Re: [Ipsec-tools-devel] How to drop tunnels without killing everybody ?
From: Krzysztof O. <ol...@an...> - 2006-11-24 19:21:01
On Fri, 24 Nov 2006, Wilfried BARNAVON wrote:

> So nobody can help me ?
>
> Wilfried
> ----- Original Message -----
> From: Wilfried BARNAVON
> To: ips...@li...
> Sent: Wednesday, November 22, 2006 9:21 PM
> Subject: [Ipsec-tools-devel] How to drop tunnels without killing everybody ?
>
>
> Hello all !
>
> I have built many tunnels from satellite sites to one central site.
>
> My central site has 10.26.1.0/24 as network address. Each satellite site has 10.26.x.0/24 as network address.
> My tunnels are up and all is OK but sometimes I need to drop only one tunnel. Today I can't do that: I have to kill racoon in order to drop one tunnel. This makes all tunnels down .... which is not really what I want and is also very tedious !
>
> I had planned racoonctl usage. But it seems broken. I use Linux kernel 2.6.15.6 and ipsec-tools-0.6.6
<CUT>
> [root@phoenix ~]# racoonctl delete-sa esp inet 10.26.1.0/24/any 10.26.2.0/24/any any
>
> And here is what racoon says in the logs:
> ERROR: phase 1 for 10.26.1.0 -> 10.26.2.0 not found
>
> Where is my error ? I read in racoonctl man page:
>
>     delete-sa saopts
>         Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
>
>         saopts has the following format:
>
>         isakmp {inet|inet6} src dst
>
>         {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|any}
>
>
> If racoonctl is buggy .... is there another way to drop one tunnel but all ?

How about:

racoonctl vpn-disconnect A.B.C.D

Best regards,

                                Krzysztof Olędzki
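An added example, not from either poster and not part of ipsec-tools: a small POSIX sh wrapper that checks a delete-sa "saopts" argument against the format quoted from the racoonctl(8) man page above before invoking racoonctl, and deletes the ESP SA in both directions (IPsec SAs are unidirectional, so one tunnel is a pair). The function names and the RACOONCTL override variable are my own; it does not explain the "phase 1 ... not found" error seen in the thread, it only rules out malformed arguments as the cause.

```shell
#!/bin/sh
# Added example (not from the thread): validate racoonctl delete-sa arguments
# locally, then delete the ESP SA for each direction of a tunnel.
# Assumes the delete-sa syntax quoted from racoonctl(8) in the thread.

RACOONCTL="${RACOONCTL:-racoonctl}"   # set RACOONCTL=echo for a dry run

# valid_endpoint ADDR/PREFIXLEN/PORT -> 0 if well formed for "inet", else 1
valid_endpoint() {
    ep=$1
    addr=${ep%%/*}; rest=${ep#*/}
    plen=${rest%%/*}; port=${rest#*/}
    # both slashes must be present: addr, prefixlen and port are all required
    [ "$addr" != "$ep" ] && [ "$plen" != "$rest" ] || return 1
    # dotted quad with each octet in 0..255
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    for o in $addr; do [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }; done
    IFS=$oldifs
    case $plen in ''|*[!0-9]*) return 1;; esac
    [ "$plen" -le 32 ] || return 1
    case $port in
        any) ;;
        ''|*[!0-9]*) return 1;;
        *) [ "$port" -le 65535 ] || return 1;;
    esac
    return 0
}

# delete_esp_sa SRC DST [UL_PROTO]: delete one ESP SA (one direction only)
delete_esp_sa() {
    ul=${3:-any}
    valid_endpoint "$1" || { echo "bad src endpoint: $1" >&2; return 2; }
    valid_endpoint "$2" || { echo "bad dst endpoint: $2" >&2; return 2; }
    case $ul in icmp|tcp|udp|any) ;; *) echo "bad protocol: $ul" >&2; return 2;; esac
    "$RACOONCTL" delete-sa esp inet "$1" "$2" "$ul"
}

# drop_tunnel SRC DST: an IPsec tunnel is a pair of SAs, so delete both directions
drop_tunnel() {
    delete_esp_sa "$1" "$2" && delete_esp_sa "$2" "$1"
}
```

With the thread's addresses, `drop_tunnel 10.26.1.0/24/any 10.26.2.0/24/any` issues the central-to-satellite and satellite-to-central delete-sa commands for the 10.26.2.0/24 site only.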