Red Hat Bugzilla – Bug 432805
ipsec restart does not work
Last modified: 2013-08-05 20:43:09 EDT
Description of problem:
'service ipsec restart' tries to reload kernel modules and fails restarting.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. service ipsec restart
Shutting down IPsec: Stopping Openswan IPsec...
[ OK ]
Starting IPsec: Starting Openswan IPsec 2.6.07...
FATAL ERROR: Both KLIPS and NETKEY IPsec code is present in kernel
OOPS, should have aborted! Broken shell!
[ OK ]
Seems that manual 'start & stop & start' works. Restart doesn't, even if you add
sleep between start_it & stop_it.
Klips check seems to be the reason - it looks for /proc/net/ipsec/version which
seems to be there on restart. In this case having /proc/net/ipsec/version does
not mean klips being actually present. Off to kernel code to check who creates
this proc element and more importantly, why.
Not only does the _startklips thing seem broken, but the more obvious question is
why it would get called in the first place.
$IPSECprotostack evaluation in _realsetup seems to yield result that we would be
using klips - and only on restart :)
Or more specifically, it's this:
elif test -f $kamepfkey
Which seems to think that /proc/net/pfkey is not there. Probably it has not shown
up yet by that time, so trying to sleep it.
Not the sleep, but instead the whole evaluation does not make sense. As is the
case with most of the stack evaluation(s) all around the scripts. Uh-oh.
Negating the evaluation to elif 'test ! -f $kamepfkey' makes it work (and these
types of 'fixes' seem to be deployed all around the code) but nevertheless,
evaluation is still bogus. What this would really need is a considerable rewrite
when it comes to evaluating which stack is being used - and the same method
should be used everywhere.
[ -e /proc/net/pfkey ] || /sbin/modprobe af_key &>/dev/null
in ipsec 'restart' solves it as well as it can be without rewriting anything.
Created attachment 295024
This is already solved in the current GIT #testing (2.5) version, and will be
updated in the next release of GIT #ikev2 (2.6)
Actually, the issue was not entirely solved. I've made some minor changes.
The best option now is to add protostack=netkey to the ipsec.conf's "config
setup" section. Then most of the script won't be called, and netkey will be
assumed, and even if the kernel modules are not loaded, they'll get loaded.
Fixed in 2.6.08 (and 2.6.09
paul, which file is this fixed in? I don't see any changes to
programs/setup/setup.in, which is where I'd expect to see changes to the init
script. I'm missing something.
The change is in programs/_realsetup/_realsetup.in
if test \! -f $kamepfkey
netkey=true; klips=false; mast=false;;
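The stack evaluation argued about in the comments above (the /proc/net/pfkey test and the reporter's modprobe workaround) and the one-line change in _realsetup.in, written out as an added shell example that is not Openswan's script and not code from anyone in this thread. The marker paths and the module loader are passed as arguments (assumed names) so the check can be run against constructed files instead of the live /proc.

```shell
#!/bin/sh
# Added example, not the Openswan init script. On a live system the
# assumed arguments would be:
#   klips marker  /proc/net/ipsec/version
#   pfkey marker  /proc/net/pfkey
#   loader        "/sbin/modprobe af_key"

# load_pfkey PFKEY_MARKER LOADER
#   The reporter's workaround: if the pfkey marker is absent, load af_key
#   before deciding anything. Returns 0 if the marker exists afterwards.
load_pfkey() {
    pfkey_marker="$1"
    loader="$2"
    [ -e "$pfkey_marker" ] || $loader >/dev/null 2>&1
    [ -e "$pfkey_marker" ]
}

# detect_ipsec_stack KLIPS_MARKER PFKEY_MARKER LOADER
#   Prints one of: netkey, klips, both, none. The pfkey marker is
#   re-checked only after the loader has had its chance, so a
#   /proc/net/pfkey that is momentarily missing on restart is no longer
#   mistaken for "KLIPS only".
detect_ipsec_stack() {
    klips_marker="$1"
    pfkey_marker="$2"
    loader="$3"
    have_pfkey=false
    have_klips=false
    load_pfkey "$pfkey_marker" "$loader" && have_pfkey=true
    [ -f "$klips_marker" ] && have_klips=true
    if $have_pfkey && $have_klips; then
        echo both       # the "Both KLIPS and NETKEY" FATAL ERROR case
    elif $have_pfkey; then
        echo netkey
    elif $have_klips; then
        echo klips
    else
        echo none
    fi
}

# Stand-alone use on a live system (assumed paths):
# detect_ipsec_stack /proc/net/ipsec/version /proc/net/pfkey "/sbin/modprobe af_key"
```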
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.