[strongSwan] swanctl deadlock

Thor Simon Thor.Simon at twosigma.com
Wed Nov 18 13:34:55 CET 2020

I was going to say pretty much the same thing.  However, it really would be nice if, from within updown, it were possible to distinguish a rekeying from the "real" down/up cases.

I appreciate that the verb can't be changed since this would break backwards compatibility, but perhaps an environment variable could be set?

-----Original Message-----
From: Users <users-bounces at lists.strongswan.org> On Behalf Of Noel Kuntze
Sent: Wednesday, November 18, 2020 4:37 AM
To: Volodymyr Litovka <doka.ua at gmx.com>; users at lists.strongswan.org
Subject: Re: [strongSwan] swanctl deadlock


VICI acquires locks to do some stuff, which the updown script also does when it executes to save you the trouble of having to manually/externally serialize all the things you want to do in the updown script.
TL;DR: Don't do that, you get a deadlock with the updown script plugin.

Kind regards


On 18.11.20 at 09:32, Volodymyr Litovka wrote:
> Hi colleagues,
> I'm using a call to swanctl in the updown script in order to distinguish between deleting a connection and IKE rekeying, checking for the existence of an IKE session and, thus, trying to avoid unnecessary changes to the network:
> # if there are no [re-]established SAs for this connection, then delete networking for this connection
> if { [ "$PLUTO_VERB" = "down-client" ] || [ "$PLUTO_VERB" = "down-host" ]; } && [ -z "$(swanctl -l -n -i "${PLUTO_CONNECTION}")" ]; then
>   ip link set "$intf" down
>   ip link del "$intf"
> fi
> but this creates a deadlock when I'm restarting the service with 'systemctl restart strongswan': if there are existing sessions, then the first and all subsequent calls to swanctl (from the updown script) freeze indefinitely, stopping the charon restart itself; progress is possible only by repeatedly killing every launched 'swanctl' with SIGKILL. At the same time, any call to vici also freezes, so this isn't a problem with swanctl but with the vici interface. It doesn't matter whether I call swanctl with or without the '-n' parameter or whether I call vici with the "noblock" parameter set (1) or unset (0) ( vici.Session(sock=s).list_sas({"noblock": 1}) )
> This behaviour raises a few questions:
> 1) can vici be called simultaneously by different processes?
> 2) how is it possible to avoid such deadlocks? The documentation says nothing about the number of vici 'listeners', and the basic idea of increasing the number of these listeners can't be implemented.
> My environment is:
> OS: Ubuntu 20.04.1
> Strongswan: 5.8.2 (5.8.2-1ubuntu3.1)
> Thank you.
> --
> Volodymyr Litovka
>   "Vision without Execution is Hallucination." -- Thomas Edison
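Added example (not from this thread or from the strongSwan project): one way to get the effect Volodymyr is after without calling swanctl from inside the hook, which, as Noel explains, blocks on the locks charon holds while the updown script runs. The script keeps a per-connection count of CHILD_SAs that are up and removes the interface only when that count drops to zero. The state directory, the $intf default and the assumption that a replacement SA comes up before the old one goes down are mine, not the thread's.

```shell
#!/bin/sh
# Added example (not from the thread): an updown hook that never calls
# swanctl/vici from inside the hook. It keeps a per-connection count of
# CHILD_SAs currently up in a state directory and removes the interface only
# when that count reaches 0. Assumes charon runs the script once per CHILD_SA
# up/down with PLUTO_VERB/PLUTO_CONNECTION set, and that in the cases to be
# survived the replacement SA comes up before the old one goes down.

STATE_DIR="${STATE_DIR:-/run/strongswan-updown}"  # assumed state location
intf="${intf:-ipsec0}"                             # as $intf in the thread

# Print the current count for a connection (0 if nothing recorded yet).
sa_count() {
    if [ -r "$STATE_DIR/$1.count" ]; then cat "$STATE_DIR/$1.count"; else echo 0; fi
}

# Apply one up/down event to the counter and print the new value. mkdir is
# atomic, so it serves as a portable mutex between concurrent hook runs; the
# count is clamped at 0 so a stale or missing file cannot wedge the logic.
update_count() { # $1 = PLUTO_VERB, $2 = PLUTO_CONNECTION
    mkdir -p "$STATE_DIR"
    lock="$STATE_DIR/$2.lock"
    while ! mkdir "$lock" 2>/dev/null; do sleep 1; done
    n=$(sa_count "$2")
    case "$1" in
        up-client|up-host)     n=$((n + 1)) ;;
        down-client|down-host) if [ "$n" -gt 0 ]; then n=$((n - 1)); fi ;;
    esac
    echo "$n" > "$STATE_DIR/$2.count"
    rmdir "$lock"
    echo "$n"
}

# The only function that touches the network; separate so tests can stub it.
teardown_interface() { # $1 = interface
    ip link set "$1" down && ip link del "$1"
}

# Hook entry point: tear down only when the last CHILD_SA of this connection
# is gone. No swanctl call here, so nothing can block on charon's locks.
handle_event() { # $1 = PLUTO_VERB, $2 = PLUTO_CONNECTION
    n=$(update_count "$1" "$2")
    case "$1" in
        down-client|down-host) if [ "$n" -eq 0 ]; then teardown_interface "$intf"; fi ;;
    esac
    return 0
}
# charon sets PLUTO_VERB; when sourced for testing, nothing runs automatically.
if [ -n "${PLUTO_VERB:-}" ]; then handle_event "$PLUTO_VERB" "$PLUTO_CONNECTION"; fi
```

A counter left behind by a charon crash that never delivered its down events would keep the interface alive, so clearing the state directory in the service's ExecStartPre is a sensible complement.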
