Ubuntu
openswan package

init.d script does not stop pluto daemon

Bug #1544115 reported by Whit Blauvelt
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openswan (Ubuntu)
New
Undecided
Unassigned

Bug Description

Running "/etc/init.d/ipsec stop" leaves the pluto daemon running, so IKE negotiations continue if the other end is up. This results in a confused connection if, for instance, the purpose of stopping it is to switch the tunnel to a different interface and ISP line with a common peer on the far side, as pluto keeps the peer engaged. The expected behavior, when stopping ipsec, is that all components that it started, it should stop.

Revision history for this message
Whit Blauvelt (whit-launchpad) wrote :

On Ubuntu 14.04 we have Linux Openswan U2.6.38/K3.13.0-57-generic which is
working fine to connect to a Cisco ASA, basically.

Our problem is on the the Openswan end we're dual-homed - two ISP lines -
and we'd like to be able to switch between them for the IPsec tunnel at
will. The Cisco, as it happens, can be configured to accept either, but only
one at a time.

The /etc/init.d/ipsec script works fine to start Openswan, but it's flawed
in stopping it. It invokes:

ipsec _realsetup stop

Where /usr/lib/ipsec/_realsetup contains this subroutine which sure looks
like it should kill pluto by hook or crook:

        perform test -f $plutopid "&&" "{" \
                if test -d '/proc/`' cat $plutopid '`' ">" /dev/null ";" \
                then \
                        ipsec whack --shutdown "|" grep -v "^002" ";" \
                        sleep 1 ";" \
                        if test -s $plutopid ";" \
                        then \
                                echo "\"Attempt to shut Pluto down failed! Trying kill:\"" ";" \
                                kill '`' cat $plutopid '`' ";" \
                                sleep 5 ";" \
                        fi ";" \
                else \
                        echo "\"Removing orphaned $plutopid:\"" ";" \
                fi ";" \
                rm -f $plutopid ";" \
                "}"

        perform $KILLKLIPS
        rm -f /var/run/pluto.pid

But pluto comes back, persistently. Even if I subsequently kill off the
pluto processes which have come back.

This is a serious problem, because pluto comes back and attempts to
re-establish the old connection. That puts it in competition with the new
one we're trying to start on the other public IP, and confuses the Cisco.

Same problem when we want to shut down Openswan on one firewall and start it
on another, to test failover on that level.

Looks like this might be a persistence "feature" added by Canonical, but so
far I can't find any documentation on what they've done. It certainly breaks
the intent of /usr/lib/ipsec/_realsetup, which is to be able to shut down
ipsec entirely when invoked for that.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.