[Openswan dev] bug report (auto=add &auto=start)

Michael Richardson mcr at xelerance.com
Tue Jun 26 08:30:23 EDT 2007




>>>>> "Alex" == Alex  <linux at vfemail.net> writes:
    Alex> See my comments inline:

    >> Interesting. The return code should not be non-zero, since your
    >> logs below show that absolutely nothing went wrong. It is
    >> probably non-zero, because the ipsec auto command returns before
    >> knowing if the connection succeeded, because of the default
    >> --asynchronous flag. It does a "fire and forget".
    >> 
    >> Michael: Should we change auto to return 0 for this? Or change
    >> _plutorun to not care about the return code?

    Alex> Is this problem handled by anybody or is it considered closed? I
    Alex> couldn't see any fix for this bug.

  --asynchronous makes "ipsec auto" not wait at all, and it isn't on by
default. What may be happening is that pluto will release whack after
some time efforts to bring up the tunnel.
  Perhaps that situation should return a clear non-zero error code,
but that doesn't mean that the tunnel won't succeed when the
network/remote-node/DNS/etc. comes back to life.
  You could change the behaviour about releasing whack if you wanted.

    >> > So, a quick fix to this problem is to add to /etc/ipsec.conf:
    >> >
    >> > config setup
    >> >     plutowait=yes
    >> >     ^^^^^^^^^^^^^^^^
    >> 
    >> This is the wrong fix, because if you have dozens or hundreds of
    >> tunnels you will now start them up one after the other, instead
    >> of parallel.

    Alex> OK, I agree with you, but what is the correct fix?

  plutowait= actually probably isn't implemented in 2.5 either.
  
  The question is, if the tunnel failed to be created, what are you
going to do differently?  Do you want to do the same thing if the tunnel
fails later on?
  
-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



