[strongSwan-dev] [PATCH] starter: cleanup SAs when deleting a connection

Emeric POUPON emeric.poupon at stormshield.eu
Wed Mar 11 12:16:16 CET 2015


Hello,

> Note that a hard delete without a confirmed exchange is something we
> should avoid when possible; the peer might think that the tunnel is
> still alive, and send traffic to a black hole.
>
> Having that said, you may try to issue two subsequent "down" commands.
> The first will trigger a graceful tunnel shutdown with confirmation.
> Once in the DELETING state, an additional "down" command will
> immediately remove the IKE_SA.

Thanks for the tip!
To make it work, I had to modify the terminate command of the stroke plugin so that it deletes the IKE SA if a CHILD SA exists with the same name.
The second call indeed removes the IKE SA immediately.

> In my opinion, I think we should focus more on the swanctl interface and
> the underlying vici IPC mechanism. It avoids many problems by closer
> resembling the configuration hierarchy in swanctl.conf. When reloading
> connections, it inverts any specified start_action, and so basically
> affects established connections (not manually initiated). This is all
> relatively new, and certainly far away from perfect. But as we have a
> better configuration format and a proper return channel in vici, the
> foundation is much better to implement such functionality.

I will take some time to have a look at this new configuration interface, but I'm afraid we are likely to hit trouble too.

Best Regards,

Emeric

