[Openswan Users] Ipsec auto --up {tunnelname} hangs

Greg Scott GregScott at InfraSupportEtc.com
Fri Jun 20 12:47:59 EDT 2008 

> auto=up is not a valid parameter in ipsec.conf and will default to
auto=ignore.
> If you want the connection to start automatically use auto=start.
> If you want the connection added (ready to answer) use auto=add.
> Then it will answer incoming connect requests.
> Note that auto=ignore will not accept incoming connection requests.
> Granted this shouldn't cause a hang, but it will cause connection
failure.

Woops - just to clarify:

I have lots of connections that use auto=start in the conn definitions
in ipsec.conf.  These all work just fine.  

I have one connection - and more to come - that use auto=ignore.  This
is the one with the problem.

I have a script that does backup routing.  A copy runs on both the left
and right sides.  The main circuit is a MPLS cloud and my IPSEC stuff is
supposed to kick in when the MPLS cloud has an outage.  If the MPLS
router on the other side stops answering, then the script does this:

ipsec auto --add {TunnelName}
ipsec auto --up {TunnelName}

And when the MPLS router starts answering again, it does this:

ipsec auto --down {TunnelName}
ipsec auto --delete {TunnelName}

So I dynamically bring this particular tunnel up and down.  Note, this
is not a conn definition, these are linux commands my home-brewed script
does.  

Here is the problem:

When the left side MPLS router has a transient outage, the right side
notices it and takes the above action.  But the left side does not take
the same action because the left side does not notice the outage.

So the left side never sets up the tunnel - but the right side tries to
connect to it and hangs.  It doesn't return any error, it just hangs.  I
documented this in a bunch of previous emails in this thread. 

And now I figured out a way to reproduce the problem any time I want.  I
can tell the right side to start up the tunnel and make sure the left
side does not start it up.  

There are actually 2 tunnels between this particular left side and the
right side. One is a "static" tunnel - defined in the conn definition
with auto=start - and the other is a "dynamic" tunnel - defined as above
with auto=ignore.  ("Static" and "dynamic" are my descriptive words for
this case.)

When the right side tries to bring up the "dynamic" tunnel, it somehow
gets confused with the "static" tunnel and ipsec whack hangs.
Hopefully, all the debug stuff I sent in the middle of last night will
help find the problem.

Btw, I tried auto=add in the conn definitions.  The problem with
auto=add in this case is, it increases the odds of starting the tunnel
up when I don't want it running.  As I recall, somebody pinging a host
on the other side, for example, could start up the tunnel.  But I don't
my tunnel running in this case unless the MPLS is offline.  So I made
the call to do auto=ignore and then create and destroy the tunnel
dynamically at the right times.  

- Greg

More information about the Users mailing list