[strongSwan] charon and ipsec down name
Wolfgang Walter
wolfgang.walter at stwm.de
Thu Nov 11 23:58:00 CET 2010
Hello Andreas,
On Thursday 11 November 2010, you wrote:
> Hello Wolfgang,
>
> please have a look at our HOWTO which explains how you can take
> down individual instances of IKE_SAs and CHILD_SAs:
>
> http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand
>
I read it and understood it (but wrong, though).
I thought that it will behave semantically the same for ikev1 and ikev2:
This howto says:
===
ipsec down <name>
tells the responsible IKE daemon to terminate connection <name>. Implemented
by calling the ipsec whack --name <name> --terminate and/or ipsec stroke down
<name> commands.
====
This suggerates that if you have
conn <name>
....
in your ipsec.conf this coommand will terminate this connection (and only this
connection). It does so for pluto, it doesn't for charon. For charon it either
does nothing or kills practically every connection whith the same endpoints as
connection <name>. So it makes a big difference if it is a ikev1 or an ikev2
connection.
Maybe a clarification in this howto would be good. When I migrated from ikev1
to ikev2 it would have been good to know that I had to modify some scripts.
Maybe something like:
"For IKEv2 this command will probably not do what you expect. Use ipsec down
<name>{*} and/or ipsec down <name>[*] instead."
> Regards
>
> Andreas
>
> On 11/11/2010 08:15 PM, Wolfgang Walter wrote:
> > Hello,
> >
> > I use strongswan 4.4.1.
> >
> > The manual says that
> >
> > ipsec down <name>
> >
> > will terminate connection <name>.
> >
> > This is not really true with charon:
> >
> > If there are serveral connections between two routers, then
> > ipsec down <name> does nothing if <name> uses the IKE SA of another
connection
> > or kills all this and all other connections which also the IKE SA of
<name>.
> >
> > I think it would be better if charon behaved like that:
> >
> > ipsec down <name>{*}
> > and for every IKE SA <name>[<n>] which has no other childs
> > ipsec down <name>[<n>]
> >
> > Or the documentation is changed.
> >
> > Regards
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
>
Regards,
--
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
More information about the Users
mailing list