<div>Hi,</div><div><br></div><div>I configured dpdaction=restart, dpddelay=30 and auto=route. Please see the ipsec.conf file below:</div><div><br></div><div>config setup</div>
<div> charonstart=yes</div><div> plutostart=no</div><div> uniqueids=no</div><div> charondebug="knl 0,enc 0,net 0"</div><div>conn %default</div><div> auto=route</div><div> keyexchange=ikev2</div>
<div> reauth=no</div><div>conn rule20-1~vpn20</div><div> rekeymargin=180</div><div> rekeyfuzz=100%</div><div> left=10.0.0.1</div><div> right=10.0.0.2</div><div> leftsubnet=10.0.0.1/32</div>
<div> rightsubnet=10.0.0.2/32</div><div> authby=secret</div><div> leftid=10.0.0.1</div><div> rightid=%any</div><div> ike=aes128-md5-modp1536!</div><div> esp=aes128-md5!</div>
<div> type=tunnel</div><div> ikelifetime=3600s</div><div> keylife=1800s</div><div> dpdaction=restart</div><div> dpddelay=30</div><div> mobike=no</div><div> auto=route</div>
<div> reauth=no</div><div> encapdscp=yes</div><div><br></div><div>conn rule21-1~vpn21</div><div> rekeymargin=180</div><div> rekeyfuzz=100%</div><div> left=20.0.0.1</div>
<div> right=20.0.0.2</div><div> leftsubnet=20.0.0.1/32</div><div> rightsubnet=20.0.0.2/32</div><div> authby=secret</div><div> leftid=20.0.0.1</div>
<div> rightid=%any</div><div> ike=aes128-md5-modp1536!</div><div> esp=aes128-md5!</div><div> type=tunnel</div><div> ikelifetime=3600s</div><div> keylife=1800s</div><div> dpdaction=restart</div>
<div> dpddelay=30</div><div> mobike=no</div><div> auto=route</div><div> reauth=no</div><div> encapdscp=yes</div><div><br></div><div>There are two conn sections. I started the traffic for the conn rule20-1~vpn20, and the CHILD_SAs are getting established. The logs are:</div>
<div><br></div><div>Feb 12 00:21:19.816015 info charon: 15[IKE] IKE_SA rule20-1~vpn20[1] established between 10.0.0.2[(vr*)10.0.0.2]...10.0.0.1[(vr*)10.0.0.1]</div><div>Feb 12 00:21:19.816451 info charon: 15[IKE] scheduling rekeying in 3411s</div>
<div>Feb 12 00:21:19.816677 info charon: 15[IKE] maximum IKE_SA lifetime 3591s</div><div>Feb 12 00:21:19.817671 info charon: 15[IKE] CHILD_SA rule20-1~vpn20{4} established with SPIs c1dd2c2f_i c56e7496_o and TS 10.0.0.2/32 === 10.0.0.1/32</div>
<div>Feb 12 00:21:19.851876 info charon: 07[IKE] authentication of '(vr*)10.0.0.2' with pre-shared key successful</div><div>Feb 12 00:21:19.852125 info charon: 07[IKE] IKE_SA rule20-1~vpn20[1] established between 10.0.0.1[(vr*)10.0.0.1]...10.0.0.2[(vr*)10.0.0.2]</div>
<div>Feb 12 00:21:19.852501 info charon: 07[IKE] scheduling rekeying in 3366s</div><div>Feb 12 00:21:19.852702 info charon: 07[IKE] maximum IKE_SA lifetime 3546s</div><div>Feb 12 00:21:19.853516 info charon: 07[IKE] CHILD_SA rule20-1~vpn20{1} established with SPIs c56e7496_i c1dd2c2f_o and TS 10.0.0.1/32 === 10.0.0.2/32</div>
<div><br></div><div>Now I stopped the traffic, deleted the conn section [rule20-1~vpn20] from the /etc/ipsec.conf file and sent SIGHUP to the starter pid, and I am seeing the logs below:</div><div><br></div><div>Feb 12 00:23:27.820262 info IPSec: Starter: sending SIGHUP to Starter pid 26310</div>
<div>Feb 12 00:23:27.821899 info charon: 11[CFG] received stroke: terminate 'rule20-1~vpn20{*}'</div><div>Feb 12 00:23:27.822286 info charon: 08[IKE] closing CHILD_SA rule20-1~vpn20{1} with SPIs c56e7496_i (1064 bytes) c1dd2c2f_o (588 bytes) and TS 10.0.0.1/32 === 10.0.0.2/32</div>
<div>Feb 12 00:23:27.822476 info charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c56e7496</div><div>Feb 12 00:23:27.790566 info charon: 09[IKE] received DELETE for ESP CHILD_SA with SPI c56e7496</div><div>Feb 12 00:23:27.790882 info charon: 09[IKE] closing CHILD_SA rule20-1~vpn20{4} with SPIs c1dd2c2f_i (1064 bytes) c56e7496_o (588 bytes) and TS 10.0.0.2/32 === 10.0.0.1/32</div>
<div>Feb 12 00:23:27.791094 info charon: 09[IKE] sending DELETE for ESP CHILD_SA with SPI c1dd2c2f</div><div>Feb 12 00:23:27.791094 info charon: 09[IKE] CHILD_SA closed</div><div>Feb 12 00:23:27.791601 info charon: 09[IKE] establishing CHILD_SA rule20-1~vpn20</div>
<div><br></div><div>Feb 12 00:23:27.826876 info charon: 10[IKE] CHILD_SA rule20-1~vpn20{4} established with SPIs c64da587_i c53dfa9a_o and TS 10.0.0.1/32 === 10.0.0.2/32</div>
<div>Feb 12 00:23:27.827289 info charon: 16[CFG] received stroke: unroute 'rule20-1~vpn20'</div><div>Feb 12 00:23:27.828274 info charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI c1dd2c2f</div><div>Feb 12 00:23:27.828462 info charon: 12[IKE] CHILD_SA closed</div>
<div>Feb 12 00:23:27.829138 info charon: 07[CFG] received stroke: delete connection 'rule20-1~vpn20'</div><div>Feb 12 00:23:27.829239 info charon: 07[CFG] deleted connection 'rule20-1~vpn20'</div><div>Feb 12 00:23:27.797011 info charon: 11[IKE] CHILD_SA rule20-1~vpn20{5} established with SPIs c53dfa9a_i c64da587_o and TS 10.0.0.2/32 === 10.0.0.1/32</div>
<div>Feb 12 00:22:58.645625 info </div><div><br></div><div>Because a new CHILD_SA is getting established, setkey -DP still shows the related policies. Why is this happening?</div><div><br></div><div>If I remove dpdaction=restart, then after executing the above test I can see the policies being removed from the kernel.</div>
<div><br></div><div>My doubt is why the policies are not being deleted when I configure dpdaction=restart?</div><div><br></div><div>Can someone please help me understand this dpdaction=restart behaviour.</div><div><br>
</div><div><br></div><div>---Bhargav</div>
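<div>As an added diagnostic that is not part of this thread: a small Python checker that replays the relevant charon lines quoted above and reports, per connection, which CHILD_SAs came up after the terminate stroke and which are still open once the connection has been deleted from the daemon. Those leftover SAs are the ones whose policies setkey -DP keeps listing. It assumes the log format shown in the post and tracks SAs by inbound SPI, since both peers' lines are interleaved; the audit and leftovers functions are mine, not strongSwan's.</div>

```python
import re
from collections import defaultdict

# Constructed sample: the relevant lines quoted in the post above, in the order shown there.
SAMPLE_LOG = """\
Feb 12 00:23:27.821899 info charon: 11[CFG] received stroke: terminate 'rule20-1~vpn20{*}'
Feb 12 00:23:27.822286 info charon: 08[IKE] closing CHILD_SA rule20-1~vpn20{1} with SPIs c56e7496_i (1064 bytes) c1dd2c2f_o (588 bytes) and TS 10.0.0.1/32 === 10.0.0.2/32
Feb 12 00:23:27.790882 info charon: 09[IKE] closing CHILD_SA rule20-1~vpn20{4} with SPIs c1dd2c2f_i (1064 bytes) c56e7496_o (588 bytes) and TS 10.0.0.2/32 === 10.0.0.1/32
Feb 12 00:23:27.791601 info charon: 09[IKE] establishing CHILD_SA rule20-1~vpn20
Feb 12 00:23:27.826876 info charon: 10[IKE] CHILD_SA rule20-1~vpn20{4} established with SPIs c64da587_i c53dfa9a_o and TS 10.0.0.1/32 === 10.0.0.2/32
Feb 12 00:23:27.827289 info charon: 16[CFG] received stroke: unroute 'rule20-1~vpn20'
Feb 12 00:23:27.829138 info charon: 07[CFG] received stroke: delete connection 'rule20-1~vpn20'
Feb 12 00:23:27.797011 info charon: 11[IKE] CHILD_SA rule20-1~vpn20{5} established with SPIs c53dfa9a_i c64da587_o and TS 10.0.0.2/32 === 10.0.0.1/32
"""

STROKE = re.compile(r"received stroke: (terminate|unroute|delete connection) '([^'{]+)")
ESTABLISHED = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o")
CLOSING = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\} with SPIs (\w+)_i")


def audit(log):
    """Per connection: stroke commands seen, CHILD_SAs (keyed by inbound SPI) still open
    at the end of the log, and CHILD_SAs that were established after a terminate stroke."""
    report = defaultdict(lambda: {"strokes": [], "open": {}, "after_terminate": []})
    for line in log.splitlines():
        if m := STROKE.search(line):
            kind, conn = m.groups()
            report[conn]["strokes"].append(kind)
        elif m := ESTABLISHED.search(line):
            conn, child, spi_in, spi_out = m.groups()
            report[conn]["open"][spi_in] = child
            if "terminate" in report[conn]["strokes"]:
                report[conn]["after_terminate"].append((child, spi_in, spi_out))
        elif m := CLOSING.search(line):
            conn, child, spi_in = m.groups()
            report[conn]["open"].pop(spi_in, None)
    return dict(report)


def leftovers(report):
    """Connections deleted from the daemon that still have open CHILD_SAs: exactly the
    state in which the kernel keeps policies that 'setkey -DP' will still show."""
    return {conn: sorted(r["open"]) for conn, r in report.items()
            if "delete connection" in r["strokes"] and r["open"]}


if __name__ == "__main__":
    for conn, spis in leftovers(audit(SAMPLE_LOG)).items():
        print(f"{conn}: deleted but still has open CHILD_SAs with inbound SPIs {spis}")
```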