On Ubuntu 14.04 we have Linux Openswan U2.6.38/K3.13.0-57-generic which is
working fine to connect to a Cisco ASA, basically.

Our problem is on the Openswan end we're dual-homed - two ISP lines -
and we'd like to be able to switch between them for the IPsec tunnel at
will. The Cisco, as it happens, can be configured to accept either, but only
one at a time.

The /etc/init.d/ipsec script works fine to start Openswan, but it's flawed
in stopping it. It invokes:

ipsec _realsetup stop

Where /usr/lib/ipsec/_realsetup contains this subroutine which sure looks
like it should kill pluto by hook or crook:

        perform test -f $plutopid "&&" "{" \
                if test -d '/proc/`' cat $plutopid '`' ">" /dev/null ";" \
                then \
                        ipsec whack --shutdown "|" grep -v "^002" ";" \
                        sleep 1 ";" \
                        if test -s $plutopid ";" \
                        then \
                                echo "\"Attempt to shut Pluto down failed!  Trying kill:\"" ";" \
                                kill '`' cat $plutopid '`' ";" \
                                sleep 5 ";" \
                        fi ";" \
                else \
                        echo "\"Removing orphaned $plutopid:\"" ";" \
                fi ";" \
                rm -f $plutopid ";" \
                "}"

        perform $KILLKLIPS
        rm -f /var/run/pluto.pid

But pluto comes back, persistently. Even if I subsequently kill off the
pluto processes which have come back.

This is a serious problem, because pluto comes back and attempts to
re-establish the old connection. That puts it in competition with the new
one we're trying to start on the other public IP, and confuses the Cisco.

Same problem when we want to shut down Openswan on one firewall and start it
on another, to test failover on that level.

Looks like this might be a persistence "feature" added by Canonical, but so
far I can't find any documentation on what they've done. It certainly breaks
the intent of /usr/lib/ipsec/_realsetup, which is to be able to shut down
ipsec entirely when invoked for that.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1544115

Title:
  init.d script does not stop pluto daemon

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openswan/+bug/1544115/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

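An added example, not part of the bug report above and not code from the openswan package: a small POSIX sh script that does what the _realsetup stop path quoted above intends (ipsec whack --shutdown, then SIGTERM, then SIGKILL), but polls for the process to go away instead of using fixed sleeps, and then lists any pluto that has come back together with its parent process. When a daemon keeps reappearing after being killed, the parent pid of the new instance is the first thing to look at, because it is whatever restarted it. The pidfile path, the timeouts, the "stop" argument and the use of procps ps/pgrep are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the bug report or the openswan package):
# stop pluto the way _realsetup intends, then report whether it came
# back and what its parent is.
# Assumptions: the pidfile path below, the timeouts, and that
# `ipsec whack`, `ps` and `pgrep` are on PATH.

PLUTOPID="${PLUTOPID:-/var/run/pluto.pid}"   # assumed default location

# pid_alive PID: succeed if a process with that pid exists
pid_alive() {
    kill -0 "$1" 2>/dev/null
}

# pidfile_pid FILE: print the numeric pid stored in FILE; fail if the
# file is missing, empty, or does not hold a plain integer
pidfile_pid() {
    [ -s "$1" ] || return 1
    pid=$(tr -d '[:space:]' < "$1")
    case "$pid" in
        '' | *[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# wait_gone PID SECS: poll once a second for up to SECS seconds;
# succeed as soon as PID is gone, fail if it is still there afterwards
wait_gone() {
    n=0
    while [ "$n" -lt "$2" ]; do
        pid_alive "$1" || return 0
        sleep 1
        n=$((n + 1))
    done
    if pid_alive "$1"; then
        return 1
    fi
    return 0
}

# stop_pluto: whack --shutdown, then SIGTERM, then SIGKILL, each step
# taken only if the previous one did not get rid of the process
stop_pluto() {
    pid=$(pidfile_pid "$PLUTOPID") || {
        echo "no usable pidfile at $PLUTOPID"
        return 0
    }
    if ! pid_alive "$pid"; then
        echo "removing orphaned $PLUTOPID (pid $pid is gone)"
        rm -f "$PLUTOPID"
        return 0
    fi
    ipsec whack --shutdown 2>/dev/null | grep -v '^002' || true
    if ! wait_gone "$pid" 5; then
        echo "whack --shutdown did not stop pid $pid, sending SIGTERM"
        kill "$pid" 2>/dev/null || true
        if ! wait_gone "$pid" 5; then
            echo "SIGTERM ignored, sending SIGKILL"
            kill -KILL "$pid" 2>/dev/null || true
            wait_gone "$pid" 2 || { echo "pid $pid will not die"; return 1; }
        fi
    fi
    rm -f "$PLUTOPID"
    return 0
}

# report_pluto: list every pluto now running with its parent pid and the
# parent's command line; a parent that is init/upstart or some supervisor,
# rather than the shell you started it from, is what is restarting it
report_pluto() {
    found=0
    for p in $(pgrep -x pluto 2>/dev/null); do
        found=1
        ppid=$(ps -o ppid= -p "$p" | tr -d ' ')
        echo "pluto pid $p  parent $ppid ($(ps -o args= -p "$ppid"))"
    done
    [ "$found" -eq 0 ] && echo "no pluto running"
    return 0
}

# usage: `sh stop-pluto.sh stop` stops pluto, waits, and shows what came back
if [ "${1:-}" = "stop" ]; then
    stop_pluto
    echo "waiting 10s to see whether pluto respawns"
    sleep 10
    report_pluto
fi
```

Run it as root with the "stop" argument right after /etc/init.d/ipsec stop; if report_pluto still lists a pluto, the parent it prints is the process to investigate rather than pluto itself.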