[strongSwan] Can't take down connection instance

Germán Salvador gsalvador at zitralia.com
Mon Oct 17 16:36:16 CEST 2011 

Hi,

I am trying to create an inactive connection cleanup script for 
strongswan. My clients sometimes just unplug their 3G modem so I'm not 
getting a proper VPN shutdown. I'm using IKEv1.

The problem is that I can't take down just one instance of a connection, 
it seem that I need to take down all the connections that share the same 
name:


root at debian:~# ipsec status
000 "vista_psk": 
192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...%any[%any]==={0.0.0.0/0}; 
unrouted; eroute owner: #0
000 "vista_psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "vista_psk"[3]: 
192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...178.139.0.125[178.139.0.125]===178.139.0.125/32; 
erouted; eroute owner: #6
000 "vista_psk"[3]:   newest ISAKMP SA: #0; newest IPsec SA: #6;
000 "vista_psk"[4]: 
192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...77.209.209.224[77.209.209.224]===77.209.209.224/32; 
erouted; eroute owner: #8
000 "vista_psk"[4]:   newest ISAKMP SA: #0; newest IPsec SA: #8;
000
000 #6: "vista_psk"[3] 178.139.0.125 STATE_QUICK_R2 (IPsec SA 
established); EVENT_SA_REPLACE in 616s; newest IPSEC; eroute owner
000 #6: "vista_psk"[3] 178.139.0.125 ah.c6653251 at 178.139.0.125 
ah.78f9cf42 at 77.209.245.65 esp.c8fa985d at 178.139.0.125 (15600 bytes, 2454s 
ago) esp.634022f3 at 77.209.245.65 (15780 bytes, 2454s ago); tunnel
000 #8: "vista_psk"[4] 77.209.209.224 STATE_QUICK_R2 (IPsec SA 
established); EVENT_SA_REPLACE in 1236s; newest IPSEC; eroute owner
000 #8: "vista_psk"[4] 77.209.209.224 ah.5148cbf6 at 77.209.209.224 
ah.ed1bb4e2 at 77.209.245.65 esp.88b244ac at 77.209.209.224 (125280 bytes, 1s 
ago) esp.2a065ed2 at 77.209.245.65 (125460 bytes, 1s ago); tunnel
000


For example, with two clients, one of them disconnected a lot time ago...

root at debian:~# ipsec down vista_psk[3]
021 no connection named "vista_psk[3]"

root at debian:~# ipsec down "vista_psk"[3]
021 no connection named "vista_psk[3]"

root at debian:~# ipsec down vista_psk
002 "vista_psk"[4] 77.209.209.224: terminating SAs using this connection
002 "vista_psk" #8: deleting state (STATE_QUICK_R2)
002 "vista_psk" #8: down-client output: 200 OK
002 "vista_psk"[4] 77.209.209.224: deleting connection "vista_psk" 
instance with peer 77.209.209.224 {isakmp=#0/ipsec=#0}
002 "vista_psk"[3] 178.139.0.125: terminating SAs using this connection
002 "vista_psk" #6: deleting state (STATE_QUICK_R2)
002 "vista_psk" #6: down-client output: 200 OK
002 "vista_psk"[3] 178.139.0.125: deleting connection "vista_psk" 
instance with peer 178.139.0.125 {isakmp=#0/ipsec=#0}

root at debian:~# ipsec status
000 "vista_psk": 
192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...%any[%any]==={0.0.0.0/0}; 
unrouted; eroute owner: #0
000 "vista_psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000


What am I doing wrong?


Thanks in advance,
  Germán

More information about the Users mailing list