[Swan] libreswan version 4.9: ipsec.service: Start operation timed out. Terminating.

antonio asilva at wirelessmundi.com
Tue Nov 8 13:25:15 EET 2022


Hi,

The issue is with the systemd service apparently; I started it with init.d/ipsec and it is OK.

The generated package for version 4.9 doesn’t include a unit file.

dpkg -c binaries/libreswan_4.9-1_amd64.deb | grep systemd
drwxr-xr-x root/root         0 2022-10-13 01:00 ./lib/systemd/
drwxr-xr-x root/root         0 2022-10-13 01:00 ./lib/systemd/system-preset/
-rw-r--r-- root/root       145 2022-10-13 01:00 ./lib/systemd/system-preset/90-libreswan.preset

But in package 4.7 it was present:
dpkg -c libreswan_4.7-1_amd64.deb  | grep systemd
drwxr-xr-x root/root         0 2022-05-24 01:00 ./lib/systemd/
drwxr-xr-x root/root         0 2022-05-24 01:00 ./lib/systemd/system/
-rw-r--r-- root/root      1531 2022-05-24 01:00 ./lib/systemd/system/ipsec.service
drwxr-xr-x root/root         0 2022-05-24 01:00 ./lib/systemd/system-preset/
-rw-r--r-- root/root       145 2022-05-24 01:00 ./lib/systemd/system-preset/90-libreswan.preset


It was removed in commit: https://github.com/libreswan/libreswan/commit/20fe3adb398eaafb8dc62df06cf32461aaa817d7

On my server I had copied ipsec.service into /etc/systemd/system/ipsec.service, and when I updated to 4.9 it wasn’t removed.

The unit file I had is the same as in version 4.7:

[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
Wants=network-online.target
After=network-online.target
Documentation=man:ipsec(8) man:pluto(8) man:ipsec.conf(5)

[Service]
Type=notify
Restart=on-failure
# 12 is the shutdown while leaving kernel state. Restarting would still kill kernel state
RestartPreventExitStatus=12

#RestartPreventExitStatus=137 143 SIGTERM SIGKILL

# Set WatchdogSec to the amount of time (in seconds) that systemd will wait
# before restarting an unresponsive pluto.
# EVENT_SD_WATCHDOG updates the heartbeat every 15 seconds, recommended values
# are 60, 90, 120. WatchdogSec=0 disables the action
NotifyAccess=all
WatchdogSec=200

# Check configuration file
ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
# Check for kernel modules
ExecStartPre=/usr/libexec/ipsec/_stackmanager start
# Check for nss database status and migration
ExecStartPre=/usr/sbin/ipsec --checknss
# Check for nflog setup
ExecStartPre=/usr/sbin/ipsec --checknflog
# Start the actual IKE daemon
ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
# Enable for portexcludes support
# ExecStartPost=/usr/libexec/ipsec/portexcludes
ExecStop=/usr/libexec/ipsec/whack --shutdown
# 12 is the exit code of pluto for shutting down "leaving state"
ExecStopPost=/bin/bash -c 'if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi'
ExecStopPost=/usr/sbin/ipsec --stopnflog

[Install]
WantedBy=multi-user.target



I managed to make it work with systemd by changing the service type to Type=simple instead of Type=notify; Pluto is not sending the notification message when starting.


—
Saludos / Regards / Cumprimentos
António Silva

> On 21 Oct 2022, at 10:41, antonio <asilva at wirelessmundi.com> wrote:
> 
> Hi,
> 
> I updated from libreswan 4.7 to 4.9; the connection is established OK, but the ipsec service is restarting continuously, and that restarts the connection.
> 
> The restart is provoked by systemd, because the service is not starting normally: it gives a timeout and that triggers the restart.
> 
> I later removed the connection definition from the configuration and tried to start ipsec, and I got the same error: timeout.
> Reverting to version 4.7 everything is OK.
> 
> 
> I can’t see where the timeout is.
> 
> [10:36:15][beelink][~]# systemctl start ipsec
> Job for ipsec.service failed because a timeout was exceeded.
> See "systemctl status ipsec.service" and "journalctl -xe" for details.
> 
> 
> Small log before timed out:
> 
> Oct 21 10:37:37 beelink pluto[21609]: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
> Oct 21 10:37:37 beelink pluto[21609]: | spent 0.132 (0.133) milliseconds in in connection_check_ddns for hostname lookup
> Oct 21 10:37:37 beelink pluto[21609]: | spent 0.191 (0.189) milliseconds in global timer EVENT_PENDING_DDNS
> Oct 21 10:37:37 beelink pluto[21609]: | processing global timer EVENT_SHUNT_SCAN
> Oct 21 10:37:37 beelink pluto[21609]: | kernel: checking for aged bare shunts from shunt table to expire
> Oct 21 10:37:37 beelink pluto[21609]: | spent 0.0442 (0.0416) milliseconds in global timer EVENT_SHUNT_SCAN
> Oct 21 10:37:57 beelink pluto[21609]: | processing global timer EVENT_SHUNT_SCAN
> Oct 21 10:37:57 beelink pluto[21609]: | kernel: checking for aged bare shunts from shunt table to expire
> Oct 21 10:37:57 beelink pluto[21609]: | spent 0.0614 (0.049) milliseconds in global timer EVENT_SHUNT_SCAN
> Oct 21 10:38:07 beelink systemd[1]: ipsec.service: Start operation timed out. Terminating.
> 
> 
> Full log here: https://pastebin.com/qJ7DY9QU
> Thanks.
> 
> Saludos / Regards / Cumprimentos
> António Silva
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
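On the Type=notify versus Type=simple point raised in this thread: with Type=notify, systemd does not consider the unit started until the daemon writes READY=1 to the AF_UNIX datagram socket named by $NOTIFY_SOCKET, and if that message never arrives it terminates the process when the start timeout expires, which is exactly the "Start operation timed out. Terminating." line in the journal above. The C program below is an added illustration, not code from libreswan or pluto: it re-implements that handshake the way sd_notify(3) does (the function names notify_send_to, notify_send and notify_selftest are ours), and includes an offline self-test that binds a throwaway socket and checks that the READY=1 datagram arrives, so the notification path can be exercised without a running systemd.

```c
/* Minimal re-implementation of the systemd notify protocol used by
   Type=notify units. Added example; function names are ours, not pluto's. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one state string (e.g. "READY=1\n", "WATCHDOG=1\n") to the datagram
   socket at 'path'. Returns 0 on success, -1 when no socket path is set
   (the unit is not Type=notify, so there is nobody to tell), -2 on error. */
int notify_send_to(const char *path, const char *state) {
    if (path == NULL || *path == '\0')
        return -1;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    size_t plen = strlen(path);
    if (plen >= sizeof addr.sun_path)
        return -2;
    memcpy(addr.sun_path, path, plen);
    if (path[0] == '@')                 /* Linux abstract namespace name */
        addr.sun_path[0] = '\0';
    socklen_t alen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + plen);

    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -2;
    ssize_t n = sendto(fd, state, strlen(state), 0,
                       (const struct sockaddr *)&addr, alen);
    close(fd);
    return (n == (ssize_t)strlen(state)) ? 0 : -2;
}

/* What a daemon calls once it is actually serving: reads NOTIFY_SOCKET
   from the environment exactly as sd_notify(3) does. */
int notify_send(const char *state) {
    return notify_send_to(getenv("NOTIFY_SOCKET"), state);
}

/* Offline self-test: play the systemd side. Bind a throwaway socket, send
   READY=1 to it, and return 1 only if the datagram arrives intact. */
int notify_selftest(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/notify-selftest-%ld", (long)getpid());
    unlink(path);
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0)
        return 0;
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof addr.sun_path - 1);
    if (bind(srv, (const struct sockaddr *)&addr, sizeof addr) < 0) {
        close(srv);
        return 0;
    }
    int ok = 0;
    if (notify_send_to(path, "READY=1\n") == 0) {
        char buf[64] = {0};
        ssize_t n = recv(srv, buf, sizeof buf - 1, 0);
        ok = (n > 0 && strcmp(buf, "READY=1\n") == 0);
    }
    close(srv);
    unlink(path);
    return ok;
}

int main(void) {
    /* Under Type=simple NOTIFY_SOCKET is unset and this is a harmless -1;
       under Type=notify it is the call whose absence produces the timeout. */
    int rc = notify_send("READY=1\n");
    printf("notify_send returned %d; selftest %s\n",
           rc, notify_selftest() ? "passed" : "failed");
    return 0;
}
```

The same socket is what the WatchdogSec=200 setting in the unit relies on: after READY=1, the daemon must keep sending WATCHDOG=1 at an interval shorter than WatchdogSec, or systemd treats it as hung and restarts it. Switching the unit to Type=simple removes both the start-up check and the watchdog, so a daemon that hangs is no longer restarted automatically.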
