
<div>Hi,</div>

<div> </div>

<div>My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file attached.</div>

<div> </div>

<div>Now when I change the esp encryption algorithm for IpSecMPlane then I fire the following commands in the given below order:-</div>

<div>1. ipsec down IpSecMPlane</div>

<div>2. Write the new esp encryption algorithm for IpSecMPlane in ipsec.conf.</div>

<div>3 Ipsec update </div>

<div>4. ipsec up IpSecMPlane</div>

<div> </div>

<div>When I executed the above steps more than three times, after the third time the stack is not able to bring down the IpSecMPlane SA.</div>

<div>After debugging the problem I found following things:-</div>

<div>1. The control comes to the listen_ function of bus.c where it queue the job into the processor and waits on wait command.</div>

<div>2. I think the processor is not able to process this queued job.</div>

<div> </div>

<div>What could be the reason for this?</div>

<div> </div>

<div>Here's the ipsec.conf file I was using:-</div>

<div>config setup<br> cachecrls=no<br> charonstart=yes<br> plutostart=no<br> strictcrlpolicy=no<br> uniqueids=no</div>

<div> </div>

<div>ca AllPlanes<br> cacert=/tmp/RootCert3801_7349bbdb.pem<br> auto=add</div>

<div> </div>

<div>conn IpSecMPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>

 esp=3des-sha1-modp1024,aes128-sha1-modp1024!<br> authby=rsasig<br> left=20.20.20.21<br> leftsubnet=<a href="http://15.15.15.2/32">15.15.15.2/32</a><br> right=10.10.10.2<br> rightsubnet=<a href="http://14.14.14.2/32">14.14.14.2/32</a><br>

 leftprotoport=sctp/9901<br> rightprotoport=sctp/9901<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>

<div> </div>

<div>conn IpSecSSEPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>

 esp=aes128-sha1-modp1024,3des-sha1-modp1024!<br> authby=rsasig<br> left=22.22.22.23<br> leftsubnet=<a href="http://15.15.15.5/32">15.15.15.5/32</a><br> right=12.12.12.2<br> rightsubnet=<a href="http://0.0.0.0/32">0.0.0.0/32</a><br>

 leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>

<div> </div>

<div>conn IpSecCPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>

 esp=null-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=<a href="http://16.16.16.2/32">16.16.16.2/32</a><br> right=11.11.11.2<br> rightsubnet=<a href="http://16.16.16.3/32,16.16.16.4/32">16.16.16.3/32,16.16.16.4/32</a><br>

 leftprotoport=sctp<br> rightprotoport=sctp<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>

<div> </div>

<div>conn IpSecUPSPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>

 esp=null-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=<a href="http://16.16.16.2/32">16.16.16.2/32</a><br> right=11.11.11.2<br> rightsubnet=<a href="http://17.17.17.3/32">17.17.17.3/32</a><br> leftprotoport=udp/49156<br>

 rightprotoport=udp/49156<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>

<div> </div>

<div>conn IpSecUCSPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>

 esp=aes128-sha1-modp1024,3des-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=<a href="http://16.16.16.2/32">16.16.16.2/32</a><br> right=11.11.11.2<br> rightsubnet=<a href="http://17.17.17.3/32">17.17.17.3/32</a><br>

 leftprotoport=udp/49154<br> rightprotoport=udp/49154<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>

<div> </div>

<div>conn IpSecToPPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>

 esp=null-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=<a href="http://16.16.16.2/32">16.16.16.2/32</a><br> right=11.11.11.2<br> rightsubnet=<a href="http://17.17.17.5/32">17.17.17.5/32</a><br> leftprotoport=udp<br>

 rightprotoport=udp<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>

<div> </div>

<div> </div>

<div>Thanks in advance.</div>

<div> </div>

<div>Regards,</div>

<div>Vivek</div>

<div> </div>

<div> </div>