[strongSwan] connection disappeared from ipsec statusall
Andreas Steffen
andreas.steffen at strongswan.org
Thu Sep 22 06:36:32 CEST 2011
Hello Felix,
in the first case you remove the IKE_SA and both dependent CHILD_SAs
whereas in the second case you remove only CHILD_SA 1.
The following variations of the ipsec down command give you
more control over the termination of multiple IKE_SAs and CHILD_SAs:
ipsec down <name>
    tells the responsible IKE daemon to terminate connection <name>.
ipsec down <name>{n}
    terminates IKEv2 CHILD SA instance n of connection <name>.
ipsec down <name>{*}
    terminates all IKEv2 CHILD SA instances of connection <name>.
ipsec down <name>[n]
    terminates IKEv2 IKE SA instance n of connection <name> plus dependent
    CHILD SAs.
ipsec down <name>[*]
    terminates all IKEv2 IKE SA instances of connection <name>.
Regards
Andreas
On 09/21/2011 10:17 AM, Felix Shao wrote:
> Hi
> I have two conn defined with the same IP address pair, they are shown in
> "ipsec statusall" as "parent and child"
> If I remove the "parent"(2.conn), and call an ipsec update, the "child"
> also disappeared.
> I need to restart the ipsec server to let the "child"(1.conn) show again...
>
> However if I just remove the "child", the parent still present in "ipsec
> statusall".
>
> StrongSwan version: 4.5.0
>
> below is my test:
>
> root at myserver:/etc/ipsec.d/conns# cat 1.conn 2.conn
>
> conn 1
> authby=psk
> auto=add
> left=10.2.2.2
> right=10.2.2.1
> type=tunnel
> keyexchange=ikev2
> esp=aes128-sha256
>
> conn 2
> authby=psk
> auto=add
> left=10.2.2.2
> right=10.2.2.1
> type=tunnel
> keyexchange=ikev2
> esp=aes128-sha256
>
> root at myserver:/etc/ipsec.d/conns# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.0):
> uptime: 4 minutes, since Sep 21 16:01:37 2011
> malloc: sbrk 262144, mmap 0, used 125824, free 136320
> worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
> loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11
> xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke
> updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls
> eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
> 10.2.2.2
> Connections:
> 2: 10.2.2.2...10.2.2.1
> 2: local: [10.2.2.2] uses pre-shared key authentication
> 2: remote: [10.2.2.1] uses any authentication
> 2: child: dynamic === dynamic
> 1: child: dynamic === dynamic
> Security Associations:
> none
>
> root at myserver:/etc/ipsec.d/conns# rm 2.conn
>
> root at myserver:/etc/ipsec.d/conns# ipsec update
> Updating strongSwan IPsec configuration...
> root at myserver:/etc/ipsec.d/conns# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.0):
> uptime: 4 minutes, since Sep 21 16:01:36 2011
> malloc: sbrk 258048, mmap 0, used 116552, free 141496
> worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
> loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11
> xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke
> updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls
> eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
> 10.2.2.2
> Connections:
> Security Associations:
> none
>
> Is this a known issue of StrongSwan or does it just work as designed?
>
> Thank you!
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
--
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
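As an added example (not part of either message in this thread, and not strongSwan's own code), here is a small POSIX shell check that parses the "Connections:" section of `ipsec statusall` output and reports which expected connection names are no longer loaded, which is the situation Felix describes after removing 2.conn and running `ipsec update`. The two sample listings are constructed to mirror the output quoted above (real statusall output indents the connection names, which the parser tolerates); the function names are my own.

```sh
#!/bin/sh
# Print the distinct connection names found in the "Connections:" section of
# `ipsec statusall` output read on stdin. Every line in that section starts
# with "<name>:" (possibly indented); the section ends at "Security Associations:".
loaded_conns() {
    awk '
        /^[ \t]*Connections:/           { in_conns = 1; next }
        /^[ \t]*Security Associations:/ { in_conns = 0 }
        in_conns && $1 ~ /^[^:]+:$/ {
            name = $1
            sub(/:$/, "", name)
            if (!(name in seen)) { seen[name] = 1; print name }
        }
    '
}

# Compare the expected connection names given as arguments against the
# statusall output read on stdin. Prints "missing: <name>" for each expected
# connection that is not loaded; returns 1 if anything is missing, else 0.
check_conns() {
    loaded=$(loaded_conns)
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$loaded" | grep -qx -- "$want"; then
            echo "missing: $want"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: statusall with both conns loaded (mirrors the first listing).
sample_before() {
    cat <<'EOF'
Listening IP addresses:
  10.2.2.2
Connections:
           2:  10.2.2.2...10.2.2.1
           2:   local:  [10.2.2.2] uses pre-shared key authentication
           2:   remote: [10.2.2.1] uses any authentication
           2:   child:  dynamic === dynamic
           1:   child:  dynamic === dynamic
Security Associations:
  none
EOF
}

# Constructed sample: statusall after "rm 2.conn; ipsec update" (second listing).
sample_after() {
    cat <<'EOF'
Listening IP addresses:
  10.2.2.2
Connections:
Security Associations:
  none
EOF
}

# Stand-alone demo: on a live system you would pipe `ipsec statusall` in instead.
echo "before update:"; sample_before | check_conns 1 2 && echo "all expected conns loaded"
echo "after update:";  sample_after  | check_conns 1 2 || echo "some expected conns are not loaded"
```

On a running host the same check is `ipsec statusall | check_conns 1 2`, which makes a convenient post-`ipsec update` sanity check in a deployment script: a non-zero return tells you a connection definition was dropped even though the update itself reported success.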