[Openswan Users] Ipsec auto --up {tunnelname} hangs

Greg Scott GregScott at InfraSupportEtc.com
Fri Jun 20 14:28:33 EDT 2008


> Oh yes - and why 2 tunnels from the same left side to the same right
side?

OK - forget about complicated scripts and backup routing.  I can now
reproduce the problem any time I want without affecting production and
without using any scripts.  

Scenario:

2 Linux IPSEC routers, call them sunrise and sunset.  Sunrise on the
right, sunset on the left.  

We have a "static" tunnel between sunrise and sunset, with a conn
definition auto=start.  The name of the "static" tunnel is
Janesvillecheetah-Everywhere, with an ID of janesvillecheetah.local.
This tunnel is up all the time.  

And we have a "dynamic" tunnel between sunrise and sunset, defined with
auto=ignore.  The name of the "dynamic" tunnel is
JanesvillePNT-Everywhere with an ID of janesvillepnt.local.   This
tunnel goes up and down dynamically.  

On the left side, do this by hand to make sure the tunnel is down and
turned off:

ipsec auto --down JanesvillePNT-Everywhere
ipsec auto --delete JanesvillePNT-Everywhere

On the right side, do this by hand:

ipsec auto --add JanesvillePNT-Everywhere
ipsec auto --up JanesvillePNT-Everywhere

This should return an error - right?  After all, I'm trying to start a
tunnel that doesn't exist on the other end.  But instead, it generates
the following output and then hangs.

[root at lme-fw ~]#
[root at lme-fw ~]# ipsec auto --add JanesvillePNT-Everywhere
[root at lme-fw ~]# ipsec auto --up JanesvillePNT-Everywhere
104 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I1: initiate
003 "JanesvillePNT-Everywhere" #64: ignoring unknown Vendor ID payload
[4f455f5d7b764b67436f4f49]
003 "JanesvillePNT-Everywhere" #64: received Vendor ID payload [Dead
Peer Detection]
003 "JanesvillePNT-Everywhere" #64: received Vendor ID payload [RFC
3947] method set to=110
106 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I2: sent MI2, expecting
MR2
003 "JanesvillePNT-Everywhere" #64: NAT-Traversal: Result using 3: no
NAT detected
108 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: sent MI3, expecting
MR3
003 "JanesvillePNT-Everywhere" #64: we require peer to have ID
'@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3:
INVALID_ID_INFORMATION

(The hang is right here.  This also generates a bunch of debug info
similar to what I posted last night.  Pressing CTRL/C stops the hang and
kills the ipsec whack process that was generated.  And I get a linux
prompt back.)

[root at lme-fw ~]#

I think this hang can be reproduced any time there are two tunnels, and
one of the tunnels goes up and down dynamically, and the tunnel is not
yet added on the other side.  

If this hang is indeed a bug, and there's an easy fix, I'll be happy to
test it.  

- Greg
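The output quoted above shows the failure mode the post describes: pluto prints a `003` line naming the ID it requires and the ID the peer declared, then a `218` line (the ISAKMP notification number 18, INVALID_ID_INFORMATION, reported as 200 + 18), and the `whack` client hangs instead of returning. The following shell snippet is an added example, not part of the original post or of Openswan itself: it parses captured `ipsec auto --up` output to flag the ID mismatch and extract both IDs, and wraps the `--up` call in a wall-clock bound so a stuck `whack` cannot hang a calling script. The sample output is constructed from the lines quoted in the post, and the use of GNU coreutils `timeout` is an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan): classify the
# output of "ipsec auto --up" and bound its run time so a hung whack cannot
# block an operator's script.

# Constructed sample, abbreviated from the whack output quoted in the post.
sample_whack_output() {
    cat <<'EOF'
104 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I1: initiate
108 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: sent MI3, expecting MR3
003 "JanesvillePNT-Everywhere" #64: we require peer to have ID '@janesvillepnt.local', but peer declares '@janesvillecheetah.local'
218 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: INVALID_ID_INFORMATION
EOF
}

# Print the first 2xx status line. Pluto reports an ISAKMP notification as
# 200 + the notification type (218 = INVALID_ID_INFORMATION). Reads stdin.
whack_error_line() {
    grep '^2[0-9][0-9] ' | head -n 1
}

# Print "<expected-id> <declared-id>" taken from the
# "we require peer to have ID ..., but peer declares ..." line on stdin.
id_mismatch() {
    sed -n "s/.*we require peer to have ID '\([^']*\)', but peer declares '\([^']*\)'.*/\1 \2/p"
}

# Classify whack output on stdin as "id-mismatch", "error" (some other
# 2xx notification) or "ok" (no notification seen).
classify_whack_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'INVALID_ID_INFORMATION'; then
        echo id-mismatch
    elif printf '%s\n' "$out" | grep -q '^2[0-9][0-9] '; then
        echo error
    else
        echo ok
    fi
}

# Bring a conn up with a time limit (default 30 s) so that a whack that
# never returns is killed instead of hanging the caller. Assumes GNU
# coreutils "timeout" is installed; exit status 124 means the bound hit.
bounded_up() {
    conn=$1
    secs=${2:-30}
    timeout "$secs" ipsec auto --up "$conn"
}

# Usage against the constructed sample:
#   sample_whack_output | classify_whack_output
#   sample_whack_output | id_mismatch
# Usage on a live router (not run here):
#   bounded_up JanesvillePNT-Everywhere 20 | classify_whack_output
```

Running `bounded_up` through `classify_whack_output` gives a script a definite answer (mismatched IDs versus some other notification versus success) within the bound, whereas the bare `ipsec auto --up` in the post only ends when someone presses CTRL/C.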