[Openswan Users] Ipsec auto --up {tunnelname} hangs

Paul Wouters paul at xelerance.com
Fri Jun 20 16:27:48 EDT 2008


On Fri, 20 Jun 2008, Greg Scott wrote:

> We have a "static" tunnel between sunrise and sunset, with a conn definition auto=start.  The name of the "static"
> tunnel is Janesvillecheetah-Everywhere, with an ID of janesvillecheetah.local.  This tunnel is up all the time. 
> 
> And we have a "dynamic" tunnel between sunrise and sunset, defined with auto=ignore.  The name of the "dynamic" tunnel
> is JanesvillePNT-Everywhere with an ID of janesvillepnt.local.   This tunnel goes up and down dynamically. 

Note that you might see what looks like it picks the "wrong tunnel
name" at times, but that happens because the phase 1's of those are
similar when it starts, so you might see the name change midway through
the negotiation. That's normal.

> On the left side, do this by hand to make sure the tunnel is down and turned off:
> 
> ipsec auto --down JanesvillePNT-Everywhere
> ipsec auto --delete JanesvillePNT-Everywhere
> 
> On the right side, do this by hand:
> 
> ipsec auto --add JanesvillePNT-Everywhere
> ipsec auto --up JanesvillePNT-Everywhere
> 
> This should return an error - right?  After all, I'm trying to start a tunnel that doesn't exist on the other end.  But
> instead, it generates the following output and then hangs.
> 
> [root at lme-fw ~]#
> [root at lme-fw ~]# ipsec auto --add JanesvillePNT-Everywhere
> [root at lme-fw ~]# ipsec auto --up JanesvillePNT-Everywhere
> 104 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I1: initiate
> 003 "JanesvillePNT-Everywhere" #64: ignoring unknown Vendor ID payload [4f455f5d7b764b67436f4f49]
> 003 "JanesvillePNT-Everywhere" #64: received Vendor ID payload [Dead Peer Detection]
> 003 "JanesvillePNT-Everywhere" #64: received Vendor ID payload [RFC 3947] method set to=110
> 106 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I2: sent MI2, expecting MR2
> 003 "JanesvillePNT-Everywhere" #64: NAT-Traversal: Result using 3: no NAT detected
> 108 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: sent MI3, expecting MR3
> 003 "JanesvillePNT-Everywhere" #64: we require peer to have ID '@janesvillepnt.local', but peer declares
> '@janesvillecheetah.local'

Right, since you deleted the one conn, it can only pick the other, which means it picks the wrong
one. It then fails and will try again, though it should release the whack to your script.

> 218 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: INVALID_ID_INFORMATION
> 
> (The hang is right here.  This also generates a bunch of debug info similar to what I posted last night.  Pressing
> CTRL/C stops the hang and kills the ipsec whack process that was generated.  And I get a linux prompt back.)

And the env variables I gave earlier have no effect?

> I think this hang can be reproduced any time there are two tunnels, and one of the tunnels goes up and down dynamically,
> and the tunnel is not yet added on the other side. 
> 
> If this hang is indeed a bug, and there's an easy fix, I'll be happy to  test it. 

It's not a real bug, but auto should release the whack after the error.

Paul
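An added example, not from this thread or from Openswan itself, of the kind of wrapper a script calling `ipsec auto --up` could use while whack is not released after the error: it parses the numeric prefixes that pluto relays through whack (1xx state progress, 003 log lines, 2xx notifications such as the 218 INVALID_ID_INFORMATION above) and runs the command under a timeout so the caller cannot hang. The meaning of the 004 "IPsec SA established" prefix and the 2xx range is assumed from pluto's whack return-code conventions, not stated on this page; the sample lines are constructed from the output quoted above, and `timeout` is the coreutils utility.

```shell
#!/bin/sh
# Added example (not part of the thread): classify "ipsec auto --up" output
# and bound its run time so a hung whack does not block the calling script.

# Constructed sample, taken from the output quoted in the thread.
SAMPLE='104 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I1: initiate
003 "JanesvillePNT-Everywhere" #64: we require peer to have ID '"'"'@janesvillepnt.local'"'"', but peer declares '"'"'@janesvillecheetah.local'"'"'
218 "JanesvillePNT-Everywhere" #64: STATE_MAIN_I3: INVALID_ID_INFORMATION'

# classify_whack_output: read whack lines on stdin and print one verdict:
#   established                 a 004 line (assumed: RC_SUCCESS, IPsec SA established)
#   failed <code> <notify-name> a 2xx line (assumed: 200 + ISAKMP notification number)
#   incomplete                  only 1xx progress / 003 log lines were seen
classify_whack_output() {
  result=incomplete
  while IFS= read -r line; do
    code=${line%% *}          # numeric prefix before the first space
    case "$code" in
      004)          result=established ;;
      2[0-9][0-9])  result="failed $code ${line##* }" ;;  # last token is the notification name
    esac
  done
  echo "$result"
}

# bring_up_conn NAME SECONDS [CMD...]: run "ipsec auto --up NAME" under a
# timeout and print the verdict. Extra arguments replace the command, which
# lets the captured sample be replayed where Openswan is not installed.
bring_up_conn() {
  name=$1; secs=$2; shift 2
  [ $# -gt 0 ] || set -- ipsec auto --up "$name"
  rc=0
  if command -v timeout >/dev/null 2>&1; then
    out=$(timeout "$secs" "$@" 2>&1) || rc=$?
  else
    out=$("$@" 2>&1) || rc=$?     # no timeout available: run unbounded
  fi
  verdict=$(printf '%s\n' "$out" | classify_whack_output)
  # timeout exits 124 when the command was killed; only report "hung" if no
  # failure notification had already arrived before whack stopped returning.
  if [ "$rc" -eq 124 ] && [ "$verdict" = incomplete ]; then
    verdict=hung
  fi
  echo "$verdict"
}

# Replay the constructed sample instead of calling ipsec; on a real host
# the same function would be called as: bring_up_conn JanesvillePNT-Everywhere 60
export SAMPLE
bring_up_conn JanesvillePNT-Everywhere 5 sh -c 'printf "%s\n" "$SAMPLE"'
```

A script that gets "failed 218 INVALID_ID_INFORMATION" back knows the peer matched the other conn (the ID mismatch Paul describes) and can react, for example by retrying after the conn has been added on the far end, instead of sitting on a whack that is never released.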

