Hi,

The issue is apparently with the systemd service; I started it with init.d/ipsec and it is OK.

The generated package for version 4.9 doesn’t include a unit file.

dpkg -c binaries/libreswan_4.9-1_amd64.deb | grep systemd
drwxr-xr-x root/root 0 2022-10-13 01:00 ./lib/systemd/
drwxr-xr-x root/root 0 2022-10-13 01:00 ./lib/systemd/system-preset/
-rw-r--r-- root/root 145 2022-10-13 01:00 ./lib/systemd/system-preset/90-libreswan.preset

But in package 4.7 it was present:

dpkg -c libreswan_4.7-1_amd64.deb | grep systemd
drwxr-xr-x root/root 0 2022-05-24 01:00 ./lib/systemd/
drwxr-xr-x root/root 0 2022-05-24 01:00 ./lib/systemd/system/
-rw-r--r-- root/root 1531 2022-05-24 01:00 ./lib/systemd/system/ipsec.service
drwxr-xr-x root/root 0 2022-05-24 01:00 ./lib/systemd/system-preset/
-rw-r--r-- root/root 145 2022-05-24 01:00 ./lib/systemd/system-preset/90-libreswan.preset

It was removed in commit:
https://github.com/libreswan/libreswan/commit/20fe3adb398eaafb8dc62df06cf32461aaa817d7

On my server I had copied ipsec.service into /etc/systemd/system/ipsec.service, and when I updated to 4.9 it wasn’t removed.

The unit file I had is the same as in version 4.7:

[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
Wants=network-online.target
After=network-online.target
Documentation=man:ipsec(8) man:pluto(8) man:ipsec.conf(5)

[Service]
Type=notify
Restart=on-failure
# 12 is the shutdown while leaving kernel state. Restarting would still kill kernel state
RestartPreventExitStatus=12
#RestartPreventExitStatus=137 143 SIGTERM SIGKILL

# Set WatchdogSec to the amount of time (in seconds) that systemd will wait
# before restarting an unresponsive pluto.
# EVENT_SD_WATCHDOG updates the heartbeat every 15 seconds, recommended values
# are 60, 90, 120. WatchdogSec=0 disables the action
NotifyAccess=all
WatchdogSec=200

# Check configuration file
ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
# Check for kernel modules
ExecStartPre=/usr/libexec/ipsec/_stackmanager start
# Check for nss database status and migration
ExecStartPre=/usr/sbin/ipsec --checknss
# Check for nflog setup
ExecStartPre=/usr/sbin/ipsec --checknflog
# Start the actual IKE daemon
ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
# Enable for portexcludes support
# ExecStartPost=/usr/libexec/ipsec/portexcludes
ExecStop=/usr/libexec/ipsec/whack --shutdown
# 12 is the exit code of pluto for shutting down "leaving state"
ExecStopPost=/bin/bash -c 'if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi'
ExecStopPost=/usr/sbin/ipsec --stopnflog

[Install]
WantedBy=multi-user.target

I managed to make it work with systemd by changing the service type to Type=simple instead of Type=notify; Pluto is not sending the notification message when starting.

—
Saludos / Regards / Cumprimentos
António Silva

> On 21 Oct 2022, at 10:41, antonio <[email protected]> wrote:
>
> Hi,
>
> I updated from libreswan 4.7 to 4.9; the connection is established OK, but the
> ipsec service is restarting continuously, and that restarts the connection.
>
> The restart is provoked by systemd, because the service is not starting
> normally; it gives a timeout and that triggers the restart.
>
> I later removed the connection definition from the configuration and tried to
> start ipsec and I got the same error, timeout.
> Reverting to version 4.7, everything is OK.
>
> I can’t see where the timeout is.
>
> [10:36:15][beelink][~]# systemctl start ipsec
> Job for ipsec.service failed because a timeout was exceeded.
> See "systemctl status ipsec.service" and "journalctl -xe" for details.
>
> Small log before it timed out:
>
> Oct 21 10:37:37 beelink pluto[21609]: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
> Oct 21 10:37:37 beelink pluto[21609]: | spent 0.132 (0.133) milliseconds in in connection_check_ddns for hostname lookup
> Oct 21 10:37:37 beelink pluto[21609]: | spent 0.191 (0.189) milliseconds in global timer EVENT_PENDING_DDNS
> Oct 21 10:37:37 beelink pluto[21609]: | processing global timer EVENT_SHUNT_SCAN
> Oct 21 10:37:37 beelink pluto[21609]: | kernel: checking for aged bare shunts from shunt table to expire
> Oct 21 10:37:37 beelink pluto[21609]: | spent 0.0442 (0.0416) milliseconds in global timer EVENT_SHUNT_SCAN
> Oct 21 10:37:57 beelink pluto[21609]: | processing global timer EVENT_SHUNT_SCAN
> Oct 21 10:37:57 beelink pluto[21609]: | kernel: checking for aged bare shunts from shunt table to expire
> Oct 21 10:37:57 beelink pluto[21609]: | spent 0.0614 (0.049) milliseconds in global timer EVENT_SHUNT_SCAN
> Oct 21 10:38:07 beelink systemd[1]: ipsec.service: Start operation timed out. Terminating.
>
> Full log here: https://pastebin.com/qJ7DY9QU
> Thanks.
>
> —
> Saludos / Regards / Cumprimentos
> António Silva
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
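Added example (not part of the original message and not libreswan project code): a shell check for the situation described in this thread, where an upgrade drops a packaged unit file while a local copy stays behind and keeps being used. The function names and the temporary directory layout are assumptions; the sample listings are constructed from the `dpkg -c` output quoted in the message.

```shell
#!/bin/sh
# Added example. Input: two `dpkg -c` listings saved to files, e.g.
#   dpkg -c libreswan_4.7-1_amd64.deb > old.txt

# Print unit files shipped in listing $1 (old) but not in listing $2 (new).
dropped_units() {
    awk -v new="$2" '
        function unit(path,   p, n) { n = split(path, p, "/"); return p[n] }
        BEGIN {
            re = "/lib/systemd/system/[^/]+\\.(service|socket|timer|target)$"
            while ((getline line < new) > 0) {
                n = split(line, f, " ")
                if (f[n] ~ re) have[unit(f[n])] = 1
            }
        }
        $NF ~ re && !(unit($NF) in have) { print unit($NF) }' "$1" | sort -u
}

# Of those, report the ones still present in the local unit dir $3
# (/etc/systemd/system on a real host) together with the Type= they declare.
stale_local_units() {
    dropped_units "$1" "$2" | while read -r unit; do
        [ -f "$3/$unit" ] || continue
        type=$(sed -n 's/^Type=//p' "$3/$unit" | tail -n 1)
        # systemd defaults to Type=simple when ExecStart= is set and Type= is absent
        printf '%s Type=%s\n' "$unit" "${type:-simple}"
    done
}

# Constructed sample data: listings abridged from the message, plus a
# stand-in for the leftover local copy of the 4.7 unit.
demo() {
    d=$(mktemp -d)
    cat > "$d/old.txt" <<'EOF'
-rw-r--r-- root/root 1531 2022-05-24 01:00 ./lib/systemd/system/ipsec.service
-rw-r--r-- root/root 145 2022-05-24 01:00 ./lib/systemd/system-preset/90-libreswan.preset
EOF
    cat > "$d/new.txt" <<'EOF'
drwxr-xr-x root/root 0 2022-10-13 01:00 ./lib/systemd/system-preset/
-rw-r--r-- root/root 145 2022-10-13 01:00 ./lib/systemd/system-preset/90-libreswan.preset
EOF
    mkdir "$d/etc"
    printf '[Service]\nType=notify\nWatchdogSec=200\n' > "$d/etc/ipsec.service"
    stale_local_units "$d/old.txt" "$d/new.txt" "$d/etc"
    rm -rf "$d"
}
demo
```

A unit reported with `Type=notify` is the case from the thread: systemd waits for a readiness notification from the daemon and terminates the start job on timeout if none arrives.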
