[Openswan Users] The persistence of pluto on Ubuntu 14.04

Whit Blauvelt whit at transpect.com
Fri May 27 10:05:15 EDT 2016

On Ubuntu 14.04 we have Linux Openswan U2.6.38/K3.13.0-57-generic which is
working fine to connect to a Cisco ASA, basically.

Our problem is on the Openswan end we're dual-homed - two ISP lines -
and we'd like to be able to switch between them for the IPsec tunnel at
will. The Cisco, as it happens, can be configured to accept either, but only
one at a time. 

The /etc/init.d/ipsec script works fine to start Openswan, but it's flawed
in stopping it. It invokes:

ipsec _realsetup stop

Where /usr/lib/ipsec/_realsetup contains this subroutine which sure looks
like it should kill pluto by hook or crook:

        perform test -f $plutopid "&&" "{" \
                if test -d '/proc/`' cat $plutopid '`' ">" /dev/null ";" \
                then \
                        ipsec whack --shutdown "|" grep -v "^002" ";" \
                        sleep 1 ";" \
                        if test -s $plutopid ";" \
                        then \
                                echo "\"Attempt to shut Pluto down failed!  Trying kill:\"" ";" \
                                kill '`' cat $plutopid '`' ";" \
                                sleep 5 ";" \
                        fi ";" \
                else \
                        echo "\"Removing orphaned $plutopid:\"" ";" \
                fi ";" \
                rm -f $plutopid ";" \

        perform $KILLKLIPS
        rm -f /var/run/pluto.pid

But pluto comes back, persistently. Even if I subsequently kill off the
pluto processes which have come back. 

This is a serious problem, because pluto comes back and attempts to
re-establish the old connection. That puts it in competition with the new
one we're trying to start on the other public IP, and confuses the Cisco.

Same problem when we want to shut down Openswan on one firewall and start it
on another, to test failover on that level.

Looks like this might be a persistence "feature" added by Canonical, but so
far I can't find any documentation on what they've done. It certainly breaks
the intent of /usr/lib/ipsec/_realsetup, which is to be able to shut down
ipsec entirely when invoked for that.

Anyone familiar with this problem?
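
One way to see what is bringing pluto back after `ipsec _realsetup stop`, as an added example that is not part of the original post and not Openswan's own code: walk the parent chain of every running pluto process through /proc, so the supervising process shows up by name. The function names and the optional proc-root argument (used to point the functions at a constructed tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find which process keeps
# restarting pluto by printing each pluto's ancestry from /proc/PID/stat.

# proc_ancestry PID [PROC_ROOT]
# Prints "comm(pid) <- parent(ppid) <- ..." up to the top of the tree.
proc_ancestry() {
    pid=$1; root=${2:-/proc}; chain=""
    while [ "$pid" -gt 0 ] 2>/dev/null && [ -r "$root/$pid/stat" ]; do
        stat=$(cat "$root/$pid/stat" 2>/dev/null) || break
        # stat is "pid (comm) state ppid ..."; comm may itself contain
        # spaces or parentheses, so cut at the first "(" and the last ")".
        comm=${stat#*\(}; comm=${comm%\)*}
        rest=${stat##*\) }
        set -- $rest                  # $1 = state, $2 = parent PID
        chain="${chain:+$chain <- }$comm($pid)"
        pid=$2
    done
    printf '%s\n' "$chain"
}

# pids_named NAME [PROC_ROOT]
# Prints the PID of every process whose comm field equals NAME.
pids_named() {
    for d in "${2:-/proc}"/[0-9]*; do
        [ -r "$d/stat" ] || continue
        s=$(cat "$d/stat" 2>/dev/null) || continue
        c=${s#*\(}; c=${c%\)*}
        if [ "$c" = "$1" ]; then echo "${d##*/}"; fi
    done
    return 0
}

# pluto_parents [PROC_ROOT]
# Run after the stop script: one ancestry line per surviving pluto.
pluto_parents() {
    for p in $(pids_named pluto "${1:-/proc}"); do
        proc_ancestry "$p" "${1:-/proc}"
    done
}
```

Running `pluto_parents` a few seconds after the stop, and again after killing the returned pluto processes, shows whether the same parent stays alive and starts new children each time.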

