Description of problem:

I start my computer and bring up the ipsec connection:

ipsec auto --up CERT-CLIENT03
022 "CERT-CLIENT03": We cannot identify ourselves with either end of this connection.

ipsec status
...
000
000 Total IPsec connections: loaded 2, active 0
000
000 State list:
000
000 Shunt list:
000

systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: active (running) since Sun 2013-11-03 20:10:08 MSK; 1h 25min ago
 Main PID: 1045 (sh)
   CGroup: name=systemd:/system/ipsec.service
           ├─1045 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`...
           ├─1048 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`...
           ├─1049 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─1265 _pluto_adns

Nov 03 20:10:15 n5050.home pluto[1049]: loading certificate from client02
Nov 03 20:10:15 n5050.home pluto[1049]: could not open host cert with nick name 'client02' in NSS DB
Nov 03 20:10:15 n5050.home pluto[1049]: loading certificate from server01
Nov 03 20:10:15 n5050.home pluto[1049]: could not open host cert with nick name 'server01' in NSS DB
Nov 03 20:10:15 n5050.home pluto[1049]: added connection description "L2TP-CERT-CLIENT"
Nov 03 20:10:15 n5050.home pluto[1049]: loading certificate from client03
Nov 03 20:10:15 n5050.home pluto[1049]: added connection description "CERT-CLIENT03"
Nov 03 20:10:15 n5050.home sh[1045]: pluto: chdir() do dumpdir failed (2: No such file or directory)
Nov 03 21:17:45 n5050.home pluto[1049]: "CERT-CLIENT03": We cannot identify ourselves with either end ...ion.
Nov 03 21:25:46 n5050.home pluto[1049]: "CERT-CLIENT03": We cannot identify ourselves with either end ...ion.

ipsec auto --up CERT-CLIENT03
022 "CERT-CLIENT03": We cannot identify ourselves with either end of this connection.
systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: active (running) since Sun 2013-11-03 20:10:08 MSK; 1h 29min ago
 Main PID: 1045 (sh)
   CGroup: name=systemd:/system/ipsec.service
           ├─1045 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`...
           ├─1048 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`...
           ├─1049 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─1265 _pluto_adns

Nov 03 20:10:15 n5050.home pluto[1049]: could not open host cert with nick name 'client02' in NSS DB
Nov 03 20:10:15 n5050.home pluto[1049]: loading certificate from server01
Nov 03 20:10:15 n5050.home pluto[1049]: could not open host cert with nick name 'server01' in NSS DB
Nov 03 20:10:15 n5050.home pluto[1049]: added connection description "L2TP-CERT-CLIENT"
Nov 03 20:10:15 n5050.home pluto[1049]: loading certificate from client03
Nov 03 20:10:15 n5050.home pluto[1049]: added connection description "CERT-CLIENT03"
Nov 03 20:10:15 n5050.home sh[1045]: pluto: chdir() do dumpdir failed (2: No such file or directory)
Nov 03 21:17:45 n5050.home pluto[1049]: "CERT-CLIENT03": We cannot identify ourselves with either end ...ion.
Nov 03 21:25:46 n5050.home pluto[1049]: "CERT-CLIENT03": We cannot identify ourselves with either end ...ion.
Nov 03 21:38:38 n5050.home pluto[1049]: "CERT-CLIENT03": We cannot identify ourselves with either end ...ion.
systemctl restart ipsec
systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: active (running) since Sun 2013-11-03 21:40:14 MSK; 3s ago
  Process: 4605 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 4602 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 4599 ExecStop=/usr/sbin/ipsec whack --shutdown (code=exited, status=0/SUCCESS)
  Process: 4610 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 4607 ExecStartPre=/usr/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
 Main PID: 4671 (sh)
   CGroup: name=systemd:/system/ipsec.service
           ├─4671 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`...
           ├─4674 /bin/sh -c eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`...
           ├─4675 /usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork
           └─4701 _pluto_adns

Nov 03 21:40:14 n5050.home pluto[4675]: could not open host cert with nick name 'client02' in NSS DB
Nov 03 21:40:14 n5050.home pluto[4675]: "/etc/ipsec.d/clients.secrets" line 2: NSS certficate not found
Nov 03 21:40:14 n5050.home pluto[4675]: loaded private key for keyid: PPK_RSA:AwEAAcTOe
Nov 03 21:40:15 n5050.home pluto[4675]: loading certificate from client02
Nov 03 21:40:15 n5050.home pluto[4675]: could not open host cert with nick name 'client02' in NSS DB
Nov 03 21:40:15 n5050.home pluto[4675]: loading certificate from server01
Nov 03 21:40:15 n5050.home pluto[4675]: could not open host cert with nick name 'server01' in NSS DB
Nov 03 21:40:15 n5050.home pluto[4675]: added connection description "L2TP-CERT-CLIENT"
Nov 03 21:40:15 n5050.home pluto[4675]: loading certificate from client03
Nov 03 21:40:15 n5050.home pluto[4675]: added connection description "CERT-CLIENT03"

ipsec auto --up CERT-CLIENT03
104 "CERT-CLIENT03" #1: STATE_MAIN_I1: initiate
...
It connects, no problem!

Version-Release number of selected component (if applicable):
systemd-204-17.fc19.x86_64
libreswan-3.5-2.fc19.x86_64
Might be some race issue with the network being up. Unlikely to be related to systemd itself, though.
I understand systemd affects the boot. Why, then, when I do systemctl restart ipsec, does everything become normal? Or are you saying that this is not a correct file:

/usr/lib/systemd/system/ipsec.service

[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
After=syslog.target
After=network.target
#After=remote-fs.target

[Service]
Type=simple
Restart=always
# backwards compatible with plutorestartoncrash=no
#RestartPreventExitStatus=137 143 SIGTERM SIGKILL
EnvironmentFile=-/etc/sysconfig/pluto
#Environment=IPSEC_LIBDIR=/usr/libexec/ipsec
#Environment=IPSEC_SBINDIR=/usr/sbin
#Environment=IPSEC_EXECDIR=/usr/libexec/ipsec/ipsec
#PIDFile=/var/run/pluto/pluto.pid
#
ExecStartPre=/usr/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
ExecStartPre=/usr/libexec/ipsec/_stackmanager start
ExecStart=/bin/sh -c 'eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
ExecStop=/usr/sbin/ipsec whack --shutdown
ExecStopPost=/sbin/ip xfrm policy flush
ExecStopPost=/sbin/ip xfrm state flush
ExecReload=/usr/sbin/ipsec whack --listen

[Install]
WantedBy=multi-user.target
Alias=libreswan.service

I think the libreswan authors do not care who runs it and how.
(In reply to mx from comment #2)
> I understand systemd affects the boot.

Sure. So does e.g. bash.

> Why, then, when I do systemctl restart ipsec, does everything become normal?

Probably because some conditions which are necessary for ipsec to start were not satisfied the first time, but are later on.

> Or are you saying that this is not a correct file:
> /usr/lib/systemd/system/ipsec.service
>
> [Unit]
> Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
> After=syslog.target

Don't need this line.

> After=network.target

This means that network interfaces are up (see http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/).

> #After=remote-fs.target
>
> [Service]
> Type=simple
> Restart=always
> # backwards compatible with plutorestartoncrash=no
> #RestartPreventExitStatus=137 143 SIGTERM SIGKILL
> EnvironmentFile=-/etc/sysconfig/pluto
> #Environment=IPSEC_LIBDIR=/usr/libexec/ipsec
> #Environment=IPSEC_SBINDIR=/usr/sbin
> #Environment=IPSEC_EXECDIR=/usr/libexec/ipsec/ipsec
> #PIDFile=/var/run/pluto/pluto.pid
> #
> ExecStartPre=/usr/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig
> ExecStartPre=/usr/libexec/ipsec/_stackmanager start
> ExecStart=/bin/sh -c 'eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'

Why not
ExecStart=/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS
?

> ExecStop=/usr/sbin/ipsec whack --shutdown
> ExecStopPost=/sbin/ip xfrm policy flush
> ExecStopPost=/sbin/ip xfrm state flush
> ExecReload=/usr/sbin/ipsec whack --listen
>
> [Install]
> WantedBy=multi-user.target
> Alias=libreswan.service
>
> I think the libreswan authors do not care who runs it and how.

So, I don't see anything in the unit file that would be clearly wrong. I don't know too much about ipsec, haven't used it for years. Where is it loading "host cert with nick name 'server01'" from? Does this require network access, some specific service to be running, or access to some filesystem other than root?
The section with server01 is not related to launching the CERT-CLIENT03 section; those are other options for other profiles. Please do not pay attention to them.

> Why not
> ExecStart=/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS
> ?

I do not know. This file is the one shipped in the package; might it not work as it should?
I changed the line to:

ExecStart=/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS

Failed result:
---
[root@n5050 ~]# ipsec auto --up CERT-CLIENT03
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
[root@n5050 ~]# ipsec auto --up CERT-CLIENT03
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
[root@n5050 ~]# systemctl restart ipsec
[root@n5050 ~]# ipsec auto --up CERT-CLIENT03
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
[root@n5050 ~]# systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled)
   Active: failed (Result: start-limit) since Mon 2013-11-04 21:04:27 MSK; 41s ago
  Process: 2966 ExecStopPost=/sbin/ip xfrm state flush (code=exited, status=0/SUCCESS)
  Process: 2964 ExecStopPost=/sbin/ip xfrm policy flush (code=exited, status=0/SUCCESS)
  Process: 2961 ExecStop=/usr/sbin/ipsec whack --shutdown (code=exited, status=1/FAILURE)
  Process: 2959 ExecStart=/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS (code=exited, status=1/FAILURE)
  Process: 2898 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
  Process: 2895 ExecStartPre=/usr/sbin/ipsec addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)

Nov 04 21:04:27 n5050.home systemd[1]: ipsec.service: control process exited, code=exited status=1
Nov 04 21:04:27 n5050.home systemd[1]: Unit ipsec.service entered failed state.
Nov 04 21:04:27 n5050.home systemd[1]: ipsec.service holdoff time over, scheduling restart.
Nov 04 21:04:27 n5050.home systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for ...c...
Nov 04 21:04:27 n5050.home systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for ...c...
Nov 04 21:04:27 n5050.home systemd[1]: ipsec.service start request repeated too quickly, refusin...art.
Nov 04 21:04:27 n5050.home systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daem...sec.
Nov 04 21:04:27 n5050.home systemd[1]: Unit ipsec.service entered failed state.
(In reply to mx from comment #4)
> The section with server01 is not related to launching the CERT-CLIENT03 section;
> those are other options for other profiles.
> Please do not pay attention to them.

OK.

> > Why not
> > ExecStart=/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS
> > ?
> I do not know. This file is the one shipped in the package; might it not work as it should?

It's just inefficient and ugly, that's all.

If the network is configured by NetworkManager, can you try:

systemctl enable NetworkManager-wait-online.service

(The meaning is described in the wiki link I posted above.)
The reason for the "eval" construct is to avoid failures when environment variables are unset and used on a systemd line. So if PLUTO_OPTIONS is unset, it will still run properly using an eval, but it would die if not using eval.

This might indeed be related to NetworkManager. Let me know if the workaround of comment #6 works.
I used:

systemctl enable NetworkManager-wait-online.service

and it works! Thank you all!
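The thread's diagnosis is that pluto starts after network.target, which only means the network management stack has started, and so loads its connections before any interface has an address; enabling NetworkManager-wait-online.service was what fixed it for the reporter. The script below is an added example, not part of the bug report or of the libreswan package: it makes the ordering explicit with a systemd drop-in for ipsec.service (Wants=/After=network-online.target) and has a check that reports whether a unit file plus its drop-ins already carries that ordering. The drop-in file name, the root-prefix argument used so the demo runs against a scratch directory instead of the live host, and the assumption that NetworkManager-wait-online.service is ordered before network-online.target on the target system are all mine, not the page's.

```sh
#!/bin/sh
# Added example (not from the bug report or libreswan): order ipsec.service
# after network-online.target via a drop-in, and check for that ordering.
# The root-prefix argument is an assumption for offline use; pass "" on a
# real host so the drop-in lands under /etc/systemd/system.
set -eu

# Succeed if the unit file ($1) or any *.conf drop-in in directory ($2)
# has an After= line naming network-online.target as a whole word.
unit_waits_for_network_online() {
    { cat "$1"; cat "$2"/*.conf 2>/dev/null || true; } |
        grep -Eq '^After=(.*[[:space:]])?network-online\.target([[:space:]]|$)'
}

# Write the drop-in below the root prefix ($1, "" for the live system) and
# print its path.  Wants= pulls the target in; After= delays pluto until it
# has been reached, i.e. until interfaces have addresses.
write_network_online_dropin() {
    dir="${1:-}/etc/systemd/system/ipsec.service.d"
    mkdir -p "$dir"
    cat > "$dir/network-online.conf" <<'EOF'
# Drop-in for ipsec.service (added example).  network.target only means the
# network management stack has started; network-online.target means the
# network is configured (NetworkManager-wait-online.service, when enabled,
# is assumed to hold it back until that is true).
[Unit]
Wants=network-online.target
After=network-online.target
EOF
    printf '%s\n' "$dir/network-online.conf"
}

# Demonstration in a scratch root: the unit text is constructed here from the
# fragment quoted in the report, so nothing on the host is touched.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/lib/systemd/system"
    cat > "$root/usr/lib/systemd/system/ipsec.service" <<'EOF'
[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
After=syslog.target
After=network.target

[Service]
Type=simple
ExecStart=/bin/sh -c 'eval `/usr/libexec/ipsec/pluto --config /etc/ipsec.conf --nofork $PLUTO_OPTIONS`'
EOF
    unit="$root/usr/lib/systemd/system/ipsec.service"
    dropin_dir="$root/etc/systemd/system/ipsec.service.d"
    if unit_waits_for_network_online "$unit" "$dropin_dir"; then
        echo "before: already ordered after network-online.target"
    else
        echo "before: only After=network.target (races interface configuration)"
    fi
    write_network_online_dropin "$root" >/dev/null
    if unit_waits_for_network_online "$unit" "$dropin_dir"; then
        echo "after: drop-in orders ipsec.service after network-online.target"
    fi
    rm -rf "$root"
}

demo
```

On the live host, call write_network_online_dropin "" as root, then run systemctl enable NetworkManager-wait-online.service, systemctl daemon-reload and systemctl restart ipsec, and confirm with systemctl show -p After ipsec.service that network-online.target now appears in the ordering. The drop-in is additive to the package's unit file, so it survives package updates and is the reason to prefer it over editing /usr/lib/systemd/system/ipsec.service directly.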