[strongSwan] ipsec_starter strikes charon for pluto's misdeeds

Jan Engelhardt jengelh at medozas.de
Wed Sep 1 12:57:12 CEST 2010


openSUSE 11.3 currently allows to install strongswan such that it is 
possible to omit the pluto daemon from the installation. Now, suppose 
there is a typical ipsec.conf that only defines connections, i.e.

	#config setup
	#nothing here
	conn foo
		keyexchange=ikev2 # important

The connection foo is established without problems, however, since pluto 
could not be started, ipsec_starter takes the opportunity to send a 
stroke to charon too.

ipsec_starter[4376]: can't execv(/usr/lib/ipsec/pluto,...): No such file or directory
ipsec_starter[3411]: pluto has died -- restart scheduled (5sec)
ipsec_starter[3411]: pluto refused to be started
charon: 09[CFG] received stroke: add connection 'foo'

Subsequently, charon establishes new CHILD_SAs every 5 seconds, leading to

12:56 s96:/var/log # ipsec status
Security Associations:
foo[1]: ESTABLISHED 7 minutes ago,[C=DE...]...[C=DE...]
foo{1}:  INSTALLED, TUNNEL, ESP SPIs: c989a12a_i c7d7b658_o
foo{1}: === 
foo{2}:  INSTALLED, TUNNEL, ESP SPIs: cac8e0a3_i c509a7b2_o
foo{2}: === 
foo{3}:  INSTALLED, TUNNEL, ESP SPIs: cc6f99a6_i c3a94262_o
foo{3}: === 
foo{4}:  INSTALLED, TUNNEL, ESP SPIs: ca73305e_i cee7e1cf_o
foo{4}: === 
foo{5}:  INSTALLED, TUNNEL, ESP SPIs: c3ec46e1_i ca995d15_o
foo{5}: === 

More information about the Users mailing list