[strongSwan] "auto = try_again_later" on DNS problems?

Harald Dunkel harri at afaics.de
Mon Jul 10 20:21:14 CEST 2017


Hi folks,

sometimes starting charon fails with "Temporary failure 
in name resolution", e.g.

Jul 10 19:58:50 00[DMN] Starting IKE charon daemon (strongSwan 5.5.3, Linux 4.11.9-raw, x86_64)
Jul 10 19:58:50 00[CFG] PKCS11 module '<name>' lacks library path
Jul 10 19:58:50 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jul 10 19:58:50 00[CFG]   loaded ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=example Root CA" from '/etc/ipsec.d/cacerts/root-ca.pem'
Jul 10 19:58:50 00[CFG]   loaded ca certificate "C=DE, O=example AG, OU=example Certificate Authority, CN=ws-example-CA" from '/etc/ipsec.d/cacerts/ws-example-CA-public.root-ca.pem'
Jul 10 19:58:50 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jul 10 19:58:50 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jul 10 19:58:50 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jul 10 19:58:50 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jul 10 19:58:50 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jul 10 19:58:50 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/local.sample.de.key.pem'
Jul 10 19:58:50 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark stroke vici updown
Jul 10 19:58:50 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 10 19:58:50 00[JOB] spawning 16 worker threads
Jul 10 19:58:50 05[CFG] received stroke: add connection 'sample-example'
Jul 10 19:58:50 17[LIB] resolving 'gate.example.com' failed: Temporary failure in name resolution
Jul 10 19:58:50 05[CFG]   loaded certificate "C=DE, O=sample.de, CN=local.sample.de, E=jupp at sample.de" from 'local.sample.de.cert.pem'
Jul 10 19:58:50 05[CFG] added configuration 'sample-example'
Jul 10 19:58:50 06[CFG] received stroke: route 'sample-example'
Jul 10 19:58:50 17[LIB] resolving 'gate.example.com' failed: Temporary failure in name resolution
Jul 10 19:58:50 06[CFG] installing trap failed, remote address unknown

I tried both "auto = start" and "auto = route". Of course I can add
the missing DNS entry to /etc/hosts, but I wonder if there is some
smart trick to tell charon to try again later?


Regards
Harri

