Hi<br>
<br>
Using a shell script is doable, but you will need to put some stall time
between start and stop in order to give openswan time to fully stop and
start.<br>
<br>
You can check if you successfully made a tunnel with the command "ip
[-s] xfrm state", with -s optional in order to get more details.<br>
You must have at least 2 entries. But "ip xfrm state" only shows you the established SAs.<br>
<br>
You need to have configured SPDs, and you can see them with the command "ip [-s] xfrm policy".<br>
<br>
There you must see at least 3 entries, for the "in", "out" and "fwd"
directions. Everything is done automatically by openswan. But if you
have these values there, then you know that your tunnel is up from the kernel's
point of view.<br>
<br>
<br>
I hope it was helpful.<br>
<br>
Best regards,<br>
Tamis<br><br><div class="gmail_quote">2012/1/31 satpal parmar <span dir="ltr"><<a href="mailto:systems.satpal@gmail.com">systems.satpal@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi All!<br>
<br>
I am facing a small problem. I have ipsec running on two Linux boxes.<br>
Now I want to connect them through ipsec tunnels. I built a small<br>
script for this, as you have to type the commands every time for a connection:<br>
<br>
#!/bin/sh<br>
<br>
service ipsec stop<br>
service ipsec start<br>
ipsec auto --add test<br>
ipsec auto --up test<br>
<br>
I have this on both sides of my connection. My problem is that when I run<br>
it I get the following message very often:<br>
<br>
<br>
root@vnl-desktop:~# ./ipsec_restart.sh<br>
ipsec_setup: Stopping Openswan IPsec...<br>
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-33-generic...<br>
024 need --listen before --initiate<br>
<br>
Many times I get:<br>
<br>
root@R3BTS-CP-PFS1.0# /etc/init.d/ipsec status<br>
IPsec running - pluto pid: 2807<br>
pluto pid 2807<br>
1 tunnels up<br>
some eroutes exist<br>
<br>
<br>
And in random cases I get:<br>
<br>
root@R3BTS-CP-PFS1.0# /etc/init.d/ipsec status<br>
IPsec running - pluto pid: 2807<br>
pluto pid 2807<br>
2 tunnels up<br>
some eroutes exist<br>
<br>
<br>
At times I also get:<br>
root@R3BTS-CP-PFS1.0# /etc/init.d/ipsec start<br>
ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn5271...<br>
ipsec_setup: no default routes detected<br>
<br>
I want to automate the whole connection with a 100% success rate for the<br>
connection (both sides' SAs). I need help in building a minimal<br>
ipsec.config which will not return unless there is a connection when I<br>
issue "/etc/ipsec.d/start".<br>
<br>
Possible cases I see I might have to handle in my config:<br>
<br>
a) No IPsec running on the other side, or the other side is down. I will wait<br>
till the box and ipsec are up on the other side.<br>
<br>
b) No connection 'test' in the config on the other side. I will wait till the admin adds that.<br>
<br>
c) Connection 'test' is not up. Wait till it is up.<br>
<br>
So, to say it again: I do not report partial success or failure, and I<br>
retry/wait till I have both sides' SAs. Is it possible to build<br>
such an ipsec config? Are there any security related flaws in this<br>
scheme?<br>
<br>
Appreciate any input.<br>
<br>
-SP<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
<a href="http://lists.openswan.org/mailman/listinfo/users" target="_blank">http://lists.openswan.org/mailman/listinfo/users</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>Think simple!<br>
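An added example (mine, not Tamis's or the Openswan project's code) that turns the two checks above into a script: it counts the SAs in "ip xfrm state" and the "in"/"out"/"fwd" entries in "ip xfrm policy", and polls the kernel after "ipsec auto --up" instead of assuming success. The sample outputs, addresses, SPIs and timeout values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. A tunnel counts as up from the kernel's
# point of view when "ip xfrm state" shows at least 2 SAs and "ip xfrm policy"
# shows policies for all of "in", "out" and "fwd". Sample outputs below are
# constructed; addresses, SPIs and timeouts are placeholders.
# Count SAs: every "ip xfrm state" entry begins with a "src ... dst ..." line.
count_xfrm_states() {
    printf '%s\n' "$1" | grep -c '^src ' || true
}

# Count how many of the three policy directions appear in "ip xfrm policy".
count_policy_dirs() {
    n=0
    for d in in out fwd; do
        if printf '%s\n' "$1" | grep -q "^[[:space:]]*dir $d "; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# $1: "ip xfrm state" text, $2: "ip xfrm policy" text. Exit 0 = tunnel up.
tunnel_up() {
    [ "$(count_xfrm_states "$1")" -ge 2 ] && [ "$(count_policy_dirs "$2")" -ge 3 ]
}

# Poll the live kernel tables after "ipsec auto --up" instead of assuming
# success. $1: max seconds to wait, $2: seconds between checks (assumed values).
wait_for_tunnel() {
    waited=0
    while [ "$waited" -lt "$1" ]; do
        tunnel_up "$(ip xfrm state 2>/dev/null)" "$(ip xfrm policy 2>/dev/null)" && return 0
        sleep "$2"
        waited=$((waited + $2))
    done
    return 1
}

# Constructed sample output: two SAs (one per direction) and three policies.
SAMPLE_STATE='src 192.0.2.1 dst 192.0.2.2
        proto esp spi 0x00000001 reqid 16385 mode tunnel
src 192.0.2.2 dst 192.0.2.1
        proto esp spi 0x00000002 reqid 16385 mode tunnel'
SAMPLE_POLICY='src 10.0.1.0/24 dst 10.0.2.0/24
        dir out priority 2344 ptype main
src 10.0.2.0/24 dst 10.0.1.0/24
        dir fwd priority 2344 ptype main
src 10.0.2.0/24 dst 10.0.1.0/24
        dir in priority 2344 ptype main'
```

In a restart script, call "wait_for_tunnel 60 5" after "ipsec auto --up test" and only report success when it returns 0.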