<div dir="ltr">Thanks Paul.<div><br></div><div>My tunnels are auto=start but the connection did not come back by itself.</div><div>This is where my ipsec.log sat until I rebooted the host (didn't try just restarting ipsec).</div><div><br></div><div><div>2015-04-30T13:00:24.416058+00:00 vpnhost pluto[27203]: nss directory plutomain: /etc/ipsec.d</div><div>2015-04-30T13:00:24.465400+00:00 vpnhost pluto[27203]: NSS Initialized</div><div>2015-04-30T13:00:24.465843+00:00 vpnhost pluto[27203]: libcap-ng support [enabled]</div><div>2015-04-30T13:00:24.544242+00:00 vpnhost pluto[27203]: FIPS HMAC integrity verification test passed</div><div>2015-04-30T13:00:24.544672+00:00 vpnhost pluto[27203]: FIPS: pluto daemon NOT running in FIPS mode</div><div>2015-04-30T13:00:24.545061+00:00 vpnhost pluto[27203]: Linux audit support [enabled]</div><div>2015-04-30T13:00:24.545633+00:00 vpnhost pluto[27203]: Linux audit activated</div><div>2015-04-30T13:00:24.546025+00:00 vpnhost pluto[27203]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:27203</div><div>2015-04-30T13:00:24.546416+00:00 vpnhost pluto[27203]: core dump dir: /var/run/pluto</div><div>2015-04-30T13:00:24.546772+00:00 vpnhost pluto[27203]: secrets file: /etc/ipsec.secrets</div><div>2015-04-30T13:00:24.547144+00:00 vpnhost pluto[27203]: leak-detective disabled</div><div>2015-04-30T13:00:24.547532+00:00 vpnhost pluto[27203]: SAref support [disabled]: Protocol not available</div><div>2015-04-30T13:00:24.547898+00:00 vpnhost pluto[27203]: SAbind support [disabled]: Protocol not available</div><div>2015-04-30T13:00:24.548320+00:00 vpnhost pluto[27203]: NSS crypto [enabled]</div><div>2015-04-30T13:00:24.549756+00:00 vpnhost pluto[27203]: XAUTH PAM support [enabled]</div><div>2015-04-30T13:00:24.550121+00:00 vpnhost pluto[27203]: NAT-Traversal support [enabled]</div><div>2015-04-30T13:00:24.550513+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok</div><div>2015-04-30T13:00:24.550894+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok</div><div>2015-04-30T13:00:24.551292+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok</div><div>2015-04-30T13:00:24.551644+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok</div><div>2015-04-30T13:00:24.551992+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_AES_CTR: Ok</div><div>2015-04-30T13:00:24.552392+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_A: Ok</div><div>2015-04-30T13:00:24.552782+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_B: Ok</div><div>2015-04-30T13:00:24.553153+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_AES_GCM_C: Ok</div><div>2015-04-30T13:00:24.553527+00:00 vpnhost pluto[27203]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok</div><div>2015-04-30T13:00:24.554358+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CBC: Ok</div><div>2015-04-30T13:00:24.554755+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok</div><div>2015-04-30T13:00:24.555121+00:00 vpnhost pluto[27203]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok</div><div>2015-04-30T13:00:24.555540+00:00 vpnhost pluto[27203]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok</div><div>2015-04-30T13:00:24.555925+00:00 vpnhost pluto[27203]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok</div><div>2015-04-30T13:00:24.556352+00:00 vpnhost pluto[27203]: starting up 1 crypto helpers</div><div>2015-04-30T13:00:24.556735+00:00 vpnhost pluto[27203]: started thread for crypto helper 0 (master fd 6)</div><div>2015-04-30T13:00:24.557117+00:00 vpnhost pluto[27203]: Using Linux XFRM/NETKEY IPsec interface code on 3.10.0-123.20.1.el7.x86_64</div><div>2015-04-30T13:00:24.557512+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating aes_ccm_8: Ok</div><div>2015-04-30T13:00:24.557904+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating aes_ccm_12: Ok</div><div>2015-04-30T13:00:24.558291+00:00 vpnhost pluto[27203]: ike_alg_register_enc(): Activating aes_ccm_16: Ok</div><div>2015-04-30T13:00:24.587885+00:00 vpnhost pluto[27203]: | selinux support is NOT enabled.</div><div>2015-04-30T13:00:25.093206+00:00 vpnhost pluto[1047]: ADNS process terminated by signal 15</div></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Apr 30, 2015 at 8:24 AM, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On Thu, 30 Apr 2015, David M wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I did a yum update on a CentOS 7 host running libreswan and my tunnel was terminated at this part of the process:<br>
<br>
Cleanup : libreswan-3.8-6.el7_0.x86_64 247/453<br>
<br>
I accessed the remote console and rebooted to complete the process and my tunnels are working again.<br>
<br>
I don't recall this happening with previous updates.<br>
<br>
Is this expected behavior?<br>
</blockquote>
<br></div></div>
Unfortunately, when we restart we cannot save & restore the current<br>
tunnels. So a daemon restart will lose all existing tunnel state. But if<br>
your tunnels are auto=start, those should come back up automatically.<br>
<br>
Road warriors will have to reconnect on their own.<br>
<br>
In the future, we would like to be able to save & restore the state,<br>
also so we can save and send over the state to a failover instance.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div>