[Openswan Users] Minimal working ipsec.config
satpal parmar
systems.satpal at gmail.com
Tue Jan 31 06:00:44 EST 2012
Hi All!
I am facing a small problem. I have IPsec running on two Linux boxes.
Now I want to connect them through IPsec tunnels. I built a small
script for this, since otherwise you have to type these commands every time you bring up a connection:
#!/bin/sh
service ipsec stop
service ipsec start
ipsec auto --add test
ipsec auto --up test
I have this on both sides of my connection. My problem is that when I run it
I very often get the following message:
root at vnl-desktop:~# ./ipsec_restart.sh
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-33-generic...
024 need --listen before --initiate
Many times, after a while, I get:
root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec status
IPsec running - pluto pid: 2807
pluto pid 2807
1 tunnels up
some eroutes exist
And in random cases I get:
root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec status
IPsec running - pluto pid: 2807
pluto pid 2807
2 tunnels up
some eroutes exist
At times I also get:
root at R3BTS-CP-PFS1.0# /etc/init.d/ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.33/K2.6.37-svn5271...
ipsec_setup: no default routes detected
I want to automate the whole connection with a 100% success rate
(SAs on both sides). I need help in building a minimal
ipsec.config which will not return unless there is a connection when I
issue "/etc/ipsec.d/start".
Possible cases I see I might have to handle in my config:
a) No IPsec running on the other side, or the other side is down. I will wait
till the box and IPsec are up on the other side.
b) No connection 'test' in the config on the other side. I will wait till the admin adds it.
c) Connection 'test' is not up. Wait till it is up.
So, to say it again: I do not want to report partial success or failure, but
retry/wait till I have SAs on both sides. Is it possible to build
such an ipsec config? Are there any security-related flaws in this
scheme?
Appreciate any input.
-SP
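The script in the post fails with "024 need --listen before --initiate" because "service ipsec start" returns before pluto has finished its "whack --listen", so "ipsec auto --up" races it. The following wrapper is an added example (it is neither the poster's script nor Openswan's own code): it restarts Openswan, polls "ipsec auto --status" until pluto reports its interfaces, adds the connection, and then blocks until the status output shows both an ISAKMP SA and an IPsec SA for the connection, re-issuing --up whenever pluto has no state left for it (cases a, b and c in the post all end up as "keep retrying"). It assumes the Openswan 2.6 status line format reproduced in the SAMPLE_* constants (constructed for the offline self-test, not real captures), a conn named "test", that "ipsec auto --ready" is safe to repeat, and that the peer-side script is the same. The "no default routes detected" message is a separate matter: the startup scripts could not find a default route to resolve %defaultroute, which a script cannot fix; explicit left=/right= addresses in ipsec.conf avoid it. Security-wise the loop changes nothing about the SA itself: authentication and proposals still come from ipsec.conf, the script only decides when to return.

```shell
#!/bin/sh
# ipsec_restart.sh: added example (not the original poster's script, not
# Openswan code). Restart Openswan, wait until pluto is really listening,
# add CONN, bring it up, and do not return until "ipsec auto --status"
# shows both an ISAKMP SA and an IPsec SA for CONN.
# Assumptions: Openswan 2.6 status line format (see SAMPLE_* below), a conn
# called "test", and "ipsec auto --ready" (whack --listen) being safe to repeat.
# Usage: ./ipsec_restart.sh --run      or      ./ipsec_restart.sh --selftest

CONN="${CONN:-test}"
INTERVAL="${INTERVAL:-5}"     # seconds between status polls
TIMEOUT="${TIMEOUT:-0}"       # give up after this many seconds; 0 = wait forever
STATUS_CMD="${STATUS_CMD:-ipsec auto --status}"

# conn_state STATUS_TEXT CONN -> prints none | negotiating | phase1 | established.
# Pluto prints one '000 #N: "conn":port STATE_... (...)' line per state object.
conn_state() {
    _lines=$(printf '%s\n' "$1" | grep "^000 #[0-9]*: \"$2\"") || true
    if printf '%s\n' "$_lines" | grep -q 'IPsec SA established'; then
        echo established
    elif printf '%s\n' "$_lines" | grep -q 'ISAKMP SA established'; then
        echo phase1
    elif [ -n "$_lines" ]; then
        echo negotiating          # a state object exists, nothing established yet
    else
        echo none                 # pluto holds no state for CONN: (re)issue --up
    fi
}

# pluto_listening STATUS_TEXT -> 0 once pluto has bound its interfaces.
# Until "whack --listen" has run there are no "000 interface" lines and
# --up fails with "024 need --listen before --initiate".
pluto_listening() {
    printf '%s\n' "$1" | grep -q '^000 interface '
}

# wait_until CHECK [ARGS] -> 0 when CHECK succeeds, 1 if TIMEOUT expires.
wait_until() {
    _start=$(date +%s)
    until "$@"; do
        if [ "$TIMEOUT" -gt 0 ] && [ $(( $(date +%s) - _start )) -ge "$TIMEOUT" ]; then
            return 1
        fi
        sleep "$INTERVAL"
    done
}

pluto_ready() { pluto_listening "$($STATUS_CMD 2>/dev/null)"; }

# One poll: established -> done. No state at all -> pluto gave up (or never
# started), so issue --up again. "ipsec auto --up" returns after the first
# keying attempt whether or not it succeeded, so this loop is the retry.
conn_established() {
    case $(conn_state "$($STATUS_CMD 2>/dev/null)" "$CONN") in
        established) return 0 ;;
        none) ipsec auto --up "$CONN" >/dev/null 2>&1 ;;
    esac
    return 1
}

main() {
    service ipsec stop
    service ipsec start
    wait_until pluto_ready || { echo "pluto did not start listening" >&2; exit 1; }
    ipsec auto --ready >/dev/null 2>&1   # explicit whack --listen; harmless if already done
    ipsec auto --add "$CONN"
    wait_until conn_established || { echo "$CONN not up within ${TIMEOUT}s" >&2; exit 1; }
    echo "$CONN: ISAKMP SA and IPsec SA established"
}

# Constructed sample status output for the offline self-test (not real captures).
SAMPLE_NOT_LISTENING='000 using kernel interface: netkey
000 "test": 192.0.2.1<192.0.2.1>...192.0.2.2<192.0.2.2>; unrouted; eroute owner: #0'
SAMPLE_NONE="000 interface eth0/eth0 192.0.2.1
$SAMPLE_NOT_LISTENING"
SAMPLE_PHASE1="$SAMPLE_NONE
000 #1: \"test\":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2372s; newest ISAKMP; idle"
SAMPLE_UP="$SAMPLE_PHASE1
000 #2: \"test\":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 27918s; newest IPSEC; eroute owner; isakmp#1; idle"

selftest() {
    ! pluto_listening "$SAMPLE_NOT_LISTENING"                   || return 1
    pluto_listening "$SAMPLE_NONE"                              || return 1
    [ "$(conn_state "$SAMPLE_NONE" test)"   = none ]            || return 1
    [ "$(conn_state "$SAMPLE_PHASE1" test)" = phase1 ]          || return 1
    [ "$(conn_state "$SAMPLE_UP" test)"     = established ]     || return 1
    [ "$(conn_state "$SAMPLE_UP" other)"    = none ]            || return 1
}

case "${1:-}" in
    --run) main ;;
    --selftest) selftest && echo "selftest ok" ;;
esac
```

Run it with --selftest on any box to check the status parsing against the constructed samples, and with --run on both peers; with TIMEOUT left at 0 it behaves as the post asks and never returns until the SAs exist. If pluto should do the retrying itself instead, auto=start plus the default keyingtries=%forever in ipsec.conf gives the same effect without a script, but then nothing blocks until the tunnel is up.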