Current File : //lib/systemd/system/ipsec.service

[Unit]
Description=Internet Key Exchange (IKE) Protocol Daemon for IPsec
Wants=network-online.target
After=network-online.target
Documentation=man:ipsec(8) man:pluto(8) man:ipsec.conf(5)

[Service]
Type=notify
Restart=on-failure
# 12 is the shutdown while leaving kernel state. Restarting would still kill kernel state
RestartPreventExitStatus=12

#RestartPreventExitStatus=137 143 SIGTERM SIGKILL

# Set WatchdogSec to the amount of time (in seconds) that systemd will wait
# before restarting an unresponsive pluto.
# EVENT_SD_WATCHDOG updates the heartbeat every 15 seconds, recommended values
# are 60, 90, 120. WatchdogSec=0 disables the action
NotifyAccess=all
WatchdogSec=200

# Check configuration file
ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig
# Check for kernel modules
ExecStartPre=/usr/libexec/ipsec/_stackmanager start
# Check for nss database status and migration
ExecStartPre=/usr/sbin/ipsec --checknss
# Check for nflog setup
ExecStartPre=/usr/sbin/ipsec --checknflog
# Start the actual IKE daemon
ExecStart=/usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
# Enable for portexcludes support
# ExecStartPost=/usr/libexec/ipsec/portexcludes
ExecStop=/usr/libexec/ipsec/whack --shutdown
# 12 is the exit code of pluto for shutting down "leaving state"
ExecStopPost=/bin/bash -c 'if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi'
ExecStopPost=/usr/sbin/ipsec --stopnflog

[Install]
WantedBy=multi-user.target