[Openswan Users] Ipsec auto --up still hangs sometimes
Greg Scott
GregScott at InfraSupportEtc.com
Wed Dec 10 14:01:03 EST 2008
This silence on this one is deafening. ipsec auto --up should never
hang - right? Yet it hangs for me. Admittedly, I am trying some things
off the beaten path, but I can reproduce the problem any time I want,
now with multiple versions of Openswan.
Until a fix becomes available, maybe there's a workaround. I think the
shell scripts have a way to spawn a subprocess and then set a timer for
it to finish. Maybe instead of doing the ipsec auto --up directly
in-line, maybe it's better to fork it off somehow and then somehow get a
completion status I can test.
Is there a better workaround?
thanks
- Greg Scott
________________________________
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of Greg Scott
Sent: Monday, December 08, 2008 6:50 AM
To: users at lists.openswan.org
Subject: [Openswan Users] Ipsec auto --up still hangs sometimes
It seemed best to open a new thread for this issue. I couldn't help
myself - I had to reproduce the hang problem I ran across a few minutes
ago.
Here's the situation. Janesville has 2 LANs, one named
JanesvilleCheetah that normally has an IPSEC Openswan tunnel, the other
named JanesvillePNT that normally routes differently.
These tunnels all connect to the HQ site. JanesvilleCheetah stays up
all the time, JanesvillePNT is supposed to come up and down as needed.
The HQ Openswan firewall is now running this version:
[root@lme-fw2 ipsec.d]# ipsec version
Linux Openswan U2.6.14/K2.6.25-14.fc9.i686 (netkey)
See `ipsec --copyright' for copyright information.
[root@lme-fw2 ipsec.d]#
Here is the condition to reproduce the problem:
In Janesville, the JanesvilleCheetah tunnel is up and running.
The JanesvillePNT tunnel is specifically ***not*** loaded.
From the HQ Openswan firewall, when I do ipsec auto --add and then ipsec
auto --up -- but without doing anything in Janesville, then the whack at
HQ still hangs. It should eventually return with an error, but it
doesn't. It hangs.
[root@lme-fw2 ipsec.d]# ipsec auto --down JanesvillePNT-Everywhere
[root@lme-fw2 ipsec.d]# ipsec auto --delete JanesvillePNT-Everywhere
000 "JanesvillePNT-Everywhere": request to delete a unrouted policy with netkey kernel --- experimental
[root@lme-fw2 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere
000 initiating all conns with alias='JanesvillePNT-Everywhere'
021 no connection named "JanesvillePNT-Everywhere"
[root@lme-fw2 ipsec.d]# ipsec auto --add JanesvillePNT-Everywhere
[root@lme-fw2 ipsec.d]# ipsec auto --up JanesvillePNT-Everywhere
104 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I1: initiate
003 "JanesvillePNT-Everywhere" #22: ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]
003 "JanesvillePNT-Everywhere" #22: received Vendor ID payload [Dead Peer Detection]
003 "JanesvillePNT-Everywhere" #22: received Vendor ID payload [RFC 3947] method set to=109
106 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I2: sent MI2, expecting MR2
003 "JanesvillePNT-Everywhere" #22: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
108 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3: sent MI3, expecting MR3
003 "JanesvillePNT-Everywhere" #22: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #22: STATE_MAIN_I3: INVALID_ID_INFORMATION
-----> (Long pause here until I pressed CTRL/C) <-------
^C[root@lme-fw2 ipsec.d]# ipsec auto --delete JanesvillePNT-Everywhere
[root@lme-fw2 ipsec.d]#
- Greg
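
The workaround asked about above (fork the command off, put a timer on it, then test a completion status), written out as an added example that is not part of the original post or of Openswan. The names run_with_timeout, bring_up_tunnel and UP_TIMEOUT, the 30-second default and the 124 "timed out" status are choices made for this example; it assumes that signalling the launched process is enough to release the caller, as CTRL/C did in the session above.

```bash
#!/bin/bash
# Added example, not from the original post.
# run_with_timeout SECS CMD [ARGS...]
# Returns CMD's exit status, or 124 if CMD had to be killed after SECS seconds.
run_with_timeout() {
    local secs=$1; shift
    local status=0 flag cmd_pid dog_pid
    flag=$(mktemp) || return 125

    "$@" &                          # fork the command off
    cmd_pid=$!

    (                               # watchdog: polls once per second
        waited=0
        while kill -0 "$cmd_pid" 2>/dev/null; do
            if [ "$waited" -ge "$secs" ]; then
                echo expired > "$flag"          # record that we gave up
                kill -TERM "$cmd_pid" 2>/dev/null || true
                sleep 1
                kill -KILL "$cmd_pid" 2>/dev/null || true
                exit 0
            fi
            sleep 1
            waited=$((waited + 1))
        done
    ) >/dev/null 2>&1 &
    dog_pid=$!

    wait "$cmd_pid" || status=$?    # completion status of the command
    wait "$dog_pid" || true         # watchdog exits once the command is gone
    if [ -s "$flag" ]; then status=124; fi
    rm -f "$flag"
    return "$status"
}

# Hypothetical caller: $1 is the connection name; the limit is arbitrary.
bring_up_tunnel() {
    local rc=0
    run_with_timeout "${UP_TIMEOUT:-30}" ipsec auto --up "$1" || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "ipsec auto --up $1 did not return within the limit" >&2
    fi
    return "$rc"
}
```

A calling script can then branch on the status, for example `bring_up_tunnel JanesvillePNT-Everywhere || echo "tunnel not up"`. If the launched command starts children of its own, they may need to be signalled as well.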