esmith::event[16024]: 002 "TestToRemote" #7:
initiating Main Mode
Dec  3 18:36:14 test esmith::event[16024]: 104 "TestToRemote" #7:
STATE_MAIN_I1: initiate
Dec  3 18:36:14 test esmith::event[16024]: 003 "TestToRemote" #7:
received Vendor ID payload [Dead Peer Detection]
Dec  3 18:36:14 test esmith::event[16024]: 003 "TestToRemote" #7:
received Vendor ID payload [FRAGMENTATION]
Dec  3 18:36:14 test esmith::event[16024]: 003 "TestToRemote" #7:
received Vendor ID payload [RFC 3947]
Dec  3 18:36:14 test esmith::event[16024]: 003 "TestToRemote" #7: Can't
authenticate: no preshared key found for `@Testbox' and `@Remote'.
Attribute OAKLEY_AUTHENTICATION_METHOD
Dec  3 18:36:14 test esmith::event[16024]: 003 "TestToRemote" #7: no
acceptable Oakley Transform
Dec  3 18:36:14 test esmith::event[16024]: 214 "TestToRemote" #7:
STATE_MAIN_I1: NO_PROPOSAL_CHOSEN
Dec  3 18:36:14 test esmith::event[16024]: 002 "TestToRemote" #7:
sending notification NO_PROPOSAL_CHOSEN to 203.206.105.123:500


It then carries on logging in pluto.log but my perl script is just hung
there.

What I don't understand is why --replace works and --add doesn't.

On the CLI both seem to fire off and terminate regardless of what
happens to the connection, but not in the script.

I have also tried ipsec whack --initiate --name TestToRemote but this
suffers the same issue.

Any help gratefully appreciated.

B. Rgds
John
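The following is an added example of how the --up step described above can be driven from an event script without the script blocking; it is not code from the original post or from libreswan. It assumes the /usr/sbin/ipsec path used in the post, a 20 second timeout, and a deliberately narrow character set for connection names (since in this setup the name arrives from a web panel, it is validated and passed to ipsec in list form so no shell ever re-parses it). The --asynchronous option, which makes ipsec auto --up / whack --initiate return as soon as pluto has been asked to initiate instead of waiting for the negotiation to finish or retry, is documented in the libreswan auto(8) and whack(8) manpages; the alarm-based timeout around the call is a fallback of this example's own, so a blocked whack can still be killed and reaped.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from libreswan.
# Bring up a libreswan connection from an event script without the script
# hanging if the peer never answers or rejects the proposal.
use strict;
use warnings;

my $IPSEC   = '/usr/sbin/ipsec';   # assumed path, as in the post
my $TIMEOUT = 20;                  # assumed: seconds before we give up waiting

# Run @cmd in a child with a hard timeout.  Returns the child's exit code,
# or -1 if it had to be killed because it ran longer than $timeout seconds.
# List-form exec avoids the shell, so the arguments are never re-parsed.
sub run_with_timeout {
    my ($timeout, @cmd) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        exec { $cmd[0] } @cmd;
        die "exec $cmd[0] failed: $!";
    }
    my $rc;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        waitpid($pid, 0);
        $rc = $? >> 8;
        alarm 0;
    };
    if ($@) {
        die $@ unless $@ eq "timeout\n";
        kill 'TERM', $pid;      # whack is still blocked waiting on pluto
        waitpid($pid, 0);       # reap it so we leave no zombie
        return -1;
    }
    return $rc;
}

# Connection names come from a web panel in this setup, so accept only the
# characters a conn name in ipsec.conf would reasonably contain (assumed
# policy) before they go anywhere near a command line.
sub valid_conn_name {
    my ($name) = @_;
    return (defined $name && $name =~ /\A[A-Za-z0-9_.-]+\z/) ? 1 : 0;
}

sub ipsec_up {
    my ($conn) = @_;
    die "refusing suspicious connection name\n" unless valid_conn_name($conn);

    # Re-read the conn from ipsec.conf; this returns promptly, as in the post.
    my $rc = run_with_timeout($TIMEOUT, $IPSEC, 'auto', '--replace', $conn);
    return $rc if $rc != 0;

    # --asynchronous tells whack not to wait for the negotiation to finish,
    # so the call returns as soon as pluto has been told to initiate.  The
    # outcome (or the retries) shows up in pluto.log / syslog, not here.
    # The timeout is only a fallback in case whack blocks anyway.
    return run_with_timeout($TIMEOUT, $IPSEC, 'auto', '--asynchronous', '--up', $conn);
}

# Usage from an event script: exit non-zero so the event framework logs failure.
if (@ARGV) {
    my $rc = ipsec_up($ARGV[0]);
    print STDERR ($rc == -1 ? "timed out\n" : "ipsec exit status $rc\n");
    exit($rc == 0 ? 0 : 1);
}
```

Because the --up call now returns before the tunnel is up, a script that needs to know whether the negotiation actually succeeded has to look at pluto.log or at ipsec auto --status afterwards rather than at the exit code of this call.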
