From: Wilfried B. <wba...@on...> - 2006-11-24 19:11:38
So nobody can help me?
Wilfried
----- Original Message -----
From: Wilfried BARNAVON
To: ips...@li...
Sent: Wednesday, November 22, 2006 9:21 PM
Subject: [Ipsec-tools-devel] How to drop tunnels without killing everybody?
Hello all!
I have built many tunnels from satellite sites to one central site.
My central site has 10.26.1.0/24 as network address. Each satellite site has 10.26.x.0/24 as network address.
My tunnels are up and all is OK, but sometimes I need to drop only one tunnel. Today I can't do that: I have to kill racoon in order to drop one tunnel. This takes all tunnels down, which is not really what I want and is also very tedious!
I had planned to use racoonctl, but it seems broken. I use Linux kernel 2.6.15.6 and ipsec-tools-0.6.6.
First, here is part of my racoon.conf:
--racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log notify;
listen {
    isakmp A.B.C.D [500];
    isakmp_natt A.B.C.D [4500];
    adminsock "/var/racoon/racoon.sock" "root" "root" 0600;
}
padding {
    maximum_length 20;
    randomize off;
    strict_check off;
    exclusive_tail off;
}
timer {
    counter 5;
    interval 10 sec;
    persend 1;
    phase1 30 sec;
    phase2 30 sec;
}
remote E.F.G.H {
    exchange_mode main;
    doi ipsec_doi;
    ike_frag on;
    situation identity_only;
    proposal_check strict;
    peers_identifier address E.F.G.H;
    my_identifier address A.B.C.D;
    verify_identifier on;
    lifetime time 28800 seconds;
    nat_traversal on;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp768;
    }
}
sainfo address 10.26.1.0/24 any address 10.26.3.0/24 any {
    pfs_group modp1024;
    lifetime time 28800 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
remote I.J.K.L {
    exchange_mode main;
    doi ipsec_doi;
    ike_frag on;
    situation identity_only;
    proposal_check strict;
    peers_identifier address I.J.K.L;
    my_identifier address A.B.C.D;
    verify_identifier on;
    lifetime time 28800 seconds;
    nat_traversal on;
    # racoon.conf(5) syntax is "dpd_delay <seconds>;" (no "=")
    dpd_delay 30;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}
sainfo address 10.26.1.0/24 any address 10.26.2.0/24 any {
    pfs_group modp1024;
    lifetime time 28800 seconds;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
# .... and so on...
--end of racoon.conf
I also have an ipsec.conf file that builds the Security Policy Database:
-- ipsec.conf
#!/sbin/setkey -f
#
# Flush SAD and SPD
flush;
spdflush;
# Create policies for racoon
spdadd 10.26.1.0/24 10.26.3.0/24 any -P out ipsec
    esp/tunnel/A.B.C.D-E.F.G.H/unique;
spdadd 10.26.3.0/24 10.26.1.0/24 any -P in ipsec
    esp/tunnel/E.F.G.H-A.B.C.D/unique;
spdadd 10.26.1.0/24 10.26.2.0/24 any -P out ipsec
    esp/tunnel/A.B.C.D-I.J.K.L/unique;
spdadd 10.26.2.0/24 10.26.1.0/24 any -P in ipsec
    esp/tunnel/I.J.K.L-A.B.C.D/unique;
# and so on ...
-- end of ipsec.conf
With racoonctl, I intend to drop the IPsec SA (this should bring the IPsec tunnel down):
[root@phoenix ~]# racoonctl delete-sa esp inet 10.26.1.0/24/any 10.26.2.0/24/any any
And here is what racoon says in the logs:
ERROR: phase 1 for 10.26.1.0 -> 10.26.2.0 not found
Where is my error? I read in the racoonctl man page:
delete-sa saopts
    Delete an SA, either an ISAKMP SA, IPsec ESP SA, or IPsec AH SA.
    saopts has the following format:
        isakmp {inet|inet6} src dst
        {esp|ah} {inet|inet6} src/prefixlen/port dst/prefixlen/port {icmp|tcp|udp|any}
If racoonctl is buggy, is there another way to drop one tunnel instead of all of them?
Thank you for your answers... I'm sure that I will get one, because ipsec-tools is used in commercial firewall/VPN gateways like NetASQ, and they can drop only one tunnel.
Wilfried
_______________________________________________
Ipsec-tools-devel mailing list
Ips...@li...
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
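One way to take down a single tunnel's kernel state with setkey(8) instead of killing racoon, as an added example for this thread (it is not the poster's script nor part of ipsec-tools). It assumes the documented setkey statements spddelete and deleteall, and reuses the placeholder gateways and subnets from the post (A.B.C.D etc. are not real addresses).

```shell
#!/bin/sh
# Added example: remove ONE tunnel's SPD entries and ESP SAs with setkey(8)
# instead of restarting racoon. Assumes setkey's spddelete/deleteall as
# documented in setkey(8); gateways/subnets are placeholders from the post.

HUB_GW="A.B.C.D"          # central site gateway
HUB_NET="10.26.1.0/24"    # central site network

# Constructed tunnel table: name|remote_gateway|remote_subnet
TUNNELS='site3|E.F.G.H|10.26.3.0/24
site2|I.J.K.L|10.26.2.0/24'

# Print "remote_gw remote_net" for a tunnel name; non-zero status if unknown.
tunnel_lookup() {
    printf '%s\n' "$TUNNELS" |
        awk -F'|' -v n="$1" '$1 == n { print $2, $3; f = 1 } END { exit !f }'
}

# Emit the two SPD entries for one tunnel, the same shape as ipsec.conf above.
# Applying only these (no flush/spdflush) leaves every other tunnel untouched.
tunnel_spdadd() {
    pair=$(tunnel_lookup "$1") || return 1
    set -- $pair    # $1 = remote gateway, $2 = remote subnet
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique;\n' \
        "$HUB_NET" "$2" "$HUB_GW" "$1"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique;\n' \
        "$2" "$HUB_NET" "$1" "$HUB_GW"
}

# Emit the statements that remove ONLY this tunnel: its two policies, then
# every ESP SA between the two gateways. Policies go first so that a packet
# matching the old policy cannot make racoon renegotiate the SA right away.
tunnel_teardown() {
    pair=$(tunnel_lookup "$1") || return 1
    set -- $pair    # $1 = remote gateway, $2 = remote subnet
    printf 'spddelete %s %s any -P out;\n' "$HUB_NET" "$2"
    printf 'spddelete %s %s any -P in;\n' "$2" "$HUB_NET"
    printf 'deleteall %s %s esp;\n' "$HUB_GW" "$1"
    printf 'deleteall %s %s esp;\n' "$1" "$HUB_GW"
}

# Usage: sh tunnel.sh up site2   /   sh tunnel.sh down site2
# The kernel is only touched when an action is given; sourcing is harmless.
case "${1:-}" in
    up)   tunnel_spdadd   "$2" | setkey -c ;;
    down) tunnel_teardown "$2" | setkey -c ;;
esac
```

This only clears the kernel SPD/SAD for that tunnel; racoon keeps running, its remote block stays loaded, and the phase 1 ISAKMP SA with that peer is not touched, so "up" re-adds the policies and the next matching packet makes racoon negotiate the tunnel again.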