fix: conn is not active after restart ipsec.

dist/rootfs/var/openlan/script/install.sh

@@ -12,9 +12,9 @@ fi
 archive=$(grep -a -n "__ARCHIVE_BELOW__:$" $installer | cut -f1 -d:)
 
 OS="linux"
-if type yum > /dev/null; then
+if type yum 2> /dev/null; then
   OS="centos"
-elif type apt > /dev/null; then
+elif type apt 2> /dev/null; then
   OS="ubuntu"
 fi
 
@@ -40,37 +40,42 @@ function requires() {
 function install() {
   echo "Installing files ..."
   local source=$(find $tmp -maxdepth 1 -name 'openlan-*')
-  cd $source && {
+  pushd $source
-    /usr/bin/env \cp -rf ./{etc,usr,var} /
+  /usr/bin/env \cp -rf ./{etc,usr,var} /
-    chmod +x /var/openlan/script/*.sh
+  chmod +x /var/openlan/script/*.sh
-    /usr/bin/env find ./ -type f > /usr/share/openlan.db
+  /usr/bin/env find ./ -type f > /usr/share/openlan.db
-  }
+  popd
 }
 
 function post() {
-  echo "Initlizing ..."
+  echo "Initializing ..."
   if [ x"$DOCKER" == x"no" ] || [ x"$DOCKER" == x"" ]; then
     sysctl -p /etc/sysctl.d/90-openlan.conf
   fi
-  [ -e "/etc/openlan/switch/switch.json" ] || {
-    cp -rf /etc/openlan/switch/switch.json.example /etc/openlan/switch/switch.json
-  }
-  [ -e "/var/openlan/openvpn/dh.pem" ] || {
-    openssl dhparam -out /var/openlan/openvpn/dh.pem 2048
-  }
-  [ -e "/var/openlan/openvpn/ta.key" ] || {
-    openvpn --genkey --secret /var/openlan/openvpn/ta.key
-  }
 
   if [ "$OS"x == "centos"x ]; then
+    ## Prepare openvpn.
+    [ -e "/var/openlan/openvpn/dh.pem" ] || {
+      openssl dhparam -out /var/openlan/openvpn/dh.pem 1024
+    }
+    [ -e "/var/openlan/openvpn/ta.key" ] || {
+      openvpn --genkey --secret /var/openlan/openvpn/ta.key
+    }
+    ## Install CA.
     cp -rf /var/openlan/cert/ca.crt /etc/pki/ca-trust/source/anchors/OpenLAN_CA.crt
     update-ca-trust
   elif [ "$OS"x == "ubuntu"x ]; then
+    ## Prepare openvpn.
+    [ -e "/var/openlan/openvpn/dh.pem" ] || {
+      openssl dhparam -out /var/openlan/openvpn/dh.pem 2048
+    }
+    [ -e "/var/openlan/openvpn/ta.key" ] || {
+      openvpn --genkey > /var/openlan/openvpn/ta.key
+    }
+    ## Install CA.
     cp -rf /var/openlan/cert/ca.crt /usr/local/share/ca-certificates/OpenLAN_CA.crt
     update-ca-certificates
   fi
-  ## Initialize NSS database
-  certutil -N -d sql:/var/lib/ipsec/nss --empty-password
 }
 
 function finish() {

dist/rootfs/var/openlan/script/ipsec.sh

@@ -2,8 +2,15 @@
 
 set -ex
 
+## Clear xfrm
 /sbin/ip xfrm policy flush
 /sbin/ip xfrm state flush
 
+## Checking ipsec
 /usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
+
+/usr/libexec/ipsec/_stackmanager start
+/usr/sbin/ipsec --checknss
+
+## Start pluto
 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

docker/centos/Dockerfile

@@ -4,9 +4,7 @@ ARG linux_bin
 
 WORKDIR /root
 
-RUN yum update -y && \
+RUN yum update -y && yum install -y epel-release
-    yum install -y epel-release centos-release-openstack-train && \
-    yum install -y rdma-core libibverbs
 
 ADD ${linux_bin} /tmp
 RUN DOCKER=yes /tmp/${linux_bin}

pkg/switch/network.go

@@ -322,7 +322,6 @@ func (w *WorkerImpl) loadRoute(rt co.PrefixRoute) {
 		w.out.Info("WorkerImpl.loadRoute: %v success", rt_c.String())
 		return nil
 	})
-
 }
 
 func (w *WorkerImpl) loadRoutes() {
@@ -1014,16 +1013,13 @@ func (w *WorkerImpl) findRoute(rt co.PrefixRoute) (co.PrefixRoute, int) {
 }
 
 func (w *WorkerImpl) AddRoute(route *schema.PrefixRoute, switcher api.Switcher) error {
-
 	rt := w.correctRoute(route)
-
 	if _, index := w.findRoute(rt); index != -1 {
 		w.out.Warn("WorkerImpl.AddRoute: route exist")
 		return nil
 	}
 
 	w.cfg.Routes = append(w.cfg.Routes, rt)
-
 	w.out.Info("WorkerImpl.AddRoute: %v", rt)
 
 	w.addIpSet(rt)
@@ -1039,9 +1035,7 @@ func (w *WorkerImpl) AddRoute(route *schema.PrefixRoute, switcher api.Switcher)
 }
 
