[Swan] "systemctl stop ipsec" does not stop pluto

Paul Wouters paul at nohats.ca
Tue May 23 02:44:52 UTC 2017


On Mon, 22 May 2017, Martin T wrote:

>> Thanks for the reply! I think that pluto is failing to die:
>>
>> # pgrep -la pluto; killall -SIGTERM pluto; sleep 30; pgrep -la pluto
>> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>> 31885 /usr/lib/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

I don't know why that is happening, but I'm tempted to blame your
particular system.

>> Maybe pluto didn't compile correctly? I downloaded
>> download.libreswan.org/binaries/rhel/latest/x86_64/libreswan-3.20-1.el6.src.rpm,
>> modified the spec file and built a RPM for OpenSUSE 42.1.

If it compiled, it should work? As long as USE_SECCOMP did not get
enabled, you should be fine.

> command, then I see those very same log messages shown in my initial
> e-mail with an exception that systemd does not kill the process. In
> other words, the "May 18 18:49:28 host systemd[1]: ipsec.service
> stop-sigterm timed out. Killing." does not happen. When I execute
> "systemctl status ipsec", then its status is "running". If I attach to
> pluto(PID is 12912) process with "strace -f -p 12912" command and then
> execute "killall -SIGTERM pluto", then following is shown:
>
> ) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
> [pid 12912] --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER,
> si_pid=13463, si_uid=0} ---
> [pid 12912] rt_sigreturn({mask=[]})     = -1 EINTR (Interrupted system call)
> [pid 12912] futex(0x7f0e440009a0, FUTEX_WAIT_PRIVATE, 2, NULL

I'm not sure what this means.

> I could add "KillSignal=SIGKILL" to systemd unit file, but I'm not
> sure what are the consequences once the server is used for live IPsec
> connections..

It works, in that we won't send any Delete/Notifies, so the other end
won't know you're gone until you are back and try to re-establish the
tunnel (or until their DPD settings kick in).

Paul

