[Swan] "systemctl stop ipsec" does not stop pluto

Martin T m4rtntns at gmail.com
Sat May 20 01:01:39 UTC 2017


On Fri, May 19, 2017 at 6:22 PM, Paul Wouters <paul at nohats.ca> wrote:
> On Thu, 18 May 2017, Martin T wrote:
>
>> I installed Libreswan 3.20 under OpenSUSE 42.1 and it has the following
>> options in ipsec.service unit file:
>>
>> ExecStart=/usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>> ExecStop=/usr/lib/ipsec/whack --shutdown
>>
>>
>> As I understand, this should mean that pluto should be stopped with
>> "whack --shutdown" command. However, "systemctl stop ipsec.service"
>> command hangs until watchdog kicks in and if I execute "whack
>> --shutdown" manually using "strace -f", then the following can be seen:
>
>
> [hangs]
>
> Odd, can you tell me what happens when you run: killall -SIGTERM pluto
> That should do the same thing as whack --shutdown but won't use the
> socket. Then we know if it is pluto that's failing to die, or something
> weird with reading/writing the socket?
>
> Are there any apparmor or selinux policies that you could temporarily
> disable to see if those are causing this?
>
> Paul


Thanks for the reply! I think that pluto is failing to die:

# pgrep -la pluto; killall -SIGTERM pluto; sleep 30; pgrep -la pluto
31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
#


I'm not running SELinux nor Apparmor:

# systemctl status apparmor
apparmor.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

# ls -l /etc/apparmor.d
ls: cannot access /etc/apparmor.d: No such file or directory
#

Maybe pluto didn't compile correctly? I downloaded
download.libreswan.org/binaries/rhel/latest/x86_64/libreswan-3.20-1.el6.src.rpm,
modified the spec file and built an RPM for OpenSUSE 42.1.


Any ideas how to troubleshoot this?


thanks,
Martin

