Hi Nick, Yes, the line After is present.
There is an issue with network-online that doesn't wait long enough, so the ipsec service will start without having a default route. This is caused because my DHCP server is slow to assign an IP; setting a static IP the issue is not present, and the ipsec service starts OK.

My final ipsec.service:

[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
Wants=network-online.target
After=network-online.target
Documentation=man:ipsec(8) man:pluto(8) man:ipsec.conf(5)

[Service]
Type=notify
Restart=on-failure
# 12 is the shutdown while leaving kernel state. Restarting would still kill kernel state
RestartPreventExitStatus=12
#RestartPreventExitStatus=137 143 SIGTERM SIGKILL
# Set WatchdogSec to the amount of time (in seconds) that systemd will wait
# before restarting an unresponsive pluto.
# EVENT_SD_WATCHDOG updates the heartbeat every 15 seconds, recommended values
# are 60, 90, 120. WatchdogSec=0 disables the action
NotifyAccess=all
WatchdogSec=200
# check internet connectivity
ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'
# Check configuration file
ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
# Check for kernel modules
ExecStartPre=/usr/libexec/ipsec/_stackmanager start
# Check for nss database status and migration
ExecStartPre=/usr/sbin/ipsec --checknss
# Check for nflog setup
ExecStartPre=/usr/sbin/ipsec --checknflog
# Start the actual IKE daemon
ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
# Enable for portexcludes support
# ExecStartPost=/usr/libexec/ipsec/portexcludes
ExecStop=/usr/libexec/ipsec/whack --shutdown
# 12 is the exit code of pluto for shutting down "leaving state"
ExecStopPost=/bin/bash -c 'if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi'
ExecStopPost=/usr/sbin/ipsec --stopnflog

[Install]
WantedBy=multi-user.target

--
Saludos / Regards / Cumprimentos
António Silva

> On 9 Sep 2021, at 12:07, Nick Howitt <n...@howitts.co.uk> wrote:
>
> Can you check the unit file and see if it has a line:
> After=network-online.target
>
> If it does not, try adding it?
>
> Nick
>
> On 09/09/2021 10:42, António Silva wrote:
>> Hi,
>> I changed the ipsec.service and added to it:
>> # check internet connectivity
>> ExecStartPre=/bin/sh -c 'until ping -c1 1.1.1.1; do sleep 1; done;'
>> This solves it; ipsec waits to have an external connection before starting.
>> --
>> Saludos / Regards / Cumprimentos
>> António Silva
>>> On 8 Sep 2021, at 15:55, António Silva <asi...@wirelessmundi.com> wrote:
>>>
>>> Hi,
>>>
>>> I've found an issue where my tunnel is not up after I reboot my machine; if I connect via ssh and restart ipsec, it connects, no errors.
>>>
>>> What I notice is that it is because the network is not enabled yet, I mean, no DNS to resolve the right address; from the logs I get:
>>>
>>> [16:47:48][beelink][~]# systemctl status ipsec
>>> ● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
>>>      Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
>>>      Active: active (running) since Wed 2021-09-08 16:46:24 CEST; 1min 25s ago
>>>        Docs: man:ipsec(8)
>>>              man:pluto(8)
>>>              man:ipsec.conf(5)
>>>    Main PID: 1224 (pluto)
>>>      Status: "Startup completed."
>>>       Tasks: 4 (limit: 4597)
>>>      Memory: 11.8M
>>>         CPU: 1.529s
>>>      CGroup: /system.slice/ipsec.service
>>>              └─1224 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
>>>
>>> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": we cannot identify ourselves with either end of this connection. 192.168.1.60 or <unset-address> are not usable
>>> Sep 08 16:46:24 beelink pluto[1224]: "tunnel1": failed to initiate connection
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:26 beelink pluto[1224]: netlink_acquire got message with length 60 < 232 bytes; ignore message
>>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
>>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 52 < 232 bytes; ignore message
>>> Sep 08 16:46:39 beelink pluto[1224]: netlink_acquire got message with length 36 < 232 bytes; ignore message
>>> Sep 08 16:47:24 beelink pluto[1224]: EXPECTATION FAILED: c->host_pair != ((void *)0) (connection_check_ddns1() +1141 programs/pluto/initiate.c)
>>>
>>> To reproduce it, I've set up my machine to use a DHCP address; the DHCP server is slow to reply with the address, so ipsec starts before I have a valid IP.
>>> If I set a static IP everything works as expected.
>>>
>>> Can we set the timeout to wait for a valid DNS/connection before it fails?
>>>
>>> Using libreswan v4.5 in Debian buster.
>>>
>>> Thanks.
>>>
>>> --
>>> Saludos / Regards / Cumprimentos
>>> António Silva
>>>
>>> _______________________________________________
>>> Swan mailing list
>>> Swan@lists.libreswan.org
>>> https://lists.libreswan.org/mailman/listinfo/swan
_______________________________________________ Swan mailing list Swan@lists.libreswan.org https://lists.libreswan.org/mailman/listinfo/swan
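As an added example (not code from this thread or from libreswan), here is a bounded replacement for the `until ping -c1 1.1.1.1` ExecStartPre= line used above. That loop has no upper bound, so if 1.1.1.1 is ever filtered the unit never starts, and it tests Internet reachability rather than what pluto actually needs at startup: a default route, and the address given as left= in ipsec.conf already configured on an interface (the quoted log shows pluto giving up because 192.168.1.60 was "not usable", which is what one sees when DHCP has not yet handed out that address). The script parses `ip -4 route show default` and `ip -4 -o addr show`, polls once a second, and gives up after a timeout. It goes slightly beyond the thread's DHCP case by also accepting a default route without a `via` gateway (point-to-point uplinks). The script path, the argument order, the 120 s default and the sample `ip` output in the comments are this example's assumptions.

```shell
#!/bin/sh
# wait-for-net.sh: bounded network readiness check for an ExecStartPre= line.
# Added example for this thread, not libreswan code. It replaces the open-ended
# "until ping -c1 1.1.1.1" loop with two checks that map to what pluto needs:
#   1. a default route exists (ip -4 route show default prints one), and
#   2. the address given as left= in ipsec.conf is configured on an interface
#      (ip -4 -o addr show lists "inet <addr>/"),
# and it gives up after TIMEOUT seconds so a dead link cannot stall boot.
#
# Assumed usage, from a drop-in created with `systemctl edit ipsec.service`
# (editing /lib/systemd/system/ipsec.service directly is lost on upgrade):
#   [Service]
#   ExecStartPre=/usr/local/sbin/wait-for-net.sh 192.168.1.60 120
# 192.168.1.60 is the address from the thread's log; the path, the argument
# order and the 120 s timeout are this example's assumptions.

# has_default_route ROUTE_TEXT
# ROUTE_TEXT is the output of `ip -4 route show default`, e.g. (constructed):
#   default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.60 metric 100
# Succeeds if any line is a default route bound to a device; the "via"
# gateway is optional so point-to-point uplinks also pass.
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^default (via [0-9.]+ )?dev [^ ]+'
}

# has_address ADDR ADDR_TEXT
# ADDR_TEXT is the output of `ip -4 -o addr show`, e.g. (constructed):
#   2: eth0    inet 192.168.1.60/24 brd 192.168.1.255 scope global dynamic eth0
# Fixed-string match on " inet ADDR/" so 192.168.1.6 cannot match .60.
has_address() {
    printf '%s\n' "$2" | grep -Fq " inet $1/"
}

# wait_for_net ADDR TIMEOUT
# Checks immediately, then once per second; returns 0 as soon as both checks
# pass and 1 once TIMEOUT seconds have elapsed without success.
wait_for_net() {
    addr=$1
    remaining=$2
    while :; do
        if has_default_route "$(ip -4 route show default 2>/dev/null)" &&
           has_address "$addr" "$(ip -4 -o addr show 2>/dev/null)"; then
            return 0
        fi
        [ "$remaining" -gt 0 ] || break
        sleep 1
        remaining=$((remaining - 1))
    done
    echo "wait-for-net: no default route or $addr not configured after ${2}s" >&2
    return 1
}

# Run the live check only when invoked with arguments, so the functions can
# also be sourced and exercised against canned `ip` output.
if [ $# -ge 1 ]; then
    wait_for_net "$1" "${2:-120}"
    exit $?
fi
```

Keep the timeout below the unit's TimeoutStartSec (90 s unless overridden), because ExecStartPre= runtime counts against it and systemd will otherwise kill the start. A non-zero exit from the script fails the start attempt, which Restart=on-failure in the unit above then retries, so a link that never comes up ends in a visible failed unit rather than a silent hang.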