From: Doug O. <Dou...@ra...> - 2007-11-28 23:01:36
I am developing on Linux 2.6.17 with ipsec-tools 0.6.6 for an embedded product. It is important that this product be self-maintaining in real time and not require human intervention. When an IPsec SA has been established, and the remote end reboots, I find the SA cannot be re-established.

It is a requirement that the lifetimes be zero (I know, not secure, but it is a requirement for now), so there is no attempt on the side which did not reboot to re-establish the SAs, as it thinks they are just fine. I am using PSK ESP.

I have a daemon which can detect that communication with the remote party is no longer possible (due to the remote rebooting) and take some sort of action (like purging the ISAKMP and IPsec SAs for that remote party). I thought the perfect tool for this would be to invoke "racoonctl vpn-disconnect <addr>". However, when I do this, only the ISAKMP SA gets deleted; the IPsec SAs persist (and keep getting used, preventing re-negotiation). Likewise, "racoonctl delete-sa" will only affect the ISAKMP SAs. I looked over the code and this is certainly the case.

I take it that a solution like the one described here did not happen:
http://article.gmane.org/gmane.network.ipsec.tools.devel/426

Does anyone have a good suggestion on how I can achieve what I want?

Doug
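As an added example, not part of Doug's post or of ipsec-tools itself: the gap described above is that racoonctl removes the phase 1 (ISAKMP) SA but leaves the kernel's phase 2 (ESP) SAs in the SAD, so the stale SAs keep matching and no new negotiation starts. The kernel SAD can be purged directly with setkey. The helper below parses a `setkey -D` dump, picks out every SA in which the given peer is source or destination, and emits the matching `delete src dst proto spi;` commands that `setkey -c` accepts on stdin. The function names `sad_delete_cmds` and `sample_dump` are hypothetical, the dump is constructed to mimic the classic setkey layout (an unindented "SRC DST" header line followed by tab-indented detail lines, the first being "PROTO mode=... spi=DEC(0xHEX) reqid=..."), and it is assumed that headers carry bare addresses (NAT-T "addr[port]" headers are not handled):

```shell
#!/bin/sh
# Added example, not from the thread or from ipsec-tools: purge the kernel
# IPsec SAs for one peer based on a `setkey -D` dump.
#
# Assumptions (hypothetical): two-level setkey -D layout, header line
# "SRC DST" not indented, detail lines indented with a tab, first detail
# line "PROTO mode=... spi=DEC(0xHEX) reqid=...". Bare addresses only.

# sad_delete_cmds PEER  < setkey-D-output
# Prints one "delete SRC DST PROTO 0xSPI;" line per SA touching PEER.
sad_delete_cmds() {
    awk -v peer="$1" '
        # Header line: not indented, at least two fields (source, destination).
        substr($0, 1, 1) != "\t" && substr($0, 1, 1) != " " && NF >= 2 {
            src = $1; dst = $2; next
        }
        # First detail line of an SA: protocol in $1, "spi=DEC(0xHEX)" in $3.
        ($1 == "esp" || $1 == "ah" || $1 == "ipcomp") && $2 ~ /^mode=/ {
            if (src == peer || dst == peer) {
                spi = $3                        # spi=12345678(0x00bc614e)
                sub(/^spi=[0-9]+\(/, "", spi)   # -> 0x00bc614e)
                sub(/\)$/, "", spi)             # -> 0x00bc614e
                printf "delete %s %s %s %s;\n", src, dst, $1, spi
            }
        }'
}

# Constructed sample dump in the shape of `setkey -D` output: two ESP SAs
# (one per direction) with peer 10.0.0.2 and one with an unrelated peer
# 10.0.0.3. Counters and dates are made up.
sample_dump() {
    printf '%s\n' '10.0.0.1 10.0.0.2'
    printf '\t%s\n' \
        'esp mode=tunnel spi=12345678(0x00bc614e) reqid=0(0x00000000)' \
        'seq=0x00000000 replay=4 flags=0x00000000 state=mature' \
        'created: Nov 28 22:00:00 2007	current: Nov 28 22:05:00 2007' \
        'diff: 300(s)	hard: 0(s)	soft: 0(s)' \
        'sadb_seq=1 pid=1234 refcnt=0'
    printf '%s\n' '10.0.0.2 10.0.0.1'
    printf '\t%s\n' \
        'esp mode=tunnel spi=123456(0x0001e240) reqid=0(0x00000000)' \
        'seq=0x00000000 replay=4 flags=0x00000000 state=mature' \
        'sadb_seq=0 pid=1234 refcnt=0'
    printf '%s\n' '10.0.0.1 10.0.0.3'
    printf '\t%s\n' \
        'esp mode=tunnel spi=65537(0x00010001) reqid=0(0x00000000)' \
        'seq=0x00000000 replay=4 flags=0x00000000 state=mature' \
        'sadb_seq=2 pid=1234 refcnt=0'
}

# Offline demonstration on the constructed dump.
sample_dump | sad_delete_cmds 10.0.0.2

# On the device itself (root, real tools; not run here), the purge for a
# peer that has gone away would be, in this order:
#   racoonctl vpn-disconnect "$peer"                 # phase 1, as in the post
#   setkey -D | sad_delete_cmds "$peer" | setkey -c  # phase 2, kernel SAD
```

The SPD is left untouched, so the next packet matching the policy makes the kernel raise an ACQUIRE and racoon starts a fresh negotiation with the rebooted peer. Inbound SAs are matched on the peer being the source, outbound on it being the destination, which is why both directions appear in the output above.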