 func (w *WorkerImpl) DelRoute(route *schema.PrefixRoute, switcher api.Switcher) error {
-
 	correctRt := w.correctRoute(route)
-
 	delRt, index := w.findRoute(correctRt)
 	if index == -1 {
 		w.out.Warn("WorkerImpl.DelRoute: route not found")
@@ -1049,7 +1043,6 @@ func (w *WorkerImpl) DelRoute(route *schema.PrefixRoute, switcher api.Switcher)
 	}
 
 	w.cfg.Routes = append(w.cfg.Routes[:index], w.cfg.Routes[index+1:]...)
-
 	w.delIpSet(delRt)
 	if inet, err := libol.ParseNet(delRt.Prefix); err == nil {
 		w.delVPNSet(inet.String())
@@ -1091,7 +1084,7 @@ const (
 	vxlanConn = `
 conn vxlan{{ .Segment }}-in
     keyingtries=%forever
-    auto=route
+    auto=start
     ike=aes_gcm256-sha2_256
     esp=aes_gcm256
     ikev2=insist
@@ -1104,7 +1097,7 @@ conn vxlan{{ .Segment }}-in
 
 conn vxlan{{ .Segment }}-out
     keyingtries=%forever
-    auto=route
+    auto=start
     ike=aes_gcm256-sha2_256
     esp=aes_gcm256
     ikev2=insist
@@ -1118,7 +1111,7 @@ conn vxlan{{ .Segment }}-out
 	greConn = `
 conn gre{{ .Segment }}
     keyingtries=%forever
-    auto=route
+    auto=start
     ike=aes_gcm256-sha2_256
     esp=aes_gcm256
     ikev2=insist
@@ -1134,6 +1127,35 @@ conn gre{{ .Segment }}
 `
 )
 
+func (w *WorkerImpl) saveSec(name, tmpl string, data interface{}) error {
+	file := fmt.Sprintf("/etc/ipsec.d/%s", name)
+	out, err := libol.CreateFile(file)
+	if err != nil || out == nil {
+		return err
+	}
+	defer out.Close()
+	if obj, err := template.New("main").Parse(tmpl); err != nil {
+		return err
+	} else {
+		if err := obj.Execute(out, data); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (w *WorkerImpl) startSecConn(name string) {
+	promise := libol.NewPromise()
+	promise.Go(func() error {
+		if out, err := libol.Exec("ipsec", "auto", "--start", "--asynchronous", name); err != nil {
+			w.out.Warn("WorkerImpl.startSecConn: %v %s", out, err)
+			return err
+		}
+		w.out.Info("WorkerImpl.startSecConn: %v success", name)
+		return nil
+	})
+}
+
 func (w *WorkerImpl) addSecConn(port *LinuxPort) error {
 	connTmpl := ""
 	secTmpl := ""
@@ -1149,40 +1171,22 @@ func (w *WorkerImpl) addSecConn(port *LinuxPort) error {
 	}
 
 	if secTmpl != "" {
-		file := fmt.Sprintf("/etc/ipsec.d/%s.secrets", name)
+		if err := w.saveSec(name+".secrets", secTmpl, data); err != nil {
-		out, err := libol.CreateFile(file)
+			w.out.Error("WorkerImpl.addSecConn %s", err)
-		if err != nil || out == nil {
 			return err
 		}
-		defer out.Close()
-		if tmpl, err := template.New("main").Parse(secTmpl); err != nil {
-			return err
-		} else {
-			if err := tmpl.Execute(out, data); err != nil {
-				return err
-			}
-		}
 		libol.Exec("ipsec", "auto", "--rereadsecrets")
 	}
 	if connTmpl != "" {
-		file := fmt.Sprintf("/etc/ipsec.d/%s.conf", name)
+		if err := w.saveSec(name+".conf", connTmpl, data); err != nil {
-		out, err := libol.CreateFile(file)
+			w.out.Error("WorkerImpl.addSecConn %s", err)
-		if err != nil || out == nil {
 			return err
 		}
-		defer out.Close()
-		if tmpl, err := template.New("main").Parse(connTmpl); err != nil {
-			return err
-		} else {
-			if err := tmpl.Execute(out, data); err != nil {
-				return err
-			}
-		}
 		if data.Protocol == "vxlan" {
-			libol.Exec("ipsec", "auto", "--start", "--asynchronous", name+"-in")
+			w.startSecConn(name + "-in")
-			libol.Exec("ipsec", "auto", "--start", "--asynchronous", name+"-out")
+			w.startSecConn(name + "-out")
 		} else if data.Protocol == "gre" {
-			libol.Exec("ipsec", "auto", "--start", "--asynchronous", name)
+			w.startSecConn(name)
 		}
 	}
 

pkg/switch/switch.go

@@ -211,7 +211,7 @@ func (v *Switch) GetPort(listen string) string {
 func (v *Switch) openPorts() {
 	port := v.GetPort(v.cfg.Listen)
 	UdpPorts := []string{"500", "4500", "8472", "4789", port}
-	TcpPorts := []string{"10000", port}
+	TcpPorts := []string{port}
 	if v.cfg.Http != nil {
 		TcpPorts = append(TcpPorts, v.GetPort(v.cfg.Http.Listen))
 	}