[Swan] Fail to connect on reboot

António Silva asilva at wirelessmundi.com
Thu Sep 9 09:42:30 UTC 2021


Hi,

I changed the ipsec.service and added to it:

# check internet connectivity
ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'

This solves it; ipsec waits to have an external connection to start.
 
--
Saludos / Regards / Cumprimentos
António Silva




> On 8 Sep 2021, at 15:55, António Silva <asilva at wirelessmundi.com> wrote:
> 
> Hi,
> 
> I’ve found an issue where my tunnel is not up after I reboot my machine. If I connect via ssh and restart ipsec, it connects, with no errors.
> 
> What I notice is that it is because the network is not enabled yet, I mean, no DNS to resolve the right address. From the logs I get:
> 
> [16:47:48][beelink][~]# systemctl status ipsec
> ● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>    Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
>    Active: active (running) since Wed 2021-09-08 16:46:24 CEST; 1min 25s ago
>      Docs: man:ipsec(8)
>            man:pluto(8)
>            man:ipsec.conf(5)
>  Main PID: 1224 (pluto)
>    Status: "Startup completed."
>     Tasks: 4 (limit: 4597)
>    Memory: 11.8M
>       CPU: 1.529s
>    CGroup: /system.slice/ipsec.service
>            └─1224 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
> 
> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": we cannot identify ourselves with either end of this connection.  192.168.1.60 or <unset-address> are not usable
> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": failed to initiate connection
> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 36 < 232 bytes; ignore message
> Sep 08 16:47:24 beelink pluto[1224]: EXPECTATION FAILED: c->host_pair != ((void *)0) (connection_check_ddns1() +1141 programs/pluto/initiate.c)
> 
> To reproduce it, I’ve set up my machine to use a DHCP address; the DHCP server is slow to reply with the address, so ipsec starts before I have a valid IP.
> If I set a static IP everything works as expected.
> 
> Can we set the timeout to wait for a valid DNS/connection before it fails? 
> 
> Using libreswan v4.5 in Debian buster.
> 
> 
> Thanks.
> 
> 
> --
> Saludos / Regards / Cumprimentos
> António Silva
> 
> 
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
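
As an added example (not part of the original post and not libreswan's own code): a bounded variant of the pre-start wait described above, which checks for a default route and for the peer's hostname resolving instead of pinging a fixed address. The script path, drop-in file name and `vpn.example.net` are assumptions.

```shell
#!/bin/sh
# Added example: bounded pre-start wait for ipsec.service.
# Assumed usage, from a drop-in such as
#   /etc/systemd/system/ipsec.service.d/wait-net.conf:
#     [Service]
#     ExecStartPre=/usr/local/sbin/ipsec-wait-net vpn.example.net 60
# A non-zero exit fails the unit start; prefix the command with "-"
# in ExecStartPre= if pluto should start anyway after the wait.

# wait_until ATTEMPTS CMD [ARGS...]
# Run CMD, sleeping one second between tries, until it succeeds
# (return 0) or ATTEMPTS tries have failed (return 1).
wait_until() {
    _max=$1; shift
    _tries=0
    until "$@" >/dev/null 2>&1; do
        _tries=$((_tries + 1))
        [ "$_tries" -ge "$_max" ] && return 1
        sleep 1
    done
    return 0
}

# True once the kernel has a default route, which is typically
# installed when DHCP has configured the interface.
have_default_route() {
    ip route show default 2>/dev/null | grep -q .
}

# True once the resolver can look up the peer's hostname.
peer_resolves() {
    getent hosts "$1"
}

main() {
    peer=$1
    limit=${2:-60}
    wait_until "$limit" have_default_route || {
        echo "no default route after $limit attempts" >&2; return 1; }
    wait_until "$limit" peer_resolves "$peer" || {
        echo "cannot resolve $peer after $limit attempts" >&2; return 1; }
}

# Only wait when called with a peer name (keeps the file sourceable).
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the loop is bounded, a host where the check can never succeed fails the start with a clear message in the journal instead of looping until systemd's start timeout.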
