[Swan] Libreswan and DHCP

Tony Whyman tony.whyman at mccallumwhyman.com
Thu Dec 10 11:12:29 UTC 2015


The thread on converting from Openswan to Libreswan reminded me of the 
following script that I have added to all my Ubuntu systems which use 
DHCP rather than static IP addresses. The script is installed as:

/etc/network/if-up.d/ipsec

and seems to be necessary for pluto to recognise a change to the local 
IP Address. This may be a bug in pluto or perhaps it is just good 
practice to have such a script. I started installing this script with 
Openswan and it still seems necessary with Libreswan (1.15). Without it 
there seems to be a race condition on startup with pluto sometimes 
failing to pick the external interface, especially if DHCP is a bit 
slow. The script is essential when I am using a laptop and moving 
between WiFi networks.

To see the impact of the script, start the system with the network 
disconnected and use

netstat -uln|grep ':500'

to see which interfaces pluto is listening on. Then connect the network 
and once the IP Address is assigned, run the above again. Without the 
script there is no change to the interfaces that pluto is listening on. 
With the script, pluto will have picked up the new IP Address. It's a 
pity a full restart is necessary, but I can't seem to find any other way 
to get pluto to update its attachments.

Tony Whyman
MWA


#! /bin/sh
# Restart ipsec service (libreswan) when an interface comes up, to allow it to know
# about new interfaces

set -e

# Don't bother to restart libreswan when lo is configured.
if [ "$IFACE" = lo ]; then
   exit 0
fi

# Only run from ifup.
if [ "$MODE" != start ]; then
   exit 0
fi

# Is /usr mounted?
if [ ! -e /usr/sbin/ipsec ]; then
   exit 0
fi

if [ ! -f /var/run/pluto/pluto.pid ] || \
    [ "$(ps -p "$(cat /var/run/pluto/pluto.pid)" -o comm=)" != pluto ]; then
   exit 0
fi

/usr/sbin/ipsec restart

exit 0
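As an added illustration (not part of Tony's post or of Libreswan): the hook above restarts pluto unconditionally, which also drops any tunnels that are currently up. The functions below parse the same `netstat -uln` output the post uses to check whether pluto is already bound to an interface's new address, so a hook could skip the restart when it is not needed. The netstat text and the addresses are constructed samples; how the hook obtains the address (e.g. from `ip -4 addr show "$IFACE"`) is assumed.

```shell
#!/bin/sh
# Added example: decide whether pluto needs a restart by comparing an
# interface's new address against the UDP :500/:4500 sockets pluto has
# bound. The netstat text is passed in as an argument so the logic can be
# exercised offline on constructed output.

# pluto_listens_on NETSTAT_OUTPUT ADDR
# Returns 0 if a UDP :500 or :4500 listener is bound to ADDR (or to the
# wildcard 0.0.0.0 / ::), 1 otherwise.
pluto_listens_on() {
    printf '%s\n' "$1" | awk -v addr="$2" '
        $1 ~ /^udp6?$/ && $4 ~ /:(500|4500)$/ {
            host = $4
            sub(/:[0-9]+$/, "", host)       # strip ":port", keep the host part
            if (host == addr || host == "0.0.0.0" || host == "::") found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# needs_restart NETSTAT_OUTPUT ADDR
# Prints "restart" (and returns 0) when pluto is not listening on ADDR,
# otherwise prints "ok" (and returns 1) so a hook can leave tunnels alone.
needs_restart() {
    if pluto_listens_on "$1" "$2"; then
        echo ok
        return 1
    fi
    echo restart
    return 0
}

# Constructed sample of `netstat -uln` with pluto bound to lo and to the
# old DHCP lease 192.0.2.10 only (libreswan binds each address individually).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:500           0.0.0.0:*
udp        0      0 127.0.0.1:4500          0.0.0.0:*
udp        0      0 192.0.2.10:500          0.0.0.0:*
udp        0      0 192.0.2.10:4500         0.0.0.0:*'

# Offline demonstration: a new lease 198.51.100.7 is not yet bound.
echo "198.51.100.7: $(needs_restart "$SAMPLE_NETSTAT" 198.51.100.7)"
echo "192.0.2.10:   $(needs_restart "$SAMPLE_NETSTAT" 192.0.2.10)"
```

In a real hook, replace `$SAMPLE_NETSTAT` with `$(netstat -uln)` and the address with the one the interface just received.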


