[Openswan dev] bug report (auto=add &auto=start)

Michael Richardson mcr at xelerance.com
Tue Jun 26 08:30:23 EDT 2007


>>>>> "Alex" == Alex  <linux at vfemail.net> writes:
    Alex> See my comments inline:

    >> Interesting. The return code should not be non-zero, since your
    >> logs below show that absolutely nothing went wrong. It is
    >> probably non-zero, because the ipsec auto command returns before
    >> knowing if the connection succeeded, because of the default
    >> --asynchronous flag. It does a "fire and forget".
    >> Michael: Should we change auto to return 0 for this? Or change
    >> _plutorun to not care about the return code?

    Alex> Is this problem handled by anybody or is considered closed. I
    Alex> couldn't see any fix about this bug.

  --asynchronous makes "ipsec auto" not wait at all, and it isn't on by
default. What may be happening is that pluto will release whack after
some time spent trying to bring up the tunnel.
  Perhaps that situation should return a clear non-zero error code,
but that doesn't mean that the tunnel won't succeed when the
network/remote-node/DNS/etc. comes back to life.
  You could change the behaviour about releasing whack if you wanted.

    >> > So, a quick fix to this problem is to add to /etc/ipsec.conf:
    >> >
    >> > config setup
    >> >     plutowait=yes
    >> >     ^^^^^^^^^^^^^^^^
    >> This is the wrong fix, because if you have dozens or hundreds of
    >> tunnels you will now start them up one after the other, instead
    >> of in parallel.

    Alex> OK, I agree with you, but what is the correct fix?

  plutowait= actually probably isn't implemented in 2.5 either.
  The question is, if the tunnel failed to be created, what are you
going to do differently?  Do you want to do the same thing if the tunnel
fails later on?
-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
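Since the thread's point is that the exit status of "ipsec auto --up" may be reported before pluto knows whether the tunnel came up, a monitoring script should check the actual SA state instead. The following is an added example, not code from the thread or from Openswan; it assumes that "ipsec auto --status" prints a line containing the connection name in double quotes together with the text "IPsec SA established" once the tunnel is up, and the status text embedded below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample of "ipsec auto --status" output for a tunnel that is up.
STATUS_UP='000 "myconn": 10.0.1.0/24===192.0.2.1...192.0.2.2===10.0.2.0/24; erouted; eroute owner: #2
000 #2: "myconn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27000s; newest IPSEC
000 #1: "myconn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2600s; newest ISAKMP'

# Constructed sample for the same connection still negotiating phase 1.
STATUS_DOWN='000 "myconn": 10.0.1.0/24===192.0.2.1...192.0.2.2===10.0.2.0/24; unrouted
000 #1: "myconn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s'

# tunnel_established STATUS_TEXT CONN_NAME
# Returns 0 if STATUS_TEXT shows an established IPsec SA for CONN_NAME
# (assumed marker: the quoted connection name on a line with
# "IPsec SA established"; the ISAKMP-only line must not count).
tunnel_established() {
    printf '%s\n' "$1" | grep -F "\"$2\"" | grep -q 'IPsec SA established'
}

# wait_for_tunnel CONN_NAME TIMEOUT_SECONDS STATUS_COMMAND
# Polls STATUS_COMMAND once per second until the SA is established or the
# timeout expires. Returns 0 on success, 1 on timeout. This is the check
# that "ipsec auto --up" alone cannot give you, because it may return before
# pluto has finished (or given up) negotiating.
wait_for_tunnel() {
    conn=$1; timeout=$2; status_cmd=$3
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if tunnel_established "$($status_cmd)" "$conn"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Real-host usage, only attempted when the ipsec tool is actually present.
real_status() { ipsec auto --status; }
if command -v ipsec >/dev/null 2>&1; then
    ipsec auto --up myconn    # exit status ignored on purpose, see the thread
    if wait_for_tunnel myconn 30 real_status; then
        echo "myconn: IPsec SA established"
    else
        echo "myconn: no IPsec SA after 30s (pluto may still retry later)" >&2
    fi
fi
```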
