[Openswan Users] Ipsec auto --up {tunnelname} hangs

Greg Scott GregScott at InfraSupportEtc.com
Wed Jun 18 16:56:34 EDT 2008


I first reported this a few weeks ago and now I have a little bit more
data.  The application is backup routing.  The main site and some branch
sites are normally connected via a MPLS cloud.  But the MPLS cloud is
not always reliable, despite the marketing hype.  So I have a few key
sites using IPSEC tunnels for backup routing.  On each side, a script
pings the MPLS router on the other side.  If the MPLS router doesn't
answer, the script does this:
 
ipsec auto --add {tunnelname}
ipsec auto --up {tunnelname}
 
And then when the MPLS router on the other side answers again, it does
this:
 
ipsec auto --down {tunnelname}
ipsec auto --delete {tunnelname}
 
The conn definitions for these backup tunnels use auto=ignore, so my
scripts on both sides should completely control bringing the tunnels up
and down.
 
But then this sequence of events throws a monkey-wrench into my best
laid plans.  
 
Sometimes, the MPLS router goes offline for a few seconds and then comes
back to life.  The scripts on both sides notice they can't see the MPLS
router on the other side and start to bring up the tunnel.  The left
side brings up the tunnel and properly takes it down when the MPLS
router comes back alive.  But the right side hangs trying to bring up
the tunnel.  I think it hangs because the left side deleted the tunnel
before the right side can fully set it up.  
 
So there the right side sits, hung in limbo forever - and that's my
problem.  I don't know how to break that hang so I can handle the error
condition.
 
For right now, this is my workaround:
 
[root at lme-fw log]# ps ax | grep Janesville
 3415 ?        S      0:11 bash /firewall-scripts/route-monitor.sh
12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
23742 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up
JanesvillePNT-Everywhere
23744 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up
JanesvillePNT-Everywhere
23750 ?        S      0:00 /usr/libexec/ipsec/whack --name
JanesvillePNT-Everywhere --initiate
10588 pts/2    R+     0:00 grep Janesville
[root at lme-fw log]#
[root at lme-fw log]# kill -9 23750
[root at lme-fw log]# ps ax | grep Janesville
3415 ?        S      0:11 bash /firewall-scripts/route-monitor.sh
12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
10593 pts/2    R+     0:00 grep Janesville
[root at lme-fw log]#
 
When I see this condition, I know what process to look for and I can
kill it.  Then my script continues where it was, logs a bunch of stuff
for me and continues.
 
Here's my question - what can I do to make sure any ipsec command always
returns back to me with some kind of status code so I can handle it?
 
thanks
 
- Greg Scott
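Added example, not part of Greg's message or of his route-monitor.sh: a POSIX sh wrapper that runs any command under a deadline and always comes back with an exit status, returning 124 when the deadline expired (the convention coreutils `timeout` uses). Because the process left behind in the ps listing above is `whack`, a child of the `auto` script, the wrapper kills the child tree rather than only the direct child before giving up. `bring_up_backup` layers the post's add/up sequence on top of it and removes the conn again when `--up` does not return in time, so the calling script regains control instead of sitting in limbo. The function names, the 30-second default, and the demonstration with `sleep` in place of `ipsec` are assumptions; the ipsec commands themselves are the ones from the post.

```shell
#!/bin/sh
# Added example: deadline wrapper for commands that may never return.
# Assumption: function names, default deadline and the sleep-based demo
# are constructed here; only the `ipsec auto` invocations come from the post.

# kill_tree PID: terminate PID and its descendants (pgrep -P lists children).
kill_tree() {
    if command -v pgrep >/dev/null 2>&1; then
        for child in $(pgrep -P "$1"); do kill_tree "$child"; done
    fi
    kill -TERM "$1" 2>/dev/null || true
}

# run_with_deadline SECONDS CMD [ARGS...]
# Returns CMD's own exit status, or 124 if it was still running after
# SECONDS (same code coreutils `timeout` reports on expiry).
run_with_deadline() {
    deadline=$1; shift
    "$@" &
    pid=$!
    waited=0
    while kill -0 "$pid" 2>/dev/null; do
        if [ "$waited" -ge "$deadline" ]; then
            kill_tree "$pid"            # polite TERM to the whole tree first
            sleep 1
            kill -9 "$pid" 2>/dev/null || true   # then force it, like the manual workaround
            wait "$pid" 2>/dev/null || true
            return 124
        fi
        sleep 1
        waited=$((waited + 1))
    done
    wait "$pid"
}

# bring_up_backup NAME [SECONDS]: the post's add/up sequence with a deadline on
# --up; if --up hangs, the conn is deleted again so the script can log the
# failure and carry on. Assumed default deadline: 30 seconds.
bring_up_backup() {
    name=$1; deadline=${2:-30}
    ipsec auto --add "$name" || return $?
    rc=0
    run_with_deadline "$deadline" ipsec auto --up "$name" || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "$name: ipsec auto --up did not return within ${deadline}s, deleting conn" >&2
        ipsec auto --delete "$name" || true
    fi
    return $rc
}

# Stand-alone demonstration with sleep standing in for a hung ipsec command.
if [ "${1:-}" = "--demo" ]; then
    rc=0
    run_with_deadline 1 sleep 30 || rc=$?
    echo "hung command wrapped: status $rc"     # 124 after about two seconds
    rc=0
    run_with_deadline 5 true || rc=$?
    echo "quick command wrapped: status $rc"    # 0
fi
```

In route-monitor.sh the call would replace the bare `ipsec auto --up {tunnelname}` with `bring_up_backup {tunnelname} 30`, and the script can branch on the returned status (0 tunnel up, 124 gave up, anything else passed through from ipsec). Run the file with `--demo` to see the two cases without an IPsec stack present.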
 