[Openswan Users] Trouble stopping Openswan

Whit Blauvelt whit at transpect.com
Tue Feb 16 14:38:31 EST 2016


Hi,

Here's the situation: Openswan on one side, a Cisco ASA on the other. The
Openswan side is dual-homed (two ISPs). The Cisco can only handle a single
tunnel at a time to a remote subnet. So for failover if one of our ISP lines
is down - or just flakey - we have a script that shuts down Openswan using
the init.d script that's in the Ubuntu 14.04 package, swaps /etc/ipsec
files for one identical except for the left= IP corresponding to the desired
ISP's line, and then starts Openswan again with the init.d script. Except in
practice it doesn't fully work yet. 

The problem we have is that Openswan's pluto IKE daemon keeps running after
/etc/init.d/ipsec stop, and this can confuse the Cisco to the point where
it's got its routing flapping between tunnels on both of the ISPs - despite
that the Cisco's specs say it's not supposed to allow that. Killing pluto by
hand fixes that, and I can of course incorporate that in our script. But I'm
curious why the problem is even there.

The init.d script calls "ipsec _realsetup stop," which is
/usr/lib/ipsec/_realsetup, which should run "ipsec whack --shutdown" and if
that fails run "kill" against it. So on the face of it it should just work.

Is there a reason for shutdown to either be really slow or just fail in some
circumstances? 

Thanks,
Whit
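As an added example (not the poster's script and not code from the Openswan package), the failover wrapper below does the stop/swap/start sequence described above but refuses to swap configs until pluto is confirmed gone, escalating from `ipsec whack --shutdown` to TERM and then KILL; the config directory and file names, the pgrep-based PID lookup and the timeouts are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): ISP failover that confirms pluto
# has really exited before swapping ipsec.conf. Assumptions: per-ISP configs
# live in $CONF_DIR as ipsec.conf.isp1 / ipsec.conf.isp2; pluto is found via pgrep.
set -eu
CONF_DIR=${CONF_DIR:-/etc/ipsec.d/failover}     # assumed location
IPSEC_CONF=${IPSEC_CONF:-/etc/ipsec.conf}
SHUTDOWN_TIMEOUT=${SHUTDOWN_TIMEOUT:-15}        # seconds allowed for whack --shutdown

# Map an ISP label to its config file; reject anything else.
config_for_isp() {
    case $1 in
        isp1|isp2) printf '%s/ipsec.conf.%s\n' "$CONF_DIR" "$1" ;;
        *) echo "unknown ISP label: $1" >&2; return 1 ;;
    esac
}

# Poll until PID is gone; return 1 if it is still alive after SECONDS.
wait_for_pid_exit() {
    pid=$1 deadline=$2 waited=0
    while kill -0 "$pid" 2>/dev/null; do
        [ "$waited" -ge "$deadline" ] && return 1
        sleep 1; waited=$((waited + 1))
    done
    return 0
}

# Stop Openswan, then escalate only if the init script left pluto behind.
stop_pluto() {
    /etc/init.d/ipsec stop || true
    pid=$(pgrep -x pluto | head -n 1)
    [ -n "$pid" ] || return 0                    # already gone: nothing to do
    ipsec whack --shutdown 2>/dev/null || true   # what _realsetup should have done
    wait_for_pid_exit "$pid" "$SHUTDOWN_TIMEOUT" && return 0
    kill -TERM "$pid" 2>/dev/null || true
    wait_for_pid_exit "$pid" 5 && return 0
    kill -KILL "$pid" 2>/dev/null || true
    wait_for_pid_exit "$pid" 5                   # failure here means "do not proceed"
}

# Swap the config only once the old daemon is confirmed dead, so the ASA
# never sees tunnels from both ISP addresses at once.
failover_to() {
    conf=$(config_for_isp "$1") || return 1
    stop_pluto || { echo "pluto still running; aborting failover" >&2; return 1; }
    cp "$conf" "$IPSEC_CONF"
    /etc/init.d/ipsec start
}

if [ -n "${1:-}" ]; then failover_to "$1"; fi
```

Run as `failover.sh isp2` from the monitoring script; a non-zero exit means the old pluto could not be confirmed dead and the config was left untouched.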

