<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7638.1">
<TITLE>RE: [Openswan Users] Ipsec auto --up {tunnelname} hangs</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">> Oh yes - and why 2 tunnels from the same left side to the same right side?</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">OK - forget about complicated scripts and backup routing. I can now reproduce the problem any time I want without effecting production</FONT><FONT SIZE=2 FACE="Arial"> and without using any scripts. </FONT> </SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">Scenario:</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">2 Linux IPSEC routers,</FONT> <FONT SIZE=2 FACE="Arial">call them</FONT><FONT SIZE=2 FACE="Arial"> sunrise and sunset. Sunrise on the right, sunset on the left. </FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">We have a "static" tunnel between sunrise and sunset, with a conn definition auto=start.</FONT><FONT SIZE=2 FACE="Arial"> The name of the "static" tunnel is Janesvillecheetah-Everywhere, with an ID of janesvillecheetah.local. This tunnel is up all the time. </FONT> </SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">And we have a "dynamic" tunnel between sunrise and sunset, defined with auto=ignore. The name of the "dynamic" tunnel is JanesvillePNT-Everywhere</FONT><FONT SIZE=2 FACE="Arial"> with an ID of janesvillepnt.local. This tunnel goes up and down dynamically. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">On the left side, do this by hand to make sure the tunnel is down and turned off:</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">ipsec auto --</FONT><FONT SIZE=2 FACE="Arial">down</FONT><FONT SIZE=2 FACE="Arial"> JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">ipsec auto --</FONT><FONT SIZE=2 FACE="Arial">delete</FONT><FONT SIZE=2 FACE="Arial"> JanesvillePNT-Everywhere</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">On the right side, do this by hand:</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">ipsec auto --add JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">ipsec auto --up JanesvillePNT-Everywhere</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">This should return an error - right? After all, I'm trying to start a tunnel that doesn't exist on the other end. But instead, it</FONT> <FONT SIZE=2 FACE="Arial">generates the following output and then hangs.</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ~]#</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ~]# ipsec auto --add JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ~]# ipsec auto --up JanesvillePNT-Everywhere</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">104 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I1: initiate</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #64: ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #64: received Vendor ID payload [Dead Peer Detection]</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #64: received Vendor ID payload [RFC 3947] method set to=110</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">106 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I2: sent MI2, expecting MR2</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #64: NAT-Traversal: Result using 3: no NAT detected</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">108 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: sent MI3, expecting MR3</FONT></SPAN>
<BR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">003 "JanesvillePNT-Everywhere" #64: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">218 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: INVALID_ID_INFORMATION</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">(The hang is right here. This also generates a bunch of debug info similar to what I posted last night. Pressing CTRL/C stops the hang and kills the ipsec whack process that was generated. And I get a linux prompt back.)</FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">[root@lme-fw ~]#</FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">I think this hang can be reproduced any time there are two tunnels, and one of the tunnels goes up and down dynamically, and the tunnel is not yet added on the other side. </FONT></SPAN></P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">If this hang is indeed a bug, and there's an easy fix, I'll be happy to test it. </FONT></SPAN>
</P>
<P><SPAN LANG="en-us"><FONT SIZE=2 FACE="Arial">- Greg</FONT></SPAN>
</P>
</BODY>
</HTML>