Swanctl not starting on boot? status = active with no instances

So I've spent quite a bit of time getting strongswan/ipsec working using the newer swanctl.conf approach, only to now realize it does not seem to want to start properly on boot on its own without an extra nudge (a manual restart).

I don't know if there's a race condition somewhere keeping it from coming up, but it basically requires me to log into the router and run /etc/init.d/swanctl restart once each boot.

After rebooting the router, logging in and checking the status shows me:

$ ssh rtr
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 Divested-WRT SNAPSHOT, r24041+11-74e7f8ebbd
root@router-main:~# /etc/init.d/swanctl status
active with no instances
root@router-main:~# /etc/init.d/swanctl restart
root@router-main:~# /etc/init.d/swanctl status

Restarting it just once works fine. I've gone so far as to set START to 99 in the swanctl init script just to see if it made any difference, and it hasn't :-/ I also logged in as soon as I could over wifi (it was already 30 seconds since the kernel boot, per logread) and I did not see ANY messages related to ipsec until I ran that restart.

Before I resort to other hacky workarounds like @reboot (which I'm not sure even works with busybox), does anyone have any idea what the reason might be and how to correct it (hopefully without hacks)?

OK, so I caved for now and added this into my /etc/rc.local, just before the last line where it says exit 0:

(  /etc/init.d/swanctl stop; sleep 10; /etc/init.d/swanctl start ) &

And this seems to work OK; I don't have to manually swanctl restart anymore.

Unless anyone has any better ideas?

Analyze the log to determine the cause of the issue, increase the log verbosity if necessary, and insert your own debugging commands into the init script if the built-in logging is still not enough.


Meaning I've looked at the output of logread as soon as I logged in, and:

  • The verbosity level was already set high enough that restarting it manually would show log messages during the manual restart.

  • Is there perhaps another log I should be looking at? If enough other messages (looking at you dnsmasq, you verbose daemon you..) come into the log, then the earlier ones are no longer there.

Is there some place where older log messages no longer shown by logread get persisted?

You can read about debugging procd scripts here:

In the general case, you need to analyze the init script for the binary invocations and read the manual for each of them, paying particular attention to logging, debugging, verbosity options, and the relevant diagnostic commands like list, show, status, dump, export, etc.
Then customize the init script appending the mentioned options, inserting diagnostic commands, and redirecting stdout and stderr to a separate log.
Finally, collect the logs for normal and failed init and compare them to find the difference, which should help you deduce the cause of the issue.
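
The compare step from the last reply, as an added example that is not part of the original thread: it strips the per-boot timestamp and PID from two saved logs and prints the lines that appear only after a working start. The function names and the sample log lines are constructed for illustration, and the line layout is assumed to match those samples.

```shell
#!/bin/sh
# Added example: list log lines present after a working start but absent
# from the log of a failed boot. All function names are hypothetical.

# Drop what differs on every boot: the leading 5-field timestamp and the
# [pid] after the process name (assumed logread-style layout).
normalize() {
    sed -E -e 's/^[A-Z][a-z]{2} +[A-Z][a-z]{2} +[0-9]+ +[0-9:]+ +[0-9]{4} +//' \
           -e 's/^([^ ]+ +[^][ :]+)\[[0-9]+\]:/\1:/' "$1" | sort -u
}

# $1 = log saved after a working start, $2 = log saved after a failed boot
only_in_good() {
    g=$(mktemp) && b=$(mktemp) || return 1
    normalize "$1" > "$g"
    normalize "$2" > "$b"
    grep -Fxv -f "$b" "$g" || true   # grep exits 1 when nothing differs
    rm -f "$g" "$b"
}

# Constructed sample logs (not real daemon output) written into directory $1
write_samples() {
    cat > "$1/good.log" <<'EOF'
Tue Oct 10 12:05:02 2023 daemon.info dnsmasq[2211]: started, cache size 150
Tue Oct 10 12:05:40 2023 daemon.info ipsec: constructed sample: daemon started
Tue Oct 10 12:05:41 2023 daemon.info ipsec: constructed sample: connections loaded
EOF
    cat > "$1/failed.log" <<'EOF'
Tue Oct 10 12:00:31 2023 daemon.info dnsmasq[1042]: started, cache size 150
EOF
}

if [ "$#" -eq 2 ]; then
    only_in_good "$1" "$2"
else
    d=$(mktemp -d) && write_samples "$d" &&
        only_in_good "$d/good.log" "$d/failed.log"
    rm -rf "$d"
fi
```

Run with two file arguments to compare real captures; with no arguments it runs on the constructed samples.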