[Pkg-swan-devel] Bug#917641: charon-systemd Fails to Stop Gracefully
Gareth Williams
gareth at garethwilliams.me.uk
Sat Dec 29 17:43:42 GMT 2018
Package: charon-systemd
Version: 5.5.1-4+deb9u4
Depends: libstrongswan (= 5.5.1-4+deb9u4), strongswan-swanctl,
init-system-helpers (>= 1.18~), libc6 (>= 2.4), libsystemd0,
strongswan-libcharon
Running on: Debian 9.6
Kernel: 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux
libc6 Version: 2.24-11+deb9u3
When I invoke 'systemctl stop strongswan-swanctl' the command takes 90
seconds to execute. Looking at the logs with 'journalctl -xfu
strongswan-swanctl' shows that it fails to shut down gracefully and is
finally killed:
Dec 29 17:16:12 end-a systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
-- Subject: Unit strongswan-swanctl.service has begun shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit strongswan-swanctl.service has begun shutting down.
Dec 29 17:16:12 end-a charon-systemd[3100]: deleting IKE_SA testHTTP[1] between 172.28.32.159[172.28.32.159]...172.28.32.2[10.0.0.200]
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: State 'stop-sigterm' timed out. Killing.
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: Killing process 3100 (charon-systemd) with signal SIGKILL.
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: Main process exited, code=killed, status=9/KILL
Dec 29 17:17:42 end-a systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
-- Subject: Unit strongswan-swanctl.service has finished shutting down
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit strongswan-swanctl.service has finished shutting down.
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: Unit entered failed state.
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: Failed with result 'timeout'.
The configuration for 'end-a' is as follows:
connections {
    testHTTP {
        local_addrs = 172.28.32.159
        remote_addrs = 172.28.32.2
        local {
            auth = psk
            id = %any
        }
        remote {
            auth = psk
            id = %any
        }
        children {
            testHTTP {
                local_ts = 172.28.32.159/32
                remote_ts = 10.0.0.0/24
                start_action = start
                #updown = /usr/local/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
            }
        }
        version = 0
        mobike = yes
        reauth_time = 10800
        proposals = default
    }
}
secrets {
    ike-testHTTP {
        id=%any
        secret = 12345
    }
}
NOTE: There may be errors or bad practices in the config above - this is
a lab environment and I'm merely testing/experimenting replacing
'ipsec.conf' files with 'swanctl.conf' files.
I've increased logging but it doesn't shed any light - merely adds more
noise (keepalive etc.).
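
An added example, not part of the original report: a Python script that scans 'journalctl -x' output like the excerpt above for units whose stop ran into the 'stop-sigterm' timeout, and reports how long systemd waited and which process it then killed with SIGKILL. The function name, the default year and the use of the -x catalog line to mark the start of the stop are assumptions of this example; the sample lines are the report's own log lines with the e-mail wrapping undone.

```python
import re
from datetime import datetime

# Log lines from the report above, rejoined after e-mail line wrapping.
SAMPLE = """\
Dec 29 17:16:12 end-a systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
-- Unit strongswan-swanctl.service has begun shutting down.
Dec 29 17:16:12 end-a charon-systemd[3100]: deleting IKE_SA testHTTP[1] between 172.28.32.159[172.28.32.159]...172.28.32.2[10.0.0.200]
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: State 'stop-sigterm' timed out. Killing.
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: Killing process 3100 (charon-systemd) with signal SIGKILL.
Dec 29 17:17:42 end-a systemd[1]: strongswan-swanctl.service: Failed with result 'timeout'.
"""

# "<Mon DD HH:MM:SS> <host> <ident>[pid]: <message>"
STAMP = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
BEGUN = re.compile(r"^-- Unit (\S+) has begun shutting down\.$")
TIMEOUT = re.compile(r"^(\S+): State 'stop-sigterm' timed out\. Killing\.$")
KILL = re.compile(r"^(\S+): Killing process (\d+) \((.+?)\) with signal SIGKILL\.$")


def find_forced_stops(text, year=2018):
    """Return one record per unit that systemd had to SIGKILL on stop.

    The journal's short timestamps carry no year, so one is supplied (assumed).
    The stop start time comes from the '-x' catalog line, which has no
    timestamp of its own: the timestamp of the preceding entry is used.
    """
    started, events, last = {}, {}, None
    for line in text.splitlines():
        begun = BEGUN.match(line)
        if begun and last is not None:
            started[begun.group(1)] = last
            continue
        entry = STAMP.match(line)
        if not entry:
            continue
        last = datetime.strptime(f"{year} {entry.group(1)}", "%Y %b %d %H:%M:%S")
        if entry.group(3) != "systemd":
            continue
        timed_out = TIMEOUT.match(entry.group(4))
        if timed_out:
            unit = timed_out.group(1)
            # waited_s stays None when the log was captured without -x.
            waited = (last - started[unit]).total_seconds() if unit in started else None
            events[unit] = {"unit": unit, "waited_s": waited, "killed": []}
        killed = KILL.match(entry.group(4))
        if killed and killed.group(1) in events:
            events[killed.group(1)]["killed"].append((int(killed.group(2)), killed.group(3)))
    return list(events.values())
```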