[Swan] Fail to connect on reboot

Nick Howitt nick at howitts.co.uk
Thu Sep 9 11:07:00 UTC 2021


Can you check the unit file and see if it has a line:
After=network-online.target

If it does not, try adding it?

Nick

On 09/09/2021 10:42, António Silva wrote:
> Hi,
> 
> I changed the ipsec.service and added to it:
> 
> # check internet connectivity
> ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'
> 
> This solves it, ipsec waits to have external connection to start.
> --
> Saludos / Regards / Cumprimentos
> António Silva
> 
> 
> 
> 
>> On 8 Sep 2021, at 15:55, António Silva <asilva at wirelessmundi.com> wrote:
>>
>> Hi,
>>
>> I’ve found an issue that my tunnel is not up after I reboot my 
>> machine. If I connect via ssh and restart ipsec, it connects, no errors.
>>
>> What I notice is that it is because the network is not enabled yet, I mean, no 
>> DNS to resolve the right address. From the logs I get:
>>
>> [16:47:48][beelink][~]# systemctl status ipsec
>> ● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>    Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
>>    Active: active (running) since Wed 2021-09-08 16:46:24 CEST; 1min 25s ago
>>      Docs: man:ipsec(8)
>>            man:pluto(8)
>>            man:ipsec.conf(5)
>>  Main PID: 1224 (pluto)
>>    Status: "Startup completed."
>>     Tasks: 4 (limit: 4597)
>>    Memory: 11.8M
>>       CPU: 1.529s
>>    CGroup: /system.slice/ipsec.service
>>            └─1224 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>>
>> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": we cannot identify ourselves with either end of this connection.  192.168.1.60 or <unset-address> are not usable
>> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": failed to initiate connection
>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 36 < 232 bytes; ignore message
>> Sep 08 16:47:24 beelink pluto[1224]: EXPECTATION FAILED: c->host_pair != ((void *)0) (connection_check_ddns1() +1141 programs/pluto/initiate.c)
>>
>> To reproduce it, I’ve set up my machine to use a DHCP address. The DHCP 
>> server is slow to reply with the address, so ipsec starts before I have a 
>> valid IP.
>> If I set a static IP everything works as expected.
>>
>> Can we set the timeout to wait for a valid DNS/connection before it 
>> fails?
>>
>> Using libreswan v4.5 on Debian buster.
>>
>>
>> Thanks.
>>
>>
>> --
>> Saludos / Regards / Cumprimentos
>> António Silva
>>
>>
>>
>>
>> _______________________________________________
>> Swan mailing list
>> Swan at lists.libreswan.org <mailto:Swan at lists.libreswan.org>
>> https://lists.libreswan.org/mailman/listinfo/swan

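The unit-file check suggested in this thread, as an added example that is not part of the original messages or of libreswan: it reports which `network-online.target` lines a unit file lacks and prints them as a drop-in (for instance `/etc/systemd/system/ipsec.service.d/override.conf`). The function names and the sample unit text are constructed for illustration; `Wants=` is checked as well because `After=` only orders the service and does not pull the target into the boot transaction.

```shell
#!/bin/sh
# unit_lists VALUE KEY FILE: succeed if a "KEY=" line in FILE lists VALUE.
# Simplification: sections and empty "KEY=" resets are not interpreted.
unit_lists() {
    awk -v want="$1" -v key="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Comment lines (# or ;) never start with "KEY=", so they are skipped.
            if (index(line, key "=") != 1) next
            n = split(substr(line, length(key) + 2), vals)
            for (i = 1; i <= n; i++) if (vals[i] == want) found = 1
        }
        END { exit found ? 0 : 1 }' "$3"
}

# network_online_dropin FILE: print the [Unit] drop-in lines FILE still needs.
# Prints nothing when both After= and Wants= already name the target.
network_online_dropin() {
    missing=""
    for key in After Wants; do
        unit_lists network-online.target "$key" "$1" ||
            missing="${missing}${key}=network-online.target
"
    done
    [ -n "$missing" ] && printf '[Unit]\n%s' "$missing"
    return 0
}

# Constructed sample unit text (not the packaged ipsec.service).
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Constructed sample, not the packaged ipsec.service
After=network.target
# After=network-online.target
[Service]
ExecStart=/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
EOF
}

tmp=$(mktemp) && sample_unit > "$tmp"
network_online_dropin "$tmp"    # prints the drop-in text for the sample
rm -f "$tmp"
```

`network-online.target` only delays startup when a wait-online service (such as `systemd-networkd-wait-online.service` or `NetworkManager-wait-online.service`) is enabled, so check that as well.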
