[Swan] Libreswan and DHCP

Paul Wouters paul at nohats.ca
Fri Dec 11 19:19:02 UTC 2015


On Thu, 10 Dec 2015, Tony Whyman wrote:

> The thread on converting from Openswan to Libreswan reminded me of the 
> following script that I have added to all my Ubuntu systems which use DHCP 
> rather than static IP addresses. The script is installed as:
>
> /etc/network/if-up.d/ipsec
>
> and seems to be necessary for pluto to recognise a change to the local IP 
> Address.

That's a rather blunt hammer. You should replace that with only:

 	ipsec whack --listen

> have such a script. I started installing this script with Openswan and it 
> still seems necessary with Libreswan (1.15). Without it there seems to be a 
> race condition on startup with pluto sometimes failing to pick the external 
> interface, especially if DHCP is a bit slow. The script is essential when I 
> am using a Laptop and moving between WiFi networks.

There is a bit of history behind this. Originally, pluto's design was
not meant to gain or lose IP addresses on the fly. However, the world
changes and this now happens for everyone. pluto should be extended to
deal with this. In a NetworkManager world, NM can send a notify that
pluto could act on. But it might be easier and more generic for pluto
to monitor for networking changes itself.

Note that pluto "orients" connections to determine if it is "left" or
"right" when the connection loads. So a network change might require
re-orienting connections. That's fine for connections loaded and not
up. What to do with active tunnels is more tricky.

> to see which interfaces pluto is listening on. Then connect the network and 
> once the IP Address is assigned, run the above again. Without the script 
> there is no change to the interfaces that pluto is listening on. With the 
> script - pluto will have picked up the new IP Address. It's a pity a full 
> restart is necessary but I can't seem to find any other way to get pluto to 
> update its attachments.

I guess you should look at what event triggers when DHCP completes, and
cause that event to run "ipsec whack --listen".

Paul
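What Paul is suggesting, written out as an ifupdown hook. This is an added example, not the script Tony installed and not anything shipped by Libreswan. It assumes the environment ifupdown passes to /etc/network/if-up.d/ hooks (IFACE, MODE, ADDRFAM), that pluto answers `ipsec whack --status` when it is running, and that skipping the `--all`/`meta` pseudo-interface and loopback is the right filter for your setup:

```shell
#!/bin/sh
# /etc/network/if-up.d/ipsec  -- example hook, not from the thread or Libreswan.
# ifupdown exports IFACE, MODE and ADDRFAM to every hook it runs.  Instead of
# restarting pluto, ask it to rescan its interfaces with "ipsec whack --listen".

# Decide whether this hook invocation is one pluto should hear about.
# Returns 0 to act, 1 to skip.
should_relisten() {
    iface="$1"; mode="$2"; addrfam="$3"
    [ "$mode" = "start" ] || return 1        # only on the way up
    [ "$iface" != "lo" ] || return 1         # loopback never carries a tunnel
    [ "$iface" != "--all" ] || return 1      # "ifup -a" meta invocation
    [ "$addrfam" != "meta" ] || return 1     # same, as seen via ADDRFAM
    return 0
}

# Ask a running pluto to pick up the new address; stay silent when pluto is
# not up yet (boot ordering) so the hook never fails the interface bring-up.
relisten() {
    if command -v ipsec >/dev/null 2>&1 && ipsec whack --status >/dev/null 2>&1; then
        ipsec whack --listen
    fi
    return 0
}

# Run the hook body only when invoked by ifupdown (IFACE is set); when the
# file is sourced for testing, just define the functions above.
if [ -n "${IFACE:-}" ]; then
    if should_relisten "$IFACE" "${MODE:-}" "${ADDRFAM:-}"; then
        relisten
    fi
fi
```

Install it mode 0755. Note the caveat from the message above: `--listen` makes pluto attach to the new address and re-orient loaded-but-down connections; it does nothing for tunnels that were already up on the old address, which still need to be restarted by hand or by a dead-peer-detection action.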

