Re: [Users] 024 need --listen before --initiate... a bug, or a feature?

From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Oct 23 2002 - 23:02:44 CEST


On Wed, 23 Oct 2002, Arsen Drambyan wrote:

> I use FreeSWan 1.98b now, and never had the same problem with 1.91,
> and I think with 1.96 also (though not so sure).
> I have a script doing something like:
>
> /etc/init.d/ipsec stop
> > /var/log/messages
> /etc/init.d/ipsec start
> ipsec auto --add test
> ipsec auto --up test

Some quasi-useful info I posted before on this error:

http://lists.freeswan.org/pipermail/users/2002-August/013563.html

You need to give pluto some time to get its ducks in a row before it can
properly "up" added connections. With auto=start, our mechanisms wait for
the appropriate time before upping the conn. A "sleep 10" before "ipsec auto
--up test" would do the trick.

> Is it a new speedup trick, having some parts running in
> background, while the main script returns? Or it's just a bug?

ipsec setup is now an asynchronous process, as opposed to a synchronous one.
It's more efficient and much quicker, but there is no longer a wait period
until the command can be issued, saving you from some grief. Here's a log
excerpt that shows the result of "ipsec auto --restart && ipsec auto --add
rook-abigail-net":

 Oct 23 16:45:35 rook pluto[9773]: shutting down interface ipsec0/eth0 66.199.183.102
 Oct 23 16:45:41 rook ipsec__plutorun: Starting Pluto subsystem...
 Oct 23 16:45:41 rook pluto[10153]: Starting Pluto (FreeS/WAN Version 1.98)
 Oct 23 16:45:43 rook pluto[10153]: added connection description "rook-abigail-net"
 Oct 23 16:45:44 rook pluto[10153]: added connection description "me-to-anyone"
 Oct 23 16:45:44 rook pluto[10153]: listening for IKE messages
 Oct 23 16:45:44 rook pluto[10153]: adding interface ipsec0/eth0 66.199.183.102

There's a full second between the addition of the conn, and before we receive
the "listening for IKE messages/adding interface" messages. The ipsec auto
--up command falls right in that gap, before the scripts issue "ipsec whack
--listen", and fails with that error.

Given the async nature of the new start scripts, you'll have to re-address
your approach. You could just insist that pluto start listening and be ready by
adding this line:

ipsec auto --ready
ipsec auto --up test

There is some talk of having ipsec auto --up be "deferrable", i.e. having it
queue the --up attempt until a whack socket has been made available by
"--listen".

--
Sam Sgro
sam_at_freeswan.org
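The startup sequence discussed above, reworked as an added example (not code from the original thread): instead of a blind "sleep 10", poll the log for the "listening for IKE messages" line written after pluto's most recent start, and only then issue --up. The function names are this example's own; the log path and the connection name "test" come from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Waits for pluto to report that
# it is listening before bringing a connection up, so "ipsec auto --up" no
# longer races the asynchronous "ipsec whack --listen" in the start scripts.

# Return 0 if LOGFILE contains "listening for IKE messages" logged AFTER the
# most recent "Starting Pluto" line, 1 otherwise. Resetting on every start
# line means a stale "listening" message from a previous run does not count.
pluto_is_listening() {
    logfile=$1
    [ -r "$logfile" ] || return 1
    awk '/Starting Pluto/            { seen = 0 }
         /listening for IKE messages/ { seen = 1 }
         END                          { exit (seen ? 0 : 1) }' "$logfile"
}

# Poll once per second for up to TIMEOUT seconds (default 30).
# Return 0 as soon as pluto is listening, 1 if the deadline passes.
wait_for_pluto_listen() {
    logfile=$1
    timeout=${2:-30}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        pluto_is_listening "$logfile" && return 0
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# The sequence from the thread with the wait inserted before --up.
# Not invoked here; call bring_up_test_conn from a root shell on the gateway.
bring_up_test_conn() {
    /etc/init.d/ipsec restart
    ipsec auto --add test
    if ! wait_for_pluto_listen /var/log/messages 30; then
        echo "pluto did not start listening within 30s; not issuing --up" >&2
        return 1
    fi
    ipsec auto --up test
}
```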


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
This archive was generated by hypermail 2.1.5 : Fri Oct 25 2002 - 05:20:31 CEST