[Openswan Users] What would cause ipsec auto --up {tunnelname} to hang?
Greg Scott
GregScott at InfraSupportEtc.com
Mon May 26 02:41:31 EDT 2008
I have a script that does this:
$IPSEC auto --add "${TUNNEL}"
$IPSEC auto --up "${TUNNEL}"
The script is more complex than above - it goes through a decision
process on whether to bring up the tunnel, and then brings down the
tunnel at the appropriate time like this:
$IPSEC auto --down "${TUNNEL}"
$IPSEC auto --delete "${TUNNEL}"
This all works - except that after a couple of passes, I see my script
seems to be hung running
ipsec auto --up
Looking at ps ax, I see these processes running - hopefully this email
client won't butcher the output:
.
.
.
18134 ? S 0:00 /bin/sh /usr/lib/ipsec/_plutoload --wait no --post
18136 ? S 0:00 logger -s -p daemon.error -t ipsec__plutorun
18183 ? S 0:00 _pluto_adns
6273 ? S 0:23 bash /firewall-scripts/route-monitor.sh 12.115.128.14 192.168.3.97 JanesvillePNT-Everywhere 20
14283 ? Ssl 0:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=16
14343 ? S 0:00 /usr/libexec/gam_server
15314 ? Ss 0:00 /usr/bin/esd -terminate -nobeeps -as 2 -spawnfd 25
16938 ? S 0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere
16940 ? S 0:00 /bin/sh /usr/libexec/ipsec/auto --up JanesvillePNT-Everywhere
16942 ? S 0:00 sh
16943 ? S 0:00 awk /^= / { exit $2 } $1 != "002" { print }
16945 ? S 0:00 sh
16946 ? S 0:00 /usr/libexec/ipsec/whack --name JanesvillePNT-Everywhere --initiate
19435 ? Ss 0:00 cupsd.
.
.
.
I see a couple copies of ipsec auto --up running for this tunnel and an
ipsec whack --initiate.
Could there be some timing window, such that ipsec auto --add does not
complete and then I do ipsec auto --up too soon? Or is there some
constraint doing ipsec auto --add and ipsec auto --delete repeatedly on
the same tunnel? This particular system has several IPSEC tunnels to
other systems, and I can bring this specific tunnel up and down by hand
any time. Would it make sense to sleep a couple of seconds between
ipsec auto --add
and
ipsec auto --up?
ipsec version shows the following:
[root@lme-fw ~]# ipsec version
Linux Openswan U2.4.5/K2.6.18-1.2798.fc6 (netkey)
Thanks
- Greg Scott