[strongSwan] ipsec_starter strikes charon for pluto's misdeeds
Jan Engelhardt
jengelh at medozas.de
Wed Sep 1 12:57:12 CEST 2010
Greetings.

openSUSE 11.3 currently allows installing strongswan such that it is
possible to omit the pluto daemon from the installation. Now, suppose
there is a typical ipsec.conf that only defines connections, i.e.

    #config setup
    #nothing here
    conn foo
        left=x
        right=y
        etc.
        keyexchange=ikev2 # important

The connection foo is established without problems, however, since pluto
could not be started, ipsec_starter takes the opportunity to send a
stroke to charon too.

    ipsec_starter[4376]: can't execv(/usr/lib/ipsec/pluto,...): No such file or directory
    ipsec_starter[3411]: pluto has died -- restart scheduled (5sec)
    ipsec_starter[3411]: pluto refused to be started
    charon: 09[CFG] received stroke: add connection 'foo'

Subsequently, charon establishes new CHILD_SAs every 5 seconds, leading to

    12:56 s96:/var/log # ipsec status
    Security Associations:
    foo[1]: ESTABLISHED 7 minutes ago, 192.168.100.40[C=DE...]...81.1.2.3[C=DE...]
    foo{1}: INSTALLED, TUNNEL, ESP SPIs: c989a12a_i c7d7b658_o
    foo{1}: 1.0.0.2/32 === 81.20.113.211/32
    foo{2}: INSTALLED, TUNNEL, ESP SPIs: cac8e0a3_i c509a7b2_o
    foo{2}: 1.0.0.2/32 === 81.20.113.211/32
    foo{3}: INSTALLED, TUNNEL, ESP SPIs: cc6f99a6_i c3a94262_o
    foo{3}: 1.0.0.2/32 === 81.20.113.211/32
    foo{4}: INSTALLED, TUNNEL, ESP SPIs: ca73305e_i cee7e1cf_o
    foo{4}: 1.0.0.2/32 === 81.20.113.211/32
    foo{5}: INSTALLED, TUNNEL, ESP SPIs: c3ec46e1_i ca995d15_o
    foo{5}: 1.0.0.2/32 === 81.20.113.211/32
    ...