[strongSwan] charon and ipsec down name

Wolfgang Walter wolfgang.walter at stwm.de
Thu Nov 11 23:58:00 CET 2010


Hello Andreas,

On Thursday 11 November 2010, you wrote:
> Hello Wolfgang,
> 
> please have a look at our HOWTO which explains how you can take
> down individual instances of IKE_SAs and CHILD_SAs:
> 
> http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand
> 

I read it and understood it (but wrong, though).

I thought that it will behave semantically the same for ikev1 and ikev2:

This howto says:

===
ipsec down <name>

tells the responsible IKE daemon to terminate connection <name>. Implemented 
by calling the ipsec whack --name <name> --terminate and/or ipsec stroke down 
<name> commands.
====

This suggests that if you have

conn <name>
	....

in your ipsec.conf this command will terminate this connection (and only this 
connection). It does so for pluto, it doesn't for charon. For charon it either 
does nothing or kills practically every connection with the same endpoints as 
connection <name>. So it makes a big difference if it is an ikev1 or an ikev2 
connection.

Maybe a clarification in this howto would be good. When I migrated from ikev1 
to ikev2 it would have been good to know that I had to modify some scripts. 
Maybe something like:

"For IKEv2 this command will probably not do what you expect. Use ipsec down 
<name>{*} and/or ipsec down <name>[*] instead."


> Regards
> 
> Andreas
> 
> On 11/11/2010 08:15 PM, Wolfgang Walter wrote:
> > Hello,
> > 
> > I use strongswan 4.4.1.
> > 
> > The manual says that
> > 
> > 	 ipsec down <name>
> > 
> > will terminate connection <name>.
> > 
> > This is not really true with charon:
> > 
> > If there are several connections between two routers, then
> > ipsec down <name> does nothing if <name> uses the IKE SA of another
> > connection or kills all this and all other connections which also use
> > the IKE SA of <name>.
> > 
> > I think it would be better if charon behaved like that:
> > 
> > ipsec down <name>{*}
> > and for every IKE SA <name>[<n>] which has no other children
> > ipsec down <name>[<n>]
> > 
> > Or the documentation is changed.
> > 
> > Regards
> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
> 
> 

Regards,
-- 
Wolfgang Walter
Studentenwerk München
Anstalt des öffentlichen Rechts
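The semantics proposed in the quoted message (take down every CHILD_SA of <name>, then only those IKE SAs that carried no other connection's children) can be scripted from the daemon's status output. The following is an added example, not code from this thread or from the strongSwan project. It works on a constructed sample of "ipsec status" output, and the assumed layout (an IKE_SA line "<conn>[n]: ..." followed by the CHILD_SA lines "<conn>{n}: ..." it carries) is an assumption about the output format. The function only prints the "ipsec down" commands so the plan can be checked before anything is terminated.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): given a connection name,
# print the "ipsec down" commands that implement the proposed IKEv2/charon
# semantics: terminate every CHILD_SA of <name> (<name>{n}), then terminate
# each IKE_SA (<conn>[n]) that carried only <name> children.

# Constructed sample of "ipsec status" output; the layout (an IKE_SA line
# "<conn>[n]: ..." followed by the CHILD_SA lines "<conn>{n}: ..." it
# carries) is an assumption about the daemon's output, not captured text.
SAMPLE_STATUS='Security Associations:
  net-a[1]: ESTABLISHED 10 minutes ago, 192.0.2.1[moon]...192.0.2.2[sun]
  net-a{1}:  INSTALLED, TUNNEL, ESP SPIs: c0000001_i c0000002_o
  net-a{1}:   10.1.0.0/24 === 10.2.0.0/24
  net-b{2}:  INSTALLED, TUNNEL, ESP SPIs: c0000003_i c0000004_o
  net-b{2}:   10.1.1.0/24 === 10.2.1.0/24
  net-b[2]: ESTABLISHED 3 minutes ago, 192.0.2.1[moon]...192.0.2.2[sun]
  net-b{3}:  INSTALLED, TUNNEL, ESP SPIs: c0000005_i c0000006_o
  net-b{3}:   10.1.2.0/24 === 10.2.2.0/24'

# plan_down <name> [status-text]: prints the commands without running them,
# so the plan can be reviewed first; pass "$(ipsec status)" as the second
# argument to work from live output instead of the sample.
plan_down() {
    name=$1
    status=${2:-$SAMPLE_STATUS}
    printf '%s\n' "$status" | awk -v name="$name" '
        # IKE_SA line: "<conn>[n]:" becomes the current parent
        $1 ~ /\[[0-9]+\]:$/ {
            ike = substr($1, 1, length($1) - 1)
            if (!(ike in total)) { order[++n] = ike; total[ike] = 0 }
            next
        }
        # CHILD_SA line: "<conn>{n}:" belongs to the current parent;
        # each CHILD_SA is printed on several lines, so count it once
        $1 ~ /\{[0-9]+\}:$/ {
            child = substr($1, 1, length($1) - 1)
            if (seen[child]++) next
            conn = child; sub(/\{.*/, "", conn)
            total[ike]++
            if (conn == name) { mine[ike]++; children[++c] = child }
        }
        END {
            # first the CHILD_SAs of <name> ...
            for (i = 1; i <= c; i++) print "ipsec down " children[i]
            # ... then only the IKE_SAs that carried nothing else
            for (i = 1; i <= n; i++) {
                ike = order[i]
                if (mine[ike] > 0 && mine[ike] == total[ike])
                    print "ipsec down " ike
            }
        }'
}

if [ $# -gt 0 ]; then
    plan_down "$1"
fi
```

With the sample, "plan_down net-b" lists net-b{2}, net-b{3} and then net-b[2], while net-a[1] is left alone because it still carries net-a{1}; "plan_down net-a" lists only net-a{1}, since its IKE_SA also carries net-b{2}. That is exactly the difference between this plan and a plain "ipsec down <name>" on charon, which would take the whole IKE_SA down with every child on it.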