[Swan] Need support for IPSEC

Paul Wouters paul at nohats.ca
Sun Apr 1 17:16:19 UTC 2018


On Thu, 29 Mar 2018, Sriram Yarlagadda wrote:

>  $systemctl status ipsec.service
> ● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>    Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: en
>    Active: activating (start-pre) since Thu 2018-03-29 04:31:49 UTC; 1s ago
>      Docs: man:ipsec(8)
>            man:pluto(8)
>            man:ipsec.conf(5)
>   Process: 17567 ExecStopPost=/usr/local/sbin/ipsec --stopnflog (code=exited, st
>   Process: 17564 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/S
>   Process: 17561 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/
>   Process: 17536 ExecStart=/usr/local/libexec/ipsec/pluto --leak-detective --con
>   Process: 17523 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, s
>   Process: 17520 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, sta
>   Process: 17575 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ips
>  Main PID: 17536 (code=exited, status=9); Control PID: 17578 (_stackmanager)
>     Tasks: 3 (limit: 4915)
>    CGroup: /system.slice/ipsec.service
>            └─control
>              ├─17578 /bin/sh /usr/local/libexec/ipsec/_stackmanager start
>              └─17746 modprobe --quiet --use-blacklist esp4

It looks here that your modprobe command is hanging, resulting in
"ipsec _stackmanager" hanging, and therefore pluto not starting properly.

I don't know what is causing that though. You can try and run this
manually to see what it tells you (on console and in dmesg):

 	modprobe --use-blacklist esp4

It's odd that systemd does not see this as a failed startup. It did not
even try to run the Start command as it is stuck in an ExecStartPre job.
It should have marked this clearly as a failed start.

Paul

