<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Ipsec auto --up still hangs sometimes</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3429" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=889512817-10122008><FONT face=Arial
color=#0000ff size=2>This silence on this one is deafening. ipsec auto
--up should never hang - right? Yet it hangs for me. Admittedly, I
am trying some things off the beaten path, but I can reproduce the problem any
time I want, now with multiple versions of Openswan. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=889512817-10122008><FONT face=Arial
color=#0000ff size=2>Until a fix becomes available, maybe there's a
workaround. I think the shell scripts have a way to spawn a subprocess and
then set a timer for it to finish. Maybe instead of doing the ipsec auto
--up directly in-line, maybe it's better to fork it off somehow and then somehow
get a completion status I can test. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=889512817-10122008><FONT face=Arial
color=#0000ff size=2>Is there a better workaround?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=889512817-10122008><FONT face=Arial
color=#0000ff size=2>thanks</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=889512817-10122008><FONT face=Arial
color=#0000ff size=2>- Greg Scott</FONT></SPAN></DIV><BR>
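<P>The workaround asked about above (fork ipsec auto --up, put a timer on it, then test a completion status) can be written in shell as follows. This is an added example, not part of the original message or of Openswan; run_with_timeout and bring_up are hypothetical names, and it assumes that SIGTERM to the ipsec process is enough to abandon the attempt.</P>

```shell
#!/bin/bash
# Added example, not part of the original message.
# run_with_timeout SECS CMD [ARGS...]
# Returns CMD's own exit status, or 124 if CMD was still running after SECS.
run_with_timeout() {
    local secs="$1" flag cmd_pid dog_pid status=0 i=0
    shift
    flag=$(mktemp) || return 125

    "$@" &                          # the command that may never return
    cmd_pid=$!

    (   # watchdog: poll once a second, act when the deadline passes
        while [ "$i" -lt "$secs" ]; do
            sleep 1
            i=$((i + 1))
            kill -0 "$cmd_pid" 2>/dev/null || exit 0   # finished by itself
        done
        echo expired > "$flag"      # record the timeout before killing
        kill -TERM "$cmd_pid" 2>/dev/null
        sleep 2                     # grace period before SIGKILL
        kill -KILL "$cmd_pid" 2>/dev/null
    ) >/dev/null 2>&1 &
    dog_pid=$!

    wait "$cmd_pid" || status=$?    # blocks until CMD exits or is killed
    kill "$dog_pid" 2>/dev/null || true
    wait "$dog_pid" 2>/dev/null || true
    [ -s "$flag" ] && status=124    # the watchdog had to step in
    rm -f "$flag"
    return "$status"
}

# Hypothetical wrapper for the case in this thread: bound `ipsec auto --up`
# and, on a timeout, delete the connection as the transcript does by hand.
# Assumption: SIGTERM to the `ipsec` process abandons the attempt.
bring_up() {
    local conn="$1" secs="${2:-30}" rc=0
    run_with_timeout "$secs" ipsec auto --up "$conn" || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "ipsec auto --up $conn: no result after ${secs}s" >&2
        ipsec auto --delete "$conn"
    fi
    return "$rc"
}
```

<P>bring_up JanesvillePNT-Everywhere 30 returns 124 when the attempt had to be abandoned, and otherwise the exit status of ipsec auto --up itself.</P>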
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> users-bounces@openswan.org
[mailto:users-bounces@openswan.org] <B>On Behalf Of </B>Greg
Scott<BR><B>Sent:</B> Monday, December 08, 2008 6:50 AM<BR><B>To:</B>
users@lists.openswan.org<BR><B>Subject:</B> [Openswan Users] Ipsec auto --up
still hangs sometimes<BR></FONT><BR></DIV>
<P><SPAN lang=en-us><FONT face=Arial size=2>It seemed best to open a new thread
for this issue. I couldn't help myself - I had to reproduce the hang
problem I ran across a few minutes ago. </FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>Here's the situation.
Janesville has 2 LANs, one named JanesvilleCheetah that normally has an IPSEC
Openswan tunnel, the other named JanesvillePNT that normally routes
differently. </FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>These tunnels all connect to the HQ
site. JanesvilleCheetah stays up all the time, JanesvillePNT is supposed
to come up and down as needed. </FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>The HQ Openswan firewall is now
running this version:</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>[root@lme-fw2 ipsec.d]# ipsec
version</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial size=2>Linux
Openswan U2.6.14/K2.6.25-14.fc9.i686 (netkey)</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>See `ipsec --copyright' for copyright
information.</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@lme-fw2 ipsec.d]#</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>Here is the condition to reproduce
the problem:</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>In Janesville, the JanesvilleCheetah
tunnel is up and running.</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>The JanesvillePNT tunnel is specifically ***not*** loaded.
</FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>From the HQ Openswan firewall, when
I do ipsec auto --add and then ipsec auto --up -- but without doing anything in
Janesville, then the whack at HQ still hangs. It should eventually return
with an error, but it doesn't. It hangs. </FONT></SPAN></P><BR>
<P><SPAN lang=en-us><FONT face=Arial size=2>[root@lme-fw2 ipsec.d]# ipsec auto
--down JanesvillePNT-Everywhere</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>[root@lme-fw2 ipsec.d]# ipsec auto --delete
JanesvillePNT-Everywhere</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>000 "JanesvillePNT-Everywhere": request to delete a unrouted policy with
netkey kernel --- experimental</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>[root@lme-fw2 ipsec.d]# ipsec auto --up
JanesvillePNT-Everywhere</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>000 initiating all conns with
alias='JanesvillePNT-Everywhere'</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>021 no connection named
"JanesvillePNT-Everywhere"</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@lme-fw2 ipsec.d]# ipsec auto --add
JanesvillePNT-Everywhere</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>[root@lme-fw2 ipsec.d]# ipsec auto --up
JanesvillePNT-Everywhere</FONT></SPAN> <BR><SPAN lang=en-us><FONT face=Arial
size=2>104 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I1: initiate</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>003 "JanesvillePNT-Everywhere" #22:
ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]</FONT></SPAN>
<BR><SPAN lang=en-us><FONT face=Arial size=2>003 "JanesvillePNT-Everywhere" #22:
received Vendor ID payload [Dead Peer Detection]</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>003 "JanesvillePNT-Everywhere" #22: received
Vendor ID payload [RFC 3947] method set to=109</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>106 "JanesvillePNT-Everywhere" #22:
STATE_MAIN_I2: sent MI2, expecting MR2</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>003 "JanesvillePNT-Everywhere" #22: NAT-Traversal: Result
using RFC 3947 (NAT-Traversal): no NAT detected</FONT></SPAN> <BR><SPAN
lang=en-us><FONT face=Arial size=2>108 "JanesvillePNT-Everywhere" #22:
STATE_MAIN_I3: sent MI3, expecting MR3</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>003 "JanesvillePNT-Everywhere" #22: we require peer to have ID
'@janesvillepnt.local', but peer declares
'@janesvillecheetah.local'</FONT></SPAN></P>
<P><SPAN lang=en-us><FONT face=Arial size=2>218 "JanesvillePNT-Everywhere" #22:
STATE_MAIN_I3: INVALID_ID_INFORMATION</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>-----&gt; (Long pause here until I
pressed CTRL/C) &lt;-------</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>^C[root@lme-fw2 ipsec.d]# ipsec auto
--delete JanesvillePNT-Everywhere</FONT></SPAN> <BR><SPAN lang=en-us><FONT
face=Arial size=2>[root@lme-fw2 ipsec.d]#</FONT></SPAN> </P>
<P><SPAN lang=en-us><FONT face=Arial size=2>- Greg</FONT></SPAN>
</P></BODY></HTML>