diff --git a/pkg/libol/kcpsocket.go b/pkg/libol/kcpsocket.go
index 95b299c..83fb4d1 100755
--- a/pkg/libol/kcpsocket.go
+++ b/pkg/libol/kcpsocket.go
@@ -1,9 +1,10 @@
 package libol
 
 import (
- "github.com/xtaci/kcp-go/v5"
 "net"
 "time"
+
+ "github.com/xtaci/kcp-go/v5"
 )
 
 type KcpConfig struct {
@@ -91,7 +92,7 @@ func (k *KcpServer) Accept() {
 MinInt: 5 * time.Second,
 MaxInt: 30 * time.Second,
 }
- promise.Done(func() error {
+ promise.Do(func() error {
 if err := k.Listen(); err != nil {
 Warn("KcpServer.Accept: %s", err)
 return err
diff --git a/pkg/libol/promise.go b/pkg/libol/promise.go
index 4f01347..86b315d 100755
--- a/pkg/libol/promise.go
+++ b/pkg/libol/promise.go
@@ -27,7 +27,7 @@ func NewPromiseAlways() *Promise {
 }
 }
 
-func (p *Promise) Done(call func() error) {
+func (p *Promise) Do(call func() error) {
 for {
 p.Count++
 if p.MaxTry > 0 && p.Count > p.MaxTry {
@@ -45,6 +45,13 @@ func (p *Promise) Done(call func() error) {
 
 func (p *Promise) Go(call func() error) {
 Go(func() {
- p.Done(call)
+ p.Do(call)
+ })
+}
+
+func (p *Promise) Goto(call func() error, close func()) {
+ Go(func() {
+ p.Do(call)
+ close()
 })
 }
diff --git a/pkg/libol/tcpsocket.go b/pkg/libol/tcpsocket.go
index 9cc15b7..4178023 100755
--- a/pkg/libol/tcpsocket.go
+++ b/pkg/libol/tcpsocket.go
@@ -66,7 +66,7 @@ func (t *TcpServer) Accept() {
 MinInt: 5 * time.Second,
 MaxInt: 30 * time.Second,
 }
- promise.Done(func() error {
+ promise.Do(func() error {
 if err := t.Listen(); err != nil {
 Warn("TcpServer.Accept: %s", err)
 return err
diff --git a/pkg/libol/udpsocket.go b/pkg/libol/udpsocket.go
index 639d63c..f5adb46 100755
--- a/pkg/libol/udpsocket.go
+++ b/pkg/libol/udpsocket.go
@@ -63,7 +63,7 @@ func (k *UdpServer) Accept() {
 MinInt: 5 * time.Second,
 MaxInt: 30 * time.Second,
 }
- promise.Done(func() error {
+ promise.Do(func() error {
 if err := k.Listen(); err != nil {
 Warn("UdpServer.Accept: %s", err)
 return err
diff --git a/pkg/libol/websocket.go b/pkg/libol/websocket.go
index 373576d..2faa512 100755
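Review bot: In pkg/libol/promise.go the new `Goto` names its second parameter `close`, which shadows the builtin inside the method, and it calls the callback only after `p.Do(call)` returns normally, so the cleanup is skipped if `call` panics and `Go` recovers it (not visible here), and a nil callback panics in the goroutine. Rename the parameter and defer it: `func (p *Promise) Goto(call func() error, done func())` with `defer done()` as the first statement inside `Go(func() {`, guarded by `if done != nil`. The method also needs a doc comment, e.g. `// Goto runs call in a goroutine under the promise's retry policy and invokes done once Do returns.`; the body of `Do` is only partly visible, so state there whether `done` also fires when retries are exhausted.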
--- a/pkg/libol/websocket.go
+++ b/pkg/libol/websocket.go
@@ -3,11 +3,12 @@ package libol
 import (
 "crypto/tls"
 "crypto/x509"
- "golang.org/x/net/websocket"
 "io/ioutil"
 "net"
 "net/http"
 "time"
+
+ "golang.org/x/net/websocket"
 )
 
 type wsConn struct {
@@ -101,7 +102,7 @@ func (t *WebServer) Accept() {
 MinInt: 5 * time.Second,
 MaxInt: 30 * time.Second,
 }
- promise.Done(func() error {
+ promise.Do(func() error {
 if t.webCfg.Cert == nil {
 if err := t.listener.ListenAndServe(); err != nil {
 Error("WebServer.Accept on %s: %s", t.address, err)
diff --git a/pkg/proxy/tcp.go b/pkg/proxy/tcp.go
index 755e9c7..3bd8400 100755
--- a/pkg/proxy/tcp.go
+++ b/pkg/proxy/tcp.go
@@ -1,11 +1,12 @@
 package proxy
 
 import (
- "github.com/luscis/openlan/pkg/config"
- "github.com/luscis/openlan/pkg/libol"
 "io"
 "net"
 "time"
+
+ "github.com/luscis/openlan/pkg/config"
+ "github.com/luscis/openlan/pkg/libol"
 )
 
 type TcpProxy struct {
@@ -62,7 +63,7 @@ func (t *TcpProxy) Start() {
 MaxInt: time.Minute,
 MinInt: time.Second * 10,
 }
- promise.Done(func() error {
+ promise.Do(func() error {
 var err error
 listen, err = net.Listen("tcp", t.listen)
 if err != nil {
diff --git a/pkg/switch/http.go b/pkg/switch/http.go
index 101c092..6db8eeb 100755
--- a/pkg/switch/http.go
+++ b/pkg/switch/http.go
@@ -172,7 +172,7 @@ func (h *Http) Start() {
 MaxInt: time.Minute,
 MinInt: time.Second * 10,
 }
- promise.Done(func() error {
+ promise.Go(func() error {
 if h.keyFile == "" || h.crtFile == "" {
 if err := h.server.ListenAndServe(); err != nil {
 libol.Error("Http.Start on %s: %s", h.listen, err)
diff --git a/pkg/switch/ipsec.go b/pkg/switch/ipsec.go
index 3591709..5237d2a 100644
--- a/pkg/switch/ipsec.go
+++ b/pkg/switch/ipsec.go
@@ -3,6 +3,7 @@ package cswitch
 import (
 "fmt"
 "os"
+ "os/exec"
 "text/template"
 
 "github.com/luscis/openlan/pkg/api"
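Review bot: In pkg/switch/http.go, `Http.Start` replaces `promise.Done` with `promise.Go`, not with the renamed `promise.Do` used at every other call site in this commit, so the listen-and-retry loop now runs in a goroutine and `Start` returns before the listener is bound. If that is intended, record it at the call with a comment such as `// run asynchronously: Start must not block the caller`, and confirm that callers (outside this diff) do not treat a return from `Start` as "the API server is up" or rely on it blocking to keep the process alive. If it is a slip in the rename, the line should read `promise.Do(func() error {`. The body of `Start` begins and continues outside the hunk.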
@@ -11,6 +12,12 @@ import (
 "github.com/luscis/openlan/pkg/schema"
 )
 
+const (
+ IPSecBin = "/usr/sbin/ipsec"
+ IPSecEtcDir = "/etc/ipsec.d"
+ IPSecLogDir = "/var/openlan/ipsec"
+)
+
 type IPSecWorker struct {
 *WorkerImpl
 spec *co.IPSecSpecifies
@@ -94,10 +101,13 @@ conn {{ .Name }}-c1
 
 func (w *IPSecWorker) Initialize() {
 w.out.Info("IPSecWorker.Initialize")
+ if err := os.Mkdir(IPSecLogDir, 0600); err != nil {
+ w.out.Warn("IPSecWorker.Initialize %s", err)
+ }
 }
 
 func (w *IPSecWorker) saveSec(name, tmpl string, data interface{}) error {
- file := fmt.Sprintf("/etc/ipsec.d/%s", name)
+ file := fmt.Sprintf("%s/%s", IPSecEtcDir, name)
 out, err := libol.CreateFile(file)
 if err != nil || out == nil {
 return err
@@ -114,14 +124,22 @@ func (w *IPSecWorker) saveSec(name, tmpl string, data interface{}) error {
 }
 
 func (w *IPSecWorker) startConn(name string) {
- promise := libol.NewPromise()
- promise.Go(func() error {
- if out, err := libol.Exec("ipsec", "auto", "--start", "--asynchronous", name); err != nil {
- w.out.Warn("IPSecWorker.startConn: %v %s", out, err)
- return err
+ logFile := fmt.Sprintf("%s/%s.log", IPSecLogDir, name)
+ logto, err := libol.CreateFile(logFile)
+ if err != nil {
+ w.out.Warn("IPSecWorker.startConn %s", err)
+ return
+ }
+ libol.Go(func() {
+ defer logto.Close()
+ cmd := exec.Command(IPSecBin, "auto", "--start", name)
+ cmd.Stdout = logto
+ cmd.Stderr = logto
+ if err := cmd.Run(); err != nil {
+ w.out.Warn("IPSecWorker.startConn: %s", err)
+ return
 }
 w.out.Info("IPSecWorker.startConn: %v success", name)
- return nil
 })
 }
 
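Review bot: In `IPSecWorker.Initialize`, `os.Mkdir(IPSecLogDir, 0600)` creates the log directory without the search (x) bit, so only a process that bypasses permission checks can create or open files inside it. The call also returns an error on every start after the first because the directory already exists, and fails outright when the parent `/var/openlan` is missing, so the warning is logged in the normal case and the later `CreateFile` in `startConn` may have nowhere to write. `if err := os.MkdirAll(IPSecLogDir, 0700); err != nil {` fixes all three: it is a no-op on an existing directory, creates the parent, and keeps the logs owner-only.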
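Review bot: In `startConn`, `cmd.Run()` has no deadline and the commit drops `--asynchronous`, so if `ipsec auto --start` waits on an unresponsive peer the goroutine and its open log file stay parked indefinitely; `exec.CommandContext` with a bounded timeout would cap that. `name` is also interpolated into the log path by `fmt.Sprintf("%s/%s.log", IPSecLogDir, name)`; its origin is outside this hunk, so if it can come from tunnel configuration, reject values containing a path separator or `..` before building the path. `saveSec` in the same file guards `err != nil || out == nil` after `libol.CreateFile`, while this call checks only `err`; use the same guard so a nil file never reaches `cmd.Stdout` or `logto.Close()`. The removed `promise.Go` wrapper is replaced by a single attempt, so if retry on failure was relied on (the policy of `NewPromise` is not visible here), that needs restoring or a comment saying it is intentional.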
@@ -182,8 +200,8 @@ func (w *IPSecWorker) removeTunnel(tun *co.IPSecTunnel) error {
 } else if tun.Transport == "gre" {
 libol.Exec("ipsec", "auto", "--delete", "--asynchronous", name+"-c1")
 }
- cfile := fmt.Sprintf("/etc/ipsec.d/%s.conf", name)
- sfile := fmt.Sprintf("/etc/ipsec.d/%s.secrets", name)
+ cfile := fmt.Sprintf("%s/%s.conf", IPSecEtcDir, name)
+ sfile := fmt.Sprintf("%s/%s.secrets", IPSecEtcDir, name)
 
 if err := libol.FileExist(cfile); err == nil {
 if err := os.Remove(cfile); err != nil {
diff --git a/pkg/switch/openvpn.go b/pkg/switch/openvpn.go
index a403805..f960041 100755
--- a/pkg/switch/openvpn.go
+++ b/pkg/switch/openvpn.go
@@ -18,8 +18,8 @@ import (
 )
 
 const (
- OpenVPNBin = "openvpn"
- DefaultCurDir = "/var/openlan/openvpn/default"
+ OpenVPNBin = "openvpn"
+ VPNCurDir = "/var/openlan/openvpn/default"
 )
 
 type OpenVPNData struct {
@@ -193,7 +193,7 @@ func (o *OpenVPN) Path() string {
 
 func (o *OpenVPN) Directory() string {
 if o.Cfg == nil {
- return DefaultCurDir
+ return VPNCurDir
 }
 return o.Cfg.Directory
 }
@@ -301,14 +301,14 @@ func (o *OpenVPN) Pid(full bool) string {
 
 func (o *OpenVPN) DirectoryClientConfig() string {
 if o.Cfg == nil {
- return path.Join(DefaultCurDir, "ccd")
+ return path.Join(VPNCurDir, "ccd")
 }
 return path.Join(o.Cfg.Directory, "ccd")
 }
 
 func (o *OpenVPN) ClientIvplatDir() string {
 if o.Cfg == nil {
- return DefaultCurDir
+ return VPNCurDir
 }
 return o.Cfg.Directory
 }
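Review bot: The context lines of the `removeTunnel` hunk in pkg/switch/ipsec.go still call `libol.Exec("ipsec", "auto", "--delete", "--asynchronous", name+"-c1")`, which names the binary by bare command (presumably resolved through PATH) and discards the result, while `startConn` in the same commit moved to the absolute `IPSecBin`. Use the constant here as well, `libol.Exec(IPSecBin, "auto", "--delete", "--asynchronous", name+"-c1")`, so start and delete run the same binary regardless of the daemon's environment, and log a failed delete before the `.conf` and `.secrets` files are removed. The function begins and continues outside the hunk, so any other `libol.Exec("ipsec", ...)` calls in it need the same change.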