[Openswan Users] Ipsec auto --up {tunnelname} hangs

Greg Scott GregScott at InfraSupportEtc.com
Wed Jun 18 19:20:50 EDT 2008


> Are you sure? Because ipsec auto releases the whack after 
> 60 seconds, giving your script control back.

Absolutely, positively sure.  The first time I saw this, it was hung for
several days before I dug into it.  With this latest time, I know what
to look for now, so I did my workaround after maybe 10 or 20 minutes or
so.  I keep a log file so I know every time it does anything important.
I can also tell with tcpdump it isn't pinging the MPLS router on the
other end any more.  Based on looking at my log file and watching
tcpdump, I can tell right where the script is sitting.  

When it does the ipsec auto --up and hangs, I can do ps ax in a window
and I see these processes:

[root at lme-fw log]# ps ax | grep Janesville
 3415 ?        S      0:11 bash /firewall-scripts/route-monitor.sh
12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
23742 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up
JanesvillePNT-Everywhere
23744 ?        S      0:00 /bin/sh /usr/libexec/ipsec/auto --up
JanesvillePNT-Everywhere
23750 ?        S      0:00 /usr/libexec/ipsec/whack --name
JanesvillePNT-Everywhere --initiate
10588 pts/2    R+     0:00 grep Janesville
[root at lme-fw log]#
[root at lme-fw log]# kill -9 23750
[root at lme-fw log]# ps ax | grep Janesville
 3415 ?        S      0:11 bash /firewall-scripts/route-monitor.sh
12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
10593 pts/2    R+     0:00 grep Janesville
[root at lme-fw log]#

When I kill the ipsec/whack process, I can see in my script's logfile
that it picks up again and keeps going.  

The right side - the side that hangs - is running this version:

[root at lme-fw log]# ipsec version
Linux Openswan U2.4.5/K2.6.18-1.2798.fc6 (netkey)
See `ipsec --copyright' for copyright information.
[root at lme-fw log]#

The left side is running a newer version:

[root at Janesville-fw1 ~]# ipsec version
Linux Openswan U2.4.9/K2.6.23.1-42.fc8 (netkey)
See `ipsec --copyright' for copyright information.
[root at Janesville-fw1 ~]#

Was that 60 second timeout introduced after 2.4.5?  If I upgrade that
2.4.5 system, should my hangs go away?

And I'll look into --asynch.  Even if I don't get a usable status code,
I can always cook up something to check and make sure the tunnel is
really working.  

- Greg
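Added example, not part of Greg's post and not Openswan code: a POSIX shell wrapper that bounds how long a blocking `ipsec auto --up` may sit in `whack --initiate` before the caller kills it (the manual workaround described above, automated), followed by the kind of "is the tunnel really working" check the post mentions, taken from `ipsec auto --status`. The function names `run_with_timeout`, `tunnel_established` and `bring_up` are my own; the sample status lines are constructed in the shape of Openswan 2.x pluto `--status` output and were not captured from either firewall in the thread.

```shell
#!/bin/sh
# Added example, not the poster's route-monitor.sh and not Openswan code.
# Bounds a blocking "ipsec auto --up" so a stuck whack cannot hang the
# caller, then checks "ipsec auto --status" for an established IPsec SA.

# run_with_timeout SECS CMD [ARGS...]
# Runs CMD in the background with a watchdog that SIGKILLs it after SECS
# seconds. Returns CMD's own exit status, or 124 if the watchdog fired.
run_with_timeout() {
    _secs=$1; shift
    "$@" &
    _cmd=$!
    ( sleep "$_secs"; kill -9 "$_cmd" 2>/dev/null ) &
    _wd=$!
    wait "$_cmd"
    _st=$?
    kill "$_wd" 2>/dev/null          # command finished first: stop the watchdog
    if [ "$_st" -eq 137 ]; then      # 128+9: the watchdog killed it
        _st=124
    fi
    return "$_st"
}

# tunnel_established NAME
# Reads "ipsec auto --status" output on stdin; succeeds only when a Phase 2
# SA for connection NAME is listed as established.
tunnel_established() {
    grep -F "\"$1\"" | grep -q 'IPsec SA established'
}

# bring_up NAME SECS
# Initiates NAME, giving whack at most SECS seconds, logs a timeout to
# stderr, then exits 0 only if the tunnel is actually up afterwards.
bring_up() {
    _name=$1; _limit=$2
    run_with_timeout "$_limit" ipsec auto --up "$_name"
    _rc=$?
    if [ "$_rc" -eq 124 ]; then
        echo "$(date) $_name: 'ipsec auto --up' still blocked after ${_limit}s; killed it" >&2
    fi
    ipsec auto --status | tunnel_established "$_name"
}

# Constructed sample status text in the shape of Openswan 2.x pluto output
# (not captured from either firewall in the thread).
SAMPLE_UP='000 #2: "JanesvillePNT-Everywhere" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27777s; newest IPSEC; eroute owner
000 #1: "JanesvillePNT-Everywhere" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2543s; newest ISAKMP'
SAMPLE_DOWN='000 #1: "JanesvillePNT-Everywhere" STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s'

# Demo on the constructed samples (no ipsec binary needed):
printf '%s\n' "$SAMPLE_UP"   | tunnel_established JanesvillePNT-Everywhere && echo "sample 1: tunnel up"
printf '%s\n' "$SAMPLE_DOWN" | tunnel_established JanesvillePNT-Everywhere || echo "sample 2: tunnel NOT up"
```

On a live system the script would be called as `bring_up JanesvillePNT-Everywhere 60` from the monitoring script. Compared with `ipsec auto --asynch --up`, which returns at once and gives no status, this keeps whack's exit code when it does return and only loses it when the watchdog has to step in; either way the caller decides whether the tunnel is up from the status output, not from whether `auto --up` came back.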