[Swan] Ipsec auto --up

Paul Wouters paul at nohats.ca
Thu Dec 3 17:55:20 UTC 2015


On Thu, 3 Dec 2015, John Crisp wrote:

> Been trying to script some of the functionality in ipsec to run on SME
> server but have been struggling with one particular issue to do with
> ipsec auto --up
>
>
> I can run the following without problems ($ipsecprop is the name of the
> connection):
>
> system("/usr/sbin/ipsec auto --replace $ipsecprop");
>
> But if I try the following my script hangs if it cannot bring up a
> connection :
>
> system("/usr/sbin/ipsec auto --up $ipsecprop");

You can try:

system("/usr/sbin/ipsec auto --asynchronous --up $ipsecprop");

but you will not get any reporting on the command line (but it will be
in the logs)

> At the console if I run
> ipsec auto --replace
>
> I get this at the console, and an immediate exit :
>
> [root at test ~]# ipsec auto --replace TestToRemote
> 002 "TestToRemote": deleting connection
> 002 "TestToRemote" #8: deleting state #8 (STATE_MAIN_I1)
> 002 added connection description "TestToRemote"
>
> If I use it in the perl script it works perfectly.
>
>
> If I try this from the console I get an immediate exit :
>
>
> [root at test ~]# ipsec auto --add TestToRemote
> 002 "TestToRemote": deleting connection
> 002 "TestToRemote" #20: deleting state #20 (STATE_MAIN_I1)
> 002 added connection description "TestToRemote"
>
>
> But if I use it in a script, the script hangs when a connection cannot
> be made. It also logs the first few lines of the connection attempt to
> the system log :

We did fix a bug that caused add or replace to take a very long time to
fail. Can you try 3.16rc2 from download.libreswan.org/development/ ?

> It then carries on logging in pluto.log but my perl script is just hung
> there.

I wonder if there is a leaking filedescriptor somewhere....

> What I don't understand is why --replace works and --add doesn't.

That is very strange because if you look in programs/auto/auto.in you
can see that "add" and "replace" are actually both eaten up when it
calls addconn. There cannot be a difference in behaviour between the
two. (addconn implicitly treats add as replace)

Paul
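One way to keep a Perl wrapper from hanging indefinitely on `ipsec auto --up` while still capturing what the command prints, added here as an example and not code from the thread or from libreswan. It forks the command with its stdout and stderr on a pipe, reads until EOF under an `alarm` timeout, and kills the child if the deadline passes. The 30-second limit and the `run_with_timeout` helper name are assumptions; the connection name `TestToRemote` is the one used in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run @cmd with a wall-clock limit of $timeout seconds.
# Returns (exit_status, captured_output). exit_status is undef when the
# command was killed for exceeding the timeout.
sub run_with_timeout {
    my ($timeout, @cmd) = @_;
    my $output = '';

    pipe(my $reader, my $writer) or die "pipe: $!";
    my $pid = fork();
    die "fork: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: send stdout and stderr into the pipe, then run the command.
        close $reader;
        open(STDOUT, '>&', $writer) or die "dup stdout: $!";
        open(STDERR, '>&', $writer) or die "dup stderr: $!";
        exec @cmd or die "exec @cmd: $!";
    }

    # Parent: read until EOF, but give up after $timeout seconds. A read that
    # never reaches EOF (for example because a descendant process still holds
    # the write end of the pipe) is exactly the hang the alarm guards against.
    close $writer;
    my $timed_out = 0;
    eval {
        local $SIG{ALRM} = sub { die "timeout\n" };
        alarm $timeout;
        local $/;                 # slurp mode
        $output = <$reader> // '';
        alarm 0;
    };
    if ($@) {
        die $@ unless $@ eq "timeout\n";
        $timed_out = 1;
        kill 'TERM', $pid;        # stop the stuck child so waitpid returns
    }
    close $reader;
    waitpid($pid, 0);
    return ($timed_out ? undef : ($? >> 8), $output);
}

my $conn = 'TestToRemote';
my ($status, $out) = run_with_timeout(30, '/usr/sbin/ipsec', 'auto', '--up', $conn);
if (!defined $status) {
    print "ipsec auto --up $conn did not finish within 30s; see pluto.log\n";
} else {
    print "ipsec auto --up $conn exited with status $status\n";
    print $out;
}
```

Passing the command as a list to `exec` rather than as one interpolated string also means the connection name is never parsed by a shell, which matters when `$ipsecprop` comes from configuration a script did not generate itself. If the command is killed for timing out, the negotiation may still be running inside pluto, so pluto.log remains the place to look for the outcome, as the reply above notes for the `--asynchronous` variant.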

