So nobody can help me?
 
Wilfried
----- Original Message -----
From: Wilfried BARNAVON
To: ipsec-tools-devel@lists.sourceforge.net
Sent: Wednesday, November 22, 2006 9:21 PM
Subject: [Ipsec-tools-devel] How to drop tunnels without killing everybody?

Hello all!
 
I have built many tunnels from satellites sites to one central site.
 
My central site has 10.26.1.0/24 as network address. Each satellite site has 10.26.x.0/24 as network address.
My tunnels are up and all is OK, but sometimes I need to drop only one tunnel. Today I can't do that: I have to kill racoon in order to drop one tunnel. This brings all tunnels down... which is not really what I want, and is also very tedious!
 
I had planned to use racoonctl, but it seems broken. I use Linux kernel 2.6.15.6 and ipsec-tools 0.6.6.
 
First, here is part of my racoon.conf:
--racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
 
log notify;
 
listen {
        isakmp A.B.C.D [500];
        isakmp_natt A.B.C.D [4500];
        adminsock "/var/racoon/racoon.sock" "root" "root" 0600 ;
}
padding {
  maximum_length 20;
  randomize off;
  strict_check off;
  exclusive_tail off;
}
 
timer {
  counter 5;
  interval 10 sec;
  persend 1;
  phase1 30 sec;
  phase2 30 sec;
}
remote E.F.G.H {
  exchange_mode main;
  doi ipsec_doi;
  ike_frag on;
  situation identity_only;
  proposal_check strict;
  peers_identifier address E.F.G.H;
  my_identifier address A.B.C.D;
  verify_identifier on;
  lifetime time 28800 seconds;
  nat_traversal on;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp768;
  }
}
 
sainfo address 10.26.1.0/24 any address 10.26.3.0/24 any {
  pfs_group modp1024;
  lifetime time 28800 seconds;
  encryption_algorithm 3des;
  authentication_algorithm hmac_sha1;
  compression_algorithm deflate;
}
remote I.J.K.L {
  exchange_mode main;
  doi ipsec_doi;
  ike_frag on;
  situation identity_only;
  proposal_check strict;
  peers_identifier address I.J.K.L;
  my_identifier address A.B.C.D;
  verify_identifier on;
  lifetime time 28800 seconds;
  nat_traversal on;
  dpd_delay 30;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    dh_group modp1024;
  }
}
 
sainfo address 10.26.1.0/24 any address 10.26.2.0/24 any {
  pfs_group modp1024;
  lifetime time 28800 seconds;
  encryption_algorithm 3des;
  authentication_algorithm hmac_md5;
  compression_algorithm deflate;
}
# .... and so on...
--end of racoon.conf
 
I also have an ipsec.conf file that builds the Security Policy Database:
 
-- ipsec.conf
#!/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
 
# Create policies for racoon
 
spdadd 10.26.1.0/24 10.26.3.0/24 any -P out ipsec
           esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.26.3.0/24 10.26.1.0/24 any -P in ipsec
           esp/tunnel/E.F.G.H-A.B.C.D/unique;
 
spdadd 10.26.1.0/24 10.26.2.0/24 any -P out ipsec
           esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.26.2.0/24 10.26.1.0/24 any -P in ipsec
           esp/tunnel/I.J.K.L-A.B.C.D/unique;
# and so on ...
-- end of ipsec.conf

With racoonctl, I intend to delete the IPsec SA (this should bring the IPsec tunnel down):
 
[root@phoenix ~]#racoonctl delete-sa esp inet 10.26.1.0/24/any 10.26.2.0/24/any any
 
And here is what racoon says in the logs:
ERROR: phase 1 for 10.26.1.0 -> 10.26.2.0 not found
 
Where is my error? I read in the racoonctl man page:
 
     delete-sa saopts
             Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
 
             saopts has the following format:
 
             isakmp {inet|inet6} src dst
 
             {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port
               {icmp|tcp|udp|any}
 
If racoonctl is buggy... is there another way to drop only one tunnel, and not all of them?
 
Thank you for your answers... I'm sure that I will get one, because ipsec-tools is used in commercial firewalls/VPN gateways like NetASQ, and they can drop a single tunnel.
 
 
Wilfried
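An added example (not from the original mail, nor from ipsec-tools): since the ipsec.conf above installs one pair of policies per satellite, a single tunnel can be torn down with setkey(8) alone, by deleting its two SPD entries and then the ESP SAs between its two gateways, leaving racoon and the other tunnels running. It reuses the mail's placeholder addresses (A.B.C.D, E.F.G.H, I.J.K.L) and only emits the setkey script; POSIX sh is assumed.

```shell
#!/bin/sh
# Added example, not part of the original mail: emit setkey(8) scripts that
# bring up or tear down the SPD/SAD state of ONE satellite tunnel, so a single
# tunnel can be removed without restarting racoon (and dropping the others).
# Addresses are the placeholders from the mail, not real hosts.

CENTRAL_NET="10.26.1.0/24"
CENTRAL_GW="A.B.C.D"

# tunnel_spd_add SATELLITE_NET SATELLITE_GW
# Prints the two spdadd lines (one per direction) for one satellite,
# mirroring the layout of the ipsec.conf quoted in the mail.
tunnel_spd_add() {
    sat_net=$1; sat_gw=$2
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$CENTRAL_NET" "$sat_net" "$CENTRAL_GW" "$sat_gw"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$sat_net" "$CENTRAL_NET" "$sat_gw" "$CENTRAL_GW"
}

# tunnel_teardown SATELLITE_NET SATELLITE_GW
# Prints a setkey script that removes exactly this tunnel: the two policies
# first (so traffic to that satellite no longer triggers an acquire that
# racoon would answer with a fresh negotiation), then every ESP SA between
# the two gateways, in both directions. Other SPD/SAD entries are untouched.
tunnel_teardown() {
    sat_net=$1; sat_gw=$2
    printf 'spddelete %s %s any -P out;\n' "$CENTRAL_NET" "$sat_net"
    printf 'spddelete %s %s any -P in;\n'  "$sat_net" "$CENTRAL_NET"
    printf 'deleteall %s %s esp;\n' "$CENTRAL_GW" "$sat_gw"
    printf 'deleteall %s %s esp;\n' "$sat_gw" "$CENTRAL_GW"
}

# Usage (as root, on the central gateway), e.g. to drop only the I.J.K.L tunnel:
#   tunnel_teardown 10.26.2.0/24 I.J.K.L | setkey -c
# and later to re-install its policies so racoon negotiates it again on demand:
#   tunnel_spd_add 10.26.2.0/24 I.J.K.L | setkey -c
```

Re-adding the policies is enough for racoon to renegotiate that tunnel the next time matching traffic appears, so no restart is needed in either direction.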
 



_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel