[SOLVED] How to restart ipsec service from command line
-
I frankly have no idea what's the difference between the button and script. The button may work perfectly fine except for the fact it fails to apply changed configuration here so it's totally useless. So, the only workable way to really restart this thing is stop and start (always thought restart would do that but here apparently some reload attempt is made or god knows what…) Cannot see myself getting in love with strongswan any time soon.
-
Hi again!
The effect of the script and the "restart button" is the same, it doesn't work. See the log as below:
Feb 11 19:04:57 charon: 13[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 11 19:04:57 charon: 13[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 11 19:04:57 charon: 13[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 11 19:04:57 charon: 13[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 11 19:04:57 charon: 13[CFG] loaded ca certificate "C=EH, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx@xxx.com from '/var/etc/ipsec/ipsec.d/cacerts/df28683a.0.crt'
Feb 11 19:04:57 charon: 13[CFG] loaded ca certificate "C=AT, ST=yy, L=yyy, O=yyy, E=yyy@yyy.com, CN=yyy" from '/var/etc/ipsec/ipsec.d/cacerts/a9025906.0.crt'
Feb 11 19:04:57 charon: 13[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 11 19:04:57 charon: 13[CFG] loaded IKE secret for %any nnn.nnn.nnn.nnn
Feb 11 19:04:57 charon: 13[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
What is wrong here?
Only with the Buttons <Stop Ipsec Service> and then <Start Ipsec Service> the tunnel works.
Have you any idea what I can do? Maybe a script that stops AND restarts the Connection …
The reason why I need a solution is, that my internet connection stops every 24 hours (daily at 05:10), I get a new IP and the DynDNS will be updated. IPsec tries to establish the tunnel with the old IP - I don't know why.
I'm thankful for any tips.
Best regards
esquire1968 -
[quote]
What is wrong here?
Only with the Buttons <Stop Ipsec Service> and then <Start Ipsec Service> the tunnel works.
Have you any idea what I can do? Maybe a script that stops AND restarts the Connection …
[/quote]
No, NFC. Nada. Nothing. Zero. Strongswan suxxx…
https://redmine.pfsense.org/issues/4268
https://redmine.pfsense.org/issues/4353 -
pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
The restart action was set to only refresh the configuration, to minimize disruption to running tunnels.
-
Sorry, I'm a little bit confused! :-[
Now, I've 2 links to new files …
https://redmine.pfsense.org/projects/pfsense/repository/revisions/01f3438e7ab91d29751fc27a4627a98c8cba2b4b
... and ...
https://redmine.pfsense.org/projects/pfsense/repository/revisions/41da54ce14d2d43a5ce9738bd80b73355fa26180
Which is the right one?
Should I set a cron job with the following command 1 minute after the new Internet connection has been started:
[code]pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec[/code]
Best regards
esquire1968 -
[quote]
Sorry, I'm a little bit confused! :-[
Now, I've 2 links to new files …
[/quote]
Does not matter. Plus, the "restart" is apparently useless so just ignore the patch.
-
Hi again!
When I start the following command via SSH, it works!
pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
The same command as a cron-job does nothing!
12 5 * * * root pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
Why? Pls help!
Thx
esquire1968 -
Always use full paths with cron…
-
Always use full paths (like /usr/local/sbin/pfSsh.php) with cron…
-
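The command worked over SSH but not from cron because cron runs jobs with its own, typically shorter PATH than an interactive shell. As an added example that is not part of the original thread, this checker lists every command in a system-crontab line that is not given as an absolute path; the function name and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag commands in system-crontab lines
# that are not absolute paths and therefore depend on PATH as cron sets it.
# Assumed line layout, as in the thread: min hour mday month wday user command

relative_cron_commands() {
    # Reads crontab lines on stdin; prints each command word lacking a leading "/".
    # Shell builtins such as cd are printed too, so review the output by hand.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }     # VAR=value environment lines
        {
            cmd = $0
            # strip the five schedule fields and the user field
            for (i = 1; i <= 6; i++) sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
            # one entry per command in a ";", "&&", "||" or "|" chain
            n = split(cmd, parts, /[;&|]+/)
            for (i = 1; i <= n; i++) {
                sub(/^[ \t]+/, "", parts[i])
                split(parts[i], words, /[ \t]+/)
                if (words[1] != "" && words[1] !~ /^\//) print words[1]
            }
        }'
}

# Constructed sample: the failing entry from the thread and the same entry
# with the full path suggested in the reply.
relative_cron_commands <<'EOF'
# m h mday mon wday user command
12 5 * * * root pfSsh.php playback svc stop ipsec; pfSsh.php playback svc start ipsec
12 5 * * * root /usr/local/sbin/pfSsh.php playback svc stop ipsec; /usr/local/sbin/pfSsh.php playback svc start ipsec
EOF
```

An empty result means every command in the checked lines is given by absolute path.
-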
Thanks! Now it works!
How can I reduce the log entries for IPsec? I've a lot of logs like this …
Feb 16 13:35:02 charon: 07[NET] sending packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (92 bytes)
Feb 16 13:35:02 charon: 07[ENC] generating INFORMATIONAL_V1 request 851016784 [ HASH N(DPD_ACK) ]
Feb 16 13:35:02 charon: 07[ENC] parsed INFORMATIONAL_V1 request 703088055 [ HASH N(DPD) ]
Feb 16 13:35:02 charon: 07[NET] received packet: from xxx.xxx.xxx.xxx[500] to yyy.yyy.yyy.yyy[500] (92 bytes)
'IPsec debug' is 'silent'.
Cheers
esquire1968 -
With the new version 2.3 are we able to take advantage of all the strongswan commands?
I am running 2.2.6 and I lost all connectivity to the GUI during setup of a VPN. Since I cannot reboot (business hours) I wanted to check the status of the VPNs, and I was able to run from shell: ipsec status and was able to get details on all configured tunnels.
https://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand
Can we use this to restart the ipsec or is that not recommended?