[Ipsec-tools-devel] Deleting Phase 2 SA's

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I am developing on Linux 2.6.17 with ipsec-tools 0.6.6 for an embedded
product.  It is important that this product be self-maintaining in
real-time and not require human intervention.  When an IPSec SA has been
established, and the remote end reboots, I find the SA cannot be
re-established.

=20

It is a requirement that the lifetimes be zero (I know, not secure, but
it is a requirement for now) so there is no attempt on the side which
did not reboot to re-establish the SA's as it thinks they are just fine.
I am using PSK ESP.

=20

I have a daemon which can detect that communication with the remote
party is no longer possible (due it the remote rebooting) and take some
sort of action (like purging the isakmp and ipsec SA's for that remote
party).  I thought the perfect tool for this would be to invoke
"racoonctl vpn-disconnect <addr>".  However, when I do this, only the
isakmp SA gets deleted; the ipsec SA's persist (and keep getting used
preventing re-negotiation).  Likewise, "racoonctl delete-sa" will only
affect the isakmp SA's.  I looked over the code and this is certainly
the case.

=20

I take it that a solution like the one described here did not happen:
http://article.gmane.org/gmane.network.ipsec.tools.devel/426

=20

Does anyone have a good suggestion on how I can achieve what I want?

=20

Doug