<html dir="ltr"><head></head><body style="text-align:left; direction:ltr;"><div>Hi All,</div><div><br></div><div>I have a workstation running rocky8.5 linux that connects via ipsec to a remote vpn server also running rocky8.5. </div><div>Both run libreswan which gets restarted via a cron job on the client on a regular basis </div><div>I was also playing with some smartcards looking to program them via gp.jar <a href="https://github.com/martinpaljak/GlobalPlatformPro">https://github.com/martinpaljak/GlobalPlatformPro</a> to put openFIPS onto some javacards <a href="https://github.com/makinako/OpenFIPS201">https://github.com/makinako/OpenFIPS201</a></div><div>Anyway ipsec attempted to restart via the cronjob and the link didn't come up. It took me a while to work out that the smartcard was the culprit and I see something like the logs at the bottom. </div><div><br></div><div>Unplugging the smartcard and the reader made things peachy again. pcscd is running. </div><div><br></div><div>Rather than digging too much I was hoping that someone would explain this behaviour. It does look like ipsec tries to leverage the smartcard as it's credential store. </div><div><br></div><div><br></div><div><br></div><div>● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec</div><div> Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)</div><div> Active: activating (start) since Thu 2022-04-28 22:47:12 AEST; 38s ago</div><div> Docs: man:ipsec(8)</div><div> man:pluto(8)</div><div> man:ipsec.conf(5)</div><div> Process: 4972 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)</div><div> Process: 4968 ExecStopPost=/bin/bash -c if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi (code=exited, status=0/SUCCESS)</div><div> Process: 4933 ExecStop=/usr/libexec/ipsec/whack --shutdown (code=exited, status=0/SUCCESS)</div><div> Process: 5222 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)</div><div> Process: 5220 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)</div><div> Process: 4981 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)</div><div> Process: 4979 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)</div><div> Main PID: 5234 (pluto)</div><div> Tasks: 1 (limit: 100532)</div><div> Memory: 3.4M</div><div> CGroup: /system.slice/ipsec.service</div><div> └─5234 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork</div><div><br></div><div>Apr 28 22:47:50 blah pluto[5234]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15</div><div>Apr 28 22:47:50 blah pluto[5234]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16</div><div>Apr 28 22:47:50 blah pluto[5234]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17</div><div>Apr 28 22:47:50 blah pluto[5234]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18</div><div>Apr 28 22:47:50 blah pluto[5234]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256</div><div>Apr 28 22:47:50 blah pluto[5234]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384</div><div>Apr 28 22:47:50 blah pluto[5234]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521</div><div>Apr 28 22:47:50 blah pluto[5234]: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519</div><div>Apr 28 22:47:50 blah pluto[5234]: testing CAMELLIA_CBC:</div><div>Apr 28 22:47:50 blah pluto[5234]: Camellia: 16 bytes with 128-bit key</div><div></div></body></html>