[Swan] Fail to connect on reboot

António Silva asilva at wirelessmundi.com
Thu Sep 9 15:35:44 UTC 2021


Hi Nick,

Yes, the line After is present.

There is an issue with network-online that doesn't wait long enough, so the ipsec service will start without having a default route.
This is caused because my DHCP server is slow to assign an IP; when setting a static IP the issue is not present, and the ipsec service starts OK.


My final ipsec.service: 

[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
Wants=network-online.target
After=network-online.target
Documentation=man:ipsec(8) man:pluto(8) man:ipsec.conf(5)

[Service]
Type=notify
Restart=on-failure
# 12 is the shutdown while leaving kernel state. Restarting would still kill kernel state
RestartPreventExitStatus=12

#RestartPreventExitStatus=137 143 SIGTERM SIGKILL

# Set WatchdogSec to the amount of time (in seconds) that systemd will wait
# before restarting an unresponsive pluto.
# EVENT_SD_WATCHDOG updates the heartbeat every 15 seconds, recommended values
# are 60, 90, 120. WatchdogSec=0 disables the action
NotifyAccess=all
WatchdogSec=200

# check internet connectivity
ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'
# Check configuration file
ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
# Check for kernel modules
ExecStartPre=/usr/libexec/ipsec/_stackmanager start
# Check for nss database status and migration
ExecStartPre=/usr/sbin/ipsec --checknss
# Check for nflog setup
ExecStartPre=/usr/sbin/ipsec --checknflog
# Start the actual IKE daemon
ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
# Enable for portexcludes support
# ExecStartPost=/usr/libexec/ipsec/portexcludes
ExecStop=/usr/libexec/ipsec/whack --shutdown
# 12 is the exit code of pluto for shutting down "leaving state"
ExecStopPost=/bin/bash -c 'if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi'
ExecStopPost=/usr/sbin/ipsec --stopnflog

[Install]
WantedBy=multi-user.target



--
Saludos / Regards / Cumprimentos
António Silva
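An added example, not code from the thread or from libreswan: a POSIX sh helper that gates the start of pluto on a default IPv4 route appearing in the local routing table, which is the condition the `After=network-online.target` ordering is meant to provide and which the `until ping -c1 1.1.1.1` ExecStartPre approximates. Reading the routing table keeps the check local (no dependence on an external host answering ICMP before the tunnel exists) and bounds the wait, so a machine that never gets a lease fails the unit and lets `Restart=on-failure` retry rather than blocking until `TimeoutStartSec` kills the pre-start command. The install path `/usr/local/lib/wait-for-route.sh` and the sample route output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not libreswan's code): gate pluto start on the local routing
# table instead of on reachability of an external host.
# Assumed install path: /usr/local/lib/wait-for-route.sh (hypothetical).

# has_default_route ROUTE_TEXT
# Returns 0 when ROUTE_TEXT (output of `ip -4 route show`) contains a usable
# default route of the form "default via <gateway> dev <iface> ...".
has_default_route() {
    printf '%s\n' "$1" | grep -Eq \
        '^default[[:space:]]+via[[:space:]]+[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]+dev[[:space:]]+[A-Za-z0-9_.-]+'
}

# wait_for_default_route TIMEOUT_SECONDS COMMAND [ARGS...]
# Polls COMMAND once per second until has_default_route accepts its output.
# Returns 0 on success and 1 when TIMEOUT_SECONDS elapse with no default
# route, so the unit fails (and Restart=on-failure retries) instead of
# hanging until TimeoutStartSec kills the ExecStartPre.
wait_for_default_route() {
    timeout="$1"
    shift
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if has_default_route "$("$@" 2>/dev/null)"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Constructed sample outputs (not captured from the machine in the thread):
# the table after a DHCP lease has been obtained, and the table before it,
# when only the link-scope route exists.
SAMPLE_ROUTE_UP='default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.60 metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.60'
SAMPLE_ROUTE_DOWN='192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.60'

# Wire-up in ipsec.service (assumed path), replacing the ping loop:
# ExecStartPre=/bin/sh -c '. /usr/local/lib/wait-for-route.sh && wait_for_default_route 120 ip -4 route show'
```

Note that `network-online.target` only delays dependents when a wait-online service for the network manager in use (for example `systemd-networkd-wait-online.service` or `NetworkManager-wait-online.service`) is enabled; without one the target is reached as soon as networking is configured, before a DHCP lease arrives, which matches the behaviour described above.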




> On 9 Sep 2021, at 12:07, Nick Howitt <nick at howitts.co.uk> wrote:
> 
> Can you check the unit file and see if it has a line:
> After=network-online.target
> 
> If it does not, try adding it?
> 
> Nick
> 
> On 09/09/2021 10:42, António Silva wrote:
>> Hi,
>> I changed the ipsec.service and added to it:
>> # check internet connectivity
>> ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'
>> This solves it; ipsec waits to have an external connection before starting.
>> --
>> Saludos / Regards / Cumprimentos
>> António Silva
>>> On 8 Sep 2021, at 15:55, António Silva <asilva at wirelessmundi.com> wrote:
>>> 
>>> Hi,
>>> 
>>> I've found an issue where my tunnel is not up after I reboot my machine; if I connect via ssh and restart ipsec it connects, no errors.
>>> 
>>> What I notice is that it is because the network is not enabled yet, I mean, no DNS to resolve the right address. From the logs I get:
>>> 
>>> [16:47:48][beelink][~]# systemctl status ipsec
>>> ● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>    Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
>>>    Active: active (running) since Wed 2021-09-08 16:46:24 CEST; 1min 25s ago
>>>      Docs: man:ipsec(8)
>>>            man:pluto(8)
>>>            man:ipsec.conf(5)
>>>  Main PID: 1224 (pluto)
>>>    Status: "Startup completed."
>>>     Tasks: 4 (limit: 4597)
>>>    Memory: 11.8M
>>>       CPU: 1.529s
>>>    CGroup: /system.slice/ipsec.service
>>>            └─1224 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>>> 
>>> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": we cannot identify ourselves with either end of this connection.  192.168.1.60 or <unset-address> are not usable
>>> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": failed to initiate connection
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
>>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
>>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 36 < 232 bytes; ignore message
>>> Sep 08 16:47:24 beelink pluto[1224]: EXPECTATION FAILED: c->host_pair != ((void *)0) (connection_check_ddns1() +1141 programs/pluto/initiate.c)
>>> 
>>> To reproduce it, I've set up my machine to use a DHCP address; the DHCP server is slow to reply with the address, so ipsec starts before I have a valid IP.
>>> If I set a static IP everything works as expected.
>>> 
>>> Can we set the timeout to wait for a valid DNS/connection before it fails?
>>> 
>>> Using libreswan v4.5 on Debian buster.
>>> 
>>> 
>>> Thanks.
>>> 
>>> 
>>> --
>>> Saludos / Regards / Cumprimentos
>>> António Silva
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Swan mailing list
>>> Swan at lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan