<div>Hi,</div>
<div> </div>
<div>My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file attached.</div>
<div> </div>
<div>Now when I change the ESP encryption algorithm for IpSecMPlane, I fire the following commands in the order given below:</div>
<div>1. ipsec down IpSecMPlane</div>
<div>2. Write the new esp encryption algorithm for IpSecMPlane in ipsec.conf.</div>
<div>3. ipsec update</div>
<div>4. ipsec up IpSecMPlane</div>
<div> </div>
<div>When I executed the above steps more than three times, after the third time the stack is not able to bring down the IpSecMPlane SA.</div>
<div>After debugging the problem I found the following things:</div>
<div>1. The control comes to the listen_ function of bus.c, where it queues the job into the processor and waits on the wait command.</div>
<div>2. I think the processor is not able to process this queued job.</div>
<div> </div>
<div>What could be the reason for this?</div>
<div> </div>
<div>Here's the ipsec.conf file I was using:</div>
<div>config setup<br> cachecrls=no<br> charonstart=yes<br> plutostart=no<br> strictcrlpolicy=no<br> uniqueids=no</div>
<div> </div>
<div>ca AllPlanes<br> cacert=/tmp/RootCert3801_7349bbdb.pem<br> auto=add</div>
<div> </div>
<div>conn IpSecMPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>
esp=3des-sha1-modp1024,aes128-sha1-modp1024!<br> authby=rsasig<br> left=20.20.20.21<br> leftsubnet=15.15.15.2/32<br> right=10.10.10.2<br> rightsubnet=14.14.14.2/32<br>
leftprotoport=sctp/9901<br> rightprotoport=sctp/9901<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>
<div> </div>
<div>conn IpSecSSEPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>
esp=aes128-sha1-modp1024,3des-sha1-modp1024!<br> authby=rsasig<br> left=22.22.22.23<br> leftsubnet=15.15.15.5/32<br> right=12.12.12.2<br> rightsubnet=0.0.0.0/32<br>
leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>
<div> </div>
<div>conn IpSecCPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>
esp=null-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=16.16.16.2/32<br> right=11.11.11.2<br> rightsubnet=16.16.16.3/32,16.16.16.4/32<br>
leftprotoport=sctp<br> rightprotoport=sctp<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>
<div> </div>
<div>conn IpSecUPSPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>
esp=null-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=16.16.16.2/32<br> right=11.11.11.2<br> rightsubnet=17.17.17.3/32<br> leftprotoport=udp/49156<br>
rightprotoport=udp/49156<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>
<div> </div>
<div>conn IpSecUCSPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>
esp=aes128-sha1-modp1024,3des-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=16.16.16.2/32<br> right=11.11.11.2<br> rightsubnet=17.17.17.3/32<br>
leftprotoport=udp/49154<br> rightprotoport=udp/49154<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>
<div> </div>
<div>conn IpSecToPPlane<br> ikelifetime=24h<br> keyexchange=ikev2<br> keyingtries=%forever<br> keylife=90m<br> reauth=no<br> rekey=yes<br> mobike=no<br> dpddelay=0<br> rekeymargin=4m<br> ike=aes128-sha1-modp1024,3des-sha1-modp1024!<br>
esp=null-sha1-modp1024!<br> authby=rsasig<br> left=21.21.21.22<br> leftsubnet=16.16.16.2/32<br> right=11.11.11.2<br> rightsubnet=17.17.17.5/32<br> leftprotoport=udp<br>
rightprotoport=udp<br> leftcert=/tmp/BTScert.pem<br> rightid=%any<br> auto=add</div>
<div> </div>
<div> </div>
<div>Thanks in advance.</div>
<div> </div>
<div>Regards,</div>
<div>Vivek</div>
<div> </div>
<div> </div>
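<div>The four steps from the message above as a script, with the esp= edit limited to one conn section and a time limit on ipsec down/up so that a command that never returns is reported instead of blocking the caller. This is an added example, not part of the original message; the function names, the default path /etc/ipsec.conf, the 30-second limit and the sample configuration are assumptions.</div>

```shell
#!/bin/sh
# Added example (not from the original post). Function names, the default
# path /etc/ipsec.conf and the 30 s limit are assumptions.

# Constructed sample input: two conn sections in ipsec.conf layout.
sample_conf() {
cat <<'EOF'
conn IpSecMPlane
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=3des-sha1-modp1024,aes128-sha1-modp1024!
    auto=add

conn IpSecCPlane
    esp=null-sha1-modp1024!
    auto=add
EOF
}

# set_conn_esp CONN PROPOSAL FILE: print FILE with the esp= line of section
# "conn CONN" replaced. Exit status 1 if that section has no esp= line.
set_conn_esp() {
    awk -v conn="$1" -v esp="$2" '
        # Section headers start in column 1; parameters are indented.
        /^[^ \t#]/ { in_conn = ($1 == "conn" && $2 == conn) }
        in_conn && /^[ \t]+esp[ \t]*=/ {
            match($0, /^[ \t]+/)               # keep original indentation
            print substr($0, 1, RLENGTH) "esp=" esp
            changed = 1
            next
        }
        { print }
        END { exit(changed ? 0 : 1) }
    ' "$3"
}

# apply_esp_change CONN PROPOSAL [CONF] [LIMIT]: steps 1-4 of the post.
# timeout(1) exits with 124 when the command had to be killed.
apply_esp_change() {
    conn=$1; esp=$2; conf=${3:-/etc/ipsec.conf}; limit=${4:-30}
    timeout "$limit" ipsec down "$conn"
    [ $? -ne 124 ] || { echo "ipsec down $conn: no reply in ${limit}s" >&2; return 2; }
    tmp=$(mktemp) || return 1
    set_conn_esp "$conn" "$esp" "$conf" > "$tmp" || { rm -f "$tmp"; return 3; }
    cat "$tmp" > "$conf" && rm -f "$tmp" || return 1
    ipsec update || return 4
    timeout "$limit" ipsec up "$conn"
    [ $? -ne 124 ] || { echo "ipsec up $conn: no reply in ${limit}s" >&2; return 5; }
}
```

<div>A return value of 2 or 5 from apply_esp_change marks the run in which ipsec down or ipsec up stopped returning, which is the point at which the daemon's log and thread state are worth capturing.</div>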