[strongSwan] connection disappeared from ipsec statusall

Andreas Steffen andreas.steffen at strongswan.org
Thu Sep 22 06:36:32 CEST 2011


Hello Felix,

in the first case you remove the IKE_SA and both dependent CHILD_SAs
whereas in the second case you remove only CHILD_SA 1.

The following variations of the ipsec down command give you
more control over the termination of multiple IKE_SAs and CHILD_SAs:

ipsec down <name>

tells the responsible IKE daemon to terminate connection <name>.

ipsec down <name>{n}

terminates IKEv2 CHILD SA instance n of connection <name>.

ipsec down <name>{*}

terminates all IKEv2 CHILD SA instances of connection <name>.

ipsec down <name>[n]

terminates IKEv2 IKE SA instance n of connection <name> plus dependent
CHILD SAs.

ipsec down <name>[*]

terminates all IKEv2 IKE SA instances of connection <name>.

Regards

Andreas

On 09/21/2011 10:17 AM, Felix Shao wrote:
> Hi
> I have two conn defined with the same IP address pair, they are shown in
> "ipsec statusall" as "parent and child"
> If I remove the "parent"(2.conn), and call an ipsec update, the "child"
> also disappeared.
> I need to restart the ipsec server to let the "child"(1.conn) show again...
> 
> However if I just remove the "child", the parent still present in "ipsec
> statusall".
> 
> StrongSwan version: 4.5.0
> 
> below is my test:
> 
> root@myserver:/etc/ipsec.d/conns# cat 1.conn 2.conn
> 
> conn 1
>         authby=psk
>         auto=add
>         left=10.2.2.2
>         right=10.2.2.1
>         type=tunnel
>         keyexchange=ikev2
>         esp=aes128-sha256
> 
> conn 2
>         authby=psk
>         auto=add
>         left=10.2.2.2
>         right=10.2.2.1
>         type=tunnel
>         keyexchange=ikev2
>         esp=aes128-sha256
> 
> root@myserver:/etc/ipsec.d/conns# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.0):
>   uptime: 4 minutes, since Sep 21 16:01:37 2011
>   malloc: sbrk 262144, mmap 0, used 125824, free 136320
>   worker threads: 7 idle of 16, job queue load: 0, scheduled events: 0
>   loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11
> xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke
> updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls
> eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
>   10.2.2.2
> Connections:
>            2:  10.2.2.2...10.2.2.1
>            2:   local:  [10.2.2.2] uses pre-shared key authentication
>            2:   remote: [10.2.2.1] uses any authentication
>            2:   child:  dynamic === dynamic
>            1:   child:  dynamic === dynamic
> Security Associations:
>   none
> 
> root@myserver:/etc/ipsec.d/conns# rm 2.conn
> 
> root@myserver:/etc/ipsec.d/conns# ipsec update
> Updating strongSwan IPsec configuration...
> root@myserver:/etc/ipsec.d/conns# ipsec statusall
> Status of IKEv2 charon daemon (strongSwan 4.5.0):
>   uptime: 4 minutes, since Sep 21 16:01:36 2011
>   malloc: sbrk 258048, mmap 0, used 116552, free 141496
>   worker threads: 6 idle of 16, job queue load: 0, scheduled events: 0
>   loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random
> x509 revocation pubkey pkcs1 pgp pem openssl fips-prf gmp agent pkcs11
> xcbc hmac ctr ccm gcm attr kernel-netlink resolve socket-raw farp stroke
> updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-tls
> eap-ttls eap-tnc dhcp led addrblock
> Listening IP addresses:
>   10.2.2.2
> Connections:
> Security Associations:
>   none
> 
> Is this a known issue of StrongSwan or does it just work as designed?
> 
> Thank you!


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
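
An added example, not part of the original thread and not strongSwan code: a shell function that groups conn sections by their left/right address pair, so that before deleting a conn file you can see which other conns are listed under the same pair in ipsec statusall (as conn 1 and conn 2 are in the quoted output). The function names and the sample input are constructed for this example (conn 3 is hypothetical), and the script reads only literal left= and right= lines, ignoring %default inheritance and also= includes.

```shell
#!/bin/sh
# Added example: group ipsec.conf-style conn sections by left/right pair.
# Reads conn text on stdin, prints one line per pair: "left...right: name name"
group_conns_by_peer() {
    awk '
        # A section header starts a new conn; remember its name and order.
        $1 == "conn" { name = $2; order[++n] = name; next }
        # Inside a section, record left= and right= (spaces around "=" tolerated).
        name != "" {
            line = $0
            sub(/#.*/, "", line)        # drop trailing comments
            gsub(/[ \t]/, "", line)     # drop indentation and padding
            if (line ~ /^left=/)  left[name]  = substr(line, 6)
            if (line ~ /^right=/) right[name] = substr(line, 7)
        }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                if (c == "%default") continue
                key = left[c] "..." right[c]
                if (!(key in members)) keys[++k] = key
                members[key] = members[key] (members[key] == "" ? "" : " ") c
            }
            for (i = 1; i <= k; i++) print keys[i] ": " members[keys[i]]
        }
    '
}

# Constructed sample: conn 1 and 2 use the address pair from the quoted test,
# conn 3 is a hypothetical conn with a different right address.
sample_conns() {
    cat <<'EOF'
conn 1
        authby=psk
        left=10.2.2.2
        right=10.2.2.1

conn 2
        authby=psk
        left=10.2.2.2
        right=10.2.2.1

conn 3
        left = 10.2.2.2
        right = 10.9.9.9   # different peer
EOF
}

sample_conns | group_conns_by_peer
```

On a real host the input would be the conn files themselves, for example `cat /etc/ipsec.d/conns/*.conn | group_conns_by_peer`.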
