[Swan] Libreswan and DHCP
Tony Whyman
tony.whyman at mccallumwhyman.com
Thu Dec 10 11:12:29 UTC 2015
The thread on converting from Openswan to Libreswan reminded me of the
following script that I have added to all my Ubuntu systems which use
DHCP rather than static IP addresses. The script is installed as:
/etc/network/if-up.d/ipsec
and seems to be necessary for pluto to recognise a change to the local
IP Address. This may be a bug in pluto or perhaps it is just good
practice to have such a script. I started installing this script with
Openswan and it still seems necessary with Libreswan (1.15). Without it
there seems to be a race condition on startup with pluto sometimes
failing to pick the external interface, especially if DHCP is a bit
slow. The script is essential when I am using a Laptop and moving
between WiFi networks.
To see the impact of the script, start the system with the network
disconnected and use
netstat -uln|grep ':500'
to see which interfaces pluto is listening on. Then connect the network
and once the IP Address is assigned, run the above again. Without the
script there is no change to the interfaces that pluto is listening on.
With the script - pluto will have picked up the new IP Address. It's a
pity a full restart is necessary but I can't seem to find any other way
to get pluto to update its attachments.
Tony Whyman
MWA
#! /bin/sh
# Restart ipsec service (libreswan) when an interface comes up, to allow
# it to know about new interfaces

set -e

# Don't bother to restart libreswan when lo is configured.
if [ "$IFACE" = lo ]; then
    exit 0
fi

# Only run from ifup.
if [ "$MODE" != start ]; then
    exit 0
fi

# Is /usr mounted?
if [ ! -e /usr/sbin/ipsec ]; then
    exit 0
fi

# Only restart if pluto is actually running (pid file present and the
# process with that pid really is pluto).
if [ ! -f /var/run/pluto/pluto.pid ] || \
   [ "$(ps -p "$(cat /var/run/pluto/pluto.pid)" -o comm=)" != pluto ]; then
    exit 0
fi

/usr/sbin/ipsec restart

exit 0
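The hook above restarts pluto on every interface that comes up. As an added example (not the poster's script and not part of libreswan), the variant below only restarts when the interface's IPv4 address is not already among the UDP 500 listeners, using the same `netstat -uln` check the post suggests. It assumes the ifupdown environment variables `IFACE` and `MODE`, the line shapes of `ip -4 -o addr show` and `netstat -uln` output shown in the constructed samples, and that the decision logic is kept in functions so it can be exercised offline.

```shell
#!/bin/sh
# Added example, not the poster's hook: restart pluto only when the interface
# that just came up has an IPv4 address pluto is NOT yet bound to on UDP 500.
# Parsing works on text passed in, so the decision can be tested without root.

# Print the IPv4 addresses bound to UDP port 500, given "netstat -uln" output
# on stdin. Expected line shape (see the constructed sample below):
#   udp        0      0 192.168.1.10:500        0.0.0.0:*
# "udp6" rows and the :4500 NAT-T socket are deliberately not matched.
listening_ike_addrs() {
    awk '$1 ~ /^udp$/ && $4 ~ /:500$/ { sub(/:500$/, "", $4); print $4 }'
}

# Print the first IPv4 address of interface $1, given "ip -4 -o addr show"
# output on stdin. Line shape: "2: eth0    inet 192.168.1.10/24 brd ..."
iface_ipv4() {
    awk -v ifc="$1" '$2 == ifc && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Decide what the hook should do for interface $1. $2 is the "ip" output and
# $3 the "netstat" output, passed as strings so the decision is testable.
# Prints exactly one of: noaddr, bound, restart.
decide() {
    addr=$(printf '%s\n' "$2" | iface_ipv4 "$1")
    [ -n "$addr" ] || { echo noaddr; return 0; }
    if printf '%s\n' "$3" | listening_ike_addrs | grep -qxF "$addr"; then
        echo bound
    else
        echo restart
    fi
}

# Constructed sample output (assumed shapes, not captured from a real host).
SAMPLE_IP='2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\       valid_lft forever preferred_lft forever
3: wlan0    inet 10.0.0.7/24 brd 10.0.0.255 scope global dynamic wlan0\       valid_lft 3600sec preferred_lft 3600sec'

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:500           0.0.0.0:*
udp        0      0 192.168.1.10:500        0.0.0.0:*
udp        0      0 192.168.1.10:4500       0.0.0.0:*
udp6       0      0 ::1:500                 :::*'

# Live use as an /etc/network/if-up.d hook: ifupdown sets IFACE and MODE.
# With the samples above, eth0 is already bound (no restart) while wlan0
# has a fresh address pluto has not picked up (restart).
if [ "$MODE" = start ] && [ -n "$IFACE" ] && [ "$IFACE" != lo ] \
   && [ -x /usr/sbin/ipsec ]; then
    case $(decide "$IFACE" "$(ip -4 -o addr show "$IFACE")" "$(netstat -uln)") in
        restart) /usr/sbin/ipsec restart ;;
    esac
fi
```

Drop the file in `/etc/network/if-up.d/` alongside the original and verify with `netstat -uln | grep ':500'` before and after bringing the interface up, as the post describes. If a full restart proves too disruptive, libreswan's `ipsec whack --listen` asks the running pluto to rescan its interfaces and can be tried in place of `ipsec restart` in the `restart)` branch; confirm with the same netstat check that the new address appears.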