[strongSwan] Can't take down connection instance

Germán Salvador gsalvador at zitralia.com
Tue Oct 18 10:15:07 CEST 2011


That seems to work fine.

Many thanks!

   Germán

On 18/10/11 06:42, Stauffer Walter (Galexis) wrote:
> Hi Germán,
>
> you may try
>
>    ipsec whack --deletestate <nr>
>
> where <nr> is found in the output of ipsec status: "000 #<nr> ..."
>
> Best regards,
> Walter
>
>
> -----Original Message-----
> From: users-bounces+walter.stauffer=galexis.com at lists.strongswan.org [mailto:users-bounces+walter.stauffer=galexis.com at lists.strongswan.org] On Behalf Of Germán Salvador
> Sent: Monday, 17 October 2011 16:36
> To: users at lists.strongswan.org
> Subject: [strongSwan] Can't take down connection instance
>
> Hi,
>
> I am trying to create an inactive connection cleanup script for strongswan. My clients sometimes just unplug their 3G modem so I'm not getting a proper VPN shutdown. I'm using IKEv1.
>
> The problem is that I can't take down just one instance of a connection; it seems that I need to take down all the connections that share the same name:
>
>
> root@debian:~# ipsec status
> 000 "vista_psk": 192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...%any[%any]==={0.0.0.0/0}; unrouted; eroute owner: #0
> 000 "vista_psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000 "vista_psk"[3]: 192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...178.139.0.125[178.139.0.125]===178.139.0.125/32; erouted; eroute owner: #6
> 000 "vista_psk"[3]:   newest ISAKMP SA: #0; newest IPsec SA: #6;
> 000 "vista_psk"[4]: 192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...77.209.209.224[77.209.209.224]===77.209.209.224/32; erouted; eroute owner: #8
> 000 "vista_psk"[4]:   newest ISAKMP SA: #0; newest IPsec SA: #8;
> 000
> 000 #6: "vista_psk"[3] 178.139.0.125 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 616s; newest IPSEC; eroute owner
> 000 #6: "vista_psk"[3] 178.139.0.125 ah.c6653251@178.139.0.125 ah.78f9cf42@77.209.245.65 esp.c8fa985d@178.139.0.125 (15600 bytes, 2454s ago) esp.634022f3@77.209.245.65 (15780 bytes, 2454s ago); tunnel
> 000 #8: "vista_psk"[4] 77.209.209.224 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1236s; newest IPSEC; eroute owner
> 000 #8: "vista_psk"[4] 77.209.209.224 ah.5148cbf6@77.209.209.224 ah.ed1bb4e2@77.209.245.65 esp.88b244ac@77.209.209.224 (125280 bytes, 1s ago) esp.2a065ed2@77.209.245.65 (125460 bytes, 1s ago); tunnel
> 000
>
>
> For example, with two clients, one of them disconnected a long time ago...
>
> root@debian:~# ipsec down vista_psk[3]
> 021 no connection named "vista_psk[3]"
>
> root@debian:~# ipsec down "vista_psk"[3]
> 021 no connection named "vista_psk[3]"
>
> root@debian:~# ipsec down vista_psk
> 002 "vista_psk"[4] 77.209.209.224: terminating SAs using this connection
> 002 "vista_psk" #8: deleting state (STATE_QUICK_R2)
> 002 "vista_psk" #8: down-client output: 200 OK
> 002 "vista_psk"[4] 77.209.209.224: deleting connection "vista_psk" instance with peer 77.209.209.224 {isakmp=#0/ipsec=#0}
> 002 "vista_psk"[3] 178.139.0.125: terminating SAs using this connection
> 002 "vista_psk" #6: deleting state (STATE_QUICK_R2)
> 002 "vista_psk" #6: down-client output: 200 OK
> 002 "vista_psk"[3] 178.139.0.125: deleting connection "vista_psk" instance with peer 178.139.0.125 {isakmp=#0/ipsec=#0}
>
> root@debian:~# ipsec status
> 000 "vista_psk": 192.168.0.0/24===77.209.245.65[77.209.245.65]---10.64.64.64...%any[%any]==={0.0.0.0/0}; unrouted; eroute owner: #0
> 000 "vista_psk":   newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
>
>
> What am I doing wrong?
>
>
> Thanks in advance,
>    Germán
>
>
>
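
An added example, not part of the thread or of strongSwan: a sketch of the cleanup script the original question describes, combining the `ipsec status` output with the `ipsec whack --deletestate <nr>` command from the reply. The function names, the 600-second threshold and the sample input (the thread's two SA entries, one per line, with `@` in the SPI fields) are assumptions; it only prints the commands it would run.

```sh
#!/bin/sh
# Added example (not from the thread): find pluto states whose IPsec SAs
# have carried no traffic for longer than a threshold.

# Constructed sample: the two SA entries quoted in the thread, one entry
# per line with "@" in the SPI fields (assumed unwrapped layout).
sample_status() {
cat <<'EOF'
000 #6: "vista_psk"[3] 178.139.0.125 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 616s; newest IPSEC; eroute owner
000 #6: "vista_psk"[3] 178.139.0.125 ah.c6653251@178.139.0.125 ah.78f9cf42@77.209.245.65 esp.c8fa985d@178.139.0.125 (15600 bytes, 2454s ago) esp.634022f3@77.209.245.65 (15780 bytes, 2454s ago); tunnel
000 #8: "vista_psk"[4] 77.209.209.224 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1236s; newest IPSEC; eroute owner
000 #8: "vista_psk"[4] 77.209.209.224 ah.5148cbf6@77.209.209.224 ah.ed1bb4e2@77.209.245.65 esp.88b244ac@77.209.209.224 (125280 bytes, 1s ago) esp.2a065ed2@77.209.245.65 (125460 bytes, 1s ago); tunnel
EOF
}

# stale_states MAX_IDLE: read `ipsec status` text on stdin and print
# "<nr> <idle_seconds>" for every state idle longer than MAX_IDLE.
# Idle time is the smallest "<N>s ago" on the state line, so a tunnel
# with recent traffic in either direction is never reported.
stale_states() {
    awk -v max="$1" '
    $1 == "000" && $2 ~ /^#[0-9]+:$/ {
        nr = substr($2, 2, length($2) - 2)
        for (i = 3; i < NF; i++) {
            if ($i ~ /^[0-9]+s$/ && $(i + 1) ~ /^ago\)/) {
                age = $i
                sub(/s$/, "", age)
                age += 0
                if (!(nr in idle) || age < idle[nr]) idle[nr] = age
            }
        }
    }
    END { for (nr in idle) if (idle[nr] > max) print nr, idle[nr] }
    ' | sort -n
}

# Dry run: print one delete command per stale state instead of running it.
print_cleanup() {
    stale_states "$1" | while read -r nr idle; do
        echo "ipsec whack --deletestate $nr  # idle ${idle}s"
    done
}

sample_status | print_cleanup 600
```

On a live gateway the input would come from `ipsec status | print_cleanup 600`; review the printed commands before executing them, since a quiet but still connected client looks the same as an unplugged one.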





