[strongSwan] swanctl deadlock

Tobias Brunner tobias at strongswan.org
Wed Nov 18 11:49:49 CET 2020

Hi Volodymyr,

> I'm using call to swanctl in updown script in order to distinguish
> between deleting connection and IKE rekeying, checking for existence of
> IKE session and, thus, trying to avoid unnecessary changes to the network:

You can't detect IKE rekeying from the updown script as no updown event
is generated during it.  If you are referring to reauthentication, it
might be easier to do refcounting.

> but this creates deadlock when I'm restarting service by 'systemctl
> restart strongswan': if there are existing sessions, then first and all
> subsequent calls to swanctl (from updown script) freeze infinitely,
> stopping charon restart itself - progress possible only by repeatedly
> killing every launched 'swanctl' using SIGKILL signal.

While the updown script is called, the daemon's event bus is locked.
This pretty much makes any call from it to the daemon prone to
deadlocks.  Note that vici clients that listen to events don't have that
problem because they are notified asynchronously.
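
Added example, not part of the original message or of strongSwan's own code: one way to do the refcounting suggested above inside the updown script itself, so that the script never calls back into the daemon. The state directory and the key (PLUTO_CONNECTION plus PLUTO_PEER) are assumptions, as are non-overlapping invocations (inferred from the bus being locked while the script runs) and the replacement SA's up event arriving before the old SA's down event.

```shell
#!/bin/sh
# Added example: reference counting in an updown script without calling
# swanctl or any other vici client. State directory and key are assumptions.
: "${REFCOUNT_DIR:=/run/updown-refcount}"   # hypothetical state directory

# refcount_event VERB KEY
# Sets REF_COUNT to the new count and REF_ACTION to first-up, last-down or noop.
# No locking: invocations are assumed not to overlap (see lead-in).
refcount_event() {
    verb=$1
    # Reduce the key to characters that are safe in a file name.
    key=$(printf '%s' "$2" | tr -c 'A-Za-z0-9._-' '_')
    file="$REFCOUNT_DIR/$key"
    mkdir -p "$REFCOUNT_DIR" || return 1
    count=0
    if [ -f "$file" ]; then read -r count < "$file" || true; fi
    # A corrupt or zero-padded value counts as 0.
    case $count in ''|*[!0-9]*|0?*) count=0 ;; esac
    REF_ACTION=noop
    case $verb in
        up-*)
            count=$((count + 1))
            if [ "$count" -eq 1 ]; then REF_ACTION=first-up; fi
            ;;
        down-*)
            # A down event with no recorded up is ignored (stays noop).
            if [ "$count" -gt 0 ]; then
                count=$((count - 1))
                if [ "$count" -eq 0 ]; then REF_ACTION=last-down; fi
            fi
            ;;
    esac
    if [ "$count" -eq 0 ]; then rm -f "$file"; else printf '%s\n' "$count" > "$file"; fi
    REF_COUNT=$count
    return 0
}

# Act only when invoked as an updown script (PLUTO_VERB is set).
if [ -n "${PLUTO_VERB:-}" ]; then
    refcount_event "$PLUTO_VERB" "${PLUTO_CONNECTION:-}-${PLUTO_PEER:-}" || exit 1
    case $REF_ACTION in
        first-up)  : ;;   # apply the network changes here
        last-down) : ;;   # revert the network changes here
    esac
fi
```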

