0000438: IPsec VPNs closed after reboot - MantisBT
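MantisBT - Endian Firewall

ID: 0000438
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2008-01-09 22:55
Last Update: 2008-02-02 07:28
Reporter: Sota
Assigned To: peter-endian
Priority: immediate
Severity: block
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.2-beta2
Target Version: 2.2-beta3
Fixed in Version: 2.2-beta3

Summary: 0000438: IPsec VPNs closed after reboot

Description: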
After rebooting Endian, all the net-to-net VPNs show status as "Closed". Clicking on "Save" in Global Settings starts most of them, but usually a few will require a restart.
Problem experienced on two different sites. Logs attached.

Tags: No tags attached.
Attached Files: vpn-logs.txt (1,943) 2008-01-09 22:55
https://bugs.endian.com/file_download.php?file_id=73&type=bug

Issue History
Date Modified | Username | Field | Change
2008-01-09 22:55 | Sota | New Issue |
2008-01-09 22:55 | Sota | Status | new => assigned
2008-01-09 22:55 | Sota | Assigned To | => peter-endian
2008-01-09 22:55 | Sota | File Added: vpn-logs.txt |
2008-01-10 09:40 | ra-endian | Priority | normal => immediate
2008-01-10 09:40 | ra-endian | Severity | major => block
2008-01-10 11:07 | peter-endian | Note Added: 0000761 |
2008-01-10 11:14 | Sota | Note Added: 0000762 |
2008-01-10 11:51 | peter-endian | Note Added: 0000767 |
2008-01-10 11:51 | peter-endian | Status | assigned => confirmed
2008-01-10 11:57 | Sota | Note Added: 0000769 |
2008-01-24 14:08 | peter-endian | Target Version | => 2.2-beta3
2008-01-24 16:22 | peter-endian | Status | confirmed => resolved
2008-01-24 16:22 | peter-endian | Fixed in Version | => 2.2-beta3
2008-01-24 16:22 | peter-endian | Resolution | open => fixed
2008-01-24 16:22 | peter-endian | Note Added: 0000849 |
2008-02-02 07:28 | raphael-endian | Status | resolved => closed

Notes
(0000761)
peter-endian   
2008-01-10 11:07   
This happens only directly after reboot, correct?

Because the error message tells me that the uplink is not yet up correctly, so ipsec is not able to find the default gateway.

After the uplink is up, does *this* ipsec connection work when you start it manually?
(0000762)
Sota   
2008-01-10 11:14   
Correct. On both sites, all VPN connections show status as closed after reboot and will remain that way until I restart them. Clicking on save or just restarting one of them is enough to bring most, if not all of them up. Once they are open they seem to be as reliable as previous versions.
(0000767)
peter-endian   
2008-01-10 11:51   
Ah, great.
So this is a timing problem.
ipsec needs to wait a little bit longer on boot until the uplink is really up.
Will fix it.
(0000769)
Sota   
2008-01-10 11:57   
I should add that both sites use fairly fast PCs (one is a P4 2.3GHz, the other is Core 2 Duo) in case that has any bearing on the timing issue.
(0000849)
peter-endian   
2008-01-24 16:22   
Happens because /etc/uplinksdaemon/mainchanged will be triggered *before* /etc/uplinksdaemon/addrchanged.

But the default gateway will be set in addrchanged and ipsec will be restarted during mainchanged, so ipsec starts without a default gateway set.
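
A generic guard against the ordering problem described in the last note, as an added example that is not part of the original thread and is not Endian's actual fix: a hook waits for a default route before running the IPsec restart. It assumes the Linux /proc/net/route format; the function names and the ROUTE_TABLE variable are hypothetical, and the restart command is supplied by the caller.

```shell
#!/bin/sh
# Added example: hold back an IPsec restart until a default route exists.
# ROUTE_TABLE is an assumed variable; it defaults to the Linux kernel's
# /proc/net/route so the check can also be pointed at a sample file.
ROUTE_TABLE="${ROUTE_TABLE:-/proc/net/route}"

# Succeeds if the table has a default route (destination and mask both
# 00000000) with RTF_UP set. Flags are hex and RTF_UP is bit 0, so the
# last hex digit is odd. Point-to-point uplinks may carry no gateway
# address, so RTF_GATEWAY is deliberately not required.
has_default_route() {
    awk 'NR > 1 && $2 == "00000000" && $8 == "00000000" &&
         $4 ~ /[13579BbDdFf]$/ { found = 1 }
         END { exit !found }' "$ROUTE_TABLE" 2>/dev/null
}

# Poll once per second until a default route appears or the limit
# (seconds, default 30) is reached. Returns 1 on timeout.
wait_for_default_route() {
    limit="${1:-30}"
    waited=0
    until has_default_route; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# run_when_routed LIMIT CMD [ARGS...]
# Runs CMD only once a default route exists; otherwise reports the
# timeout and fails, so tunnels are never started against an uplink
# that has no route yet.
run_when_routed() {
    route_limit="$1"
    shift
    if wait_for_default_route "$route_limit"; then
        "$@"
    else
        echo "no default route after ${route_limit}s; not running: $*" >&2
        return 1
    fi
}
```

A hook that restarts IPsec would call `run_when_routed 30` followed by whatever restart command the system uses; a non-zero return leaves the tunnels down and logs why.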