[strongSwan] purgeike not working for me in 4.5.2dr2 or 4.5.1

Lin, Clifton (US SSA) clifton.lin at baesystems.com
Tue Mar 22 17:32:49 CET 2011


Hi,

The "ipsec purgeike" command is no longer working for me on strongSwan 4.5.2dr2 or 4.5.1.  Note that this was working for me in 4.4.1.

For example, let's say I have started a connection between two hosts.  ipsec statusall returns the following SAs:

...
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 seconds ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 51 minutes
conn-10.41.42.210-10.41.42.215[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
conn-10.41.42.210-10.41.42.215{1}:  INSTALLED, TUNNEL, ESP SPIs: c007624c_i c7bf7897_o
conn-10.41.42.210-10.41.42.215{1}:  NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
conn-10.41.42.210-10.41.42.215{1}:   10.41.42.210/32 === 10.41.42.215/32

Then I call "ipsec down conn-10.41.42.210-10.41.42.215{1}" to delete the child SA, and then ipsec statusall returns:

...
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 minutes ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 48 minutes
conn-10.41.42.210-10.41.42.215[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

Now, I call 'ipsec purgeike' which should remove the remaining IKE_SA because it has no child SAs.  However, nothing appears to happen.  Those three lines still appear when I call 'ipsec statusall'.

Any idea why it is not working for me?

Thanks,
Clifton
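
An added example, not part of the original post and not strongSwan code: a small parser that reads "ipsec statusall" output and reports the IKE_SAs that have no CHILD_SA, i.e. the ones the post expects 'ipsec purgeike' to remove. It assumes that name[N] lines describe an IKE_SA, name{N} lines describe a CHILD_SA, and that CHILD_SA lines are printed directly under the IKE_SA they belong to; the function name and sample variables are hypothetical.

```python
import re

# Sample input: lines copied from the post, before and after
# "ipsec down conn-10.41.42.210-10.41.42.215{1}".
BEFORE = """\
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 seconds ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 51 minutes
conn-10.41.42.210-10.41.42.215{1}:  INSTALLED, TUNNEL, ESP SPIs: c007624c_i c7bf7897_o
conn-10.41.42.210-10.41.42.215{1}:   10.41.42.210/32 === 10.41.42.215/32
"""
AFTER = """\
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 minutes ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 48 minutes
"""

# The first token of a line ends in [N]: for an IKE_SA and {N}: for a CHILD_SA.
IKE_RE = re.compile(r"^\s*(?P<name>\S+)\[(?P<id>\d+)\]:\s")
CHILD_RE = re.compile(r"^\s*(?P<name>\S+)\{(?P<id>\d+)\}:\s")


def childless_ike_sas(statusall):
    """Return the 'name[N]' labels of IKE_SAs that list no CHILD_SA."""
    children = {}      # "name[N]" -> set of "name{N}" labels seen under it
    current = None     # IKE_SA whose block is being read
    in_sas = False     # ignore everything before the SA section header
    for line in statusall.splitlines():
        if line.startswith("Security Associations"):
            in_sas = True
            continue
        if not in_sas:
            continue
        m = IKE_RE.match(line)
        if m:
            current = f"{m['name']}[{m['id']}]"
            children.setdefault(current, set())
            continue
        m = CHILD_RE.match(line)
        # Assumption: a CHILD_SA line belongs to the IKE_SA printed above it.
        if m and current is not None:
            children[current].add(f"{m['name']}{{{m['id']}}}")
    return [ike for ike, kids in children.items() if not kids]


if __name__ == "__main__":
    for label, text in (("before down", BEFORE), ("after down", AFTER)):
        print(label, "->", childless_ike_sas(text))
```

Running the same check again after 'ipsec purgeike' shows whether the childless IKE_SA is still listed.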




