From: VANHULLEBUS Y. <va...@fr...> - 2006-11-25 22:11:27
On Wed, Nov 22, 2006 at 09:21:13PM +0100, Wilfried BARNAVON wrote:
> Hello all !

Hi.

> I have built many tunnels from satellite sites to one central site.
>
> My central site has 10.26.1.0/24 as network address. Each satellite
> site has 10.26.x.0/24 as network address.
> My tunnels are up and all is OK but sometimes I need to drop only
> one tunnel. Today I can't do that: I have to kill racoon in order
> to drop one tunnel. This brings all tunnels down .... which is not
> really what I want and is also very tedious !

What do you mean exactly by "drop" ? Just removing SAs, or completely
disabling the tunnel ?

In the first case, you can just try to delete the SAs directly by using
setkey, but that won't send DELETE-SAs to the peer.

In the second case, you can use the config reload function, but you'll
need to use the HEAD version to have it, or wait for the 0.7 branch.

[.....]

> With racoonctl, I intend to drop IPSEC-SA (this should set down the
> IPSEC tunnel):

[...]

Can't help you for that, I don't use racoonctl....

> Thank you for your answers... I'm sure that I will get one, because
> ipsec-tools are used in commercial firewall/vpngateway like NetASQ,
> and they can drop only one tunnel.

Are you talking about the conf reload mode, or about the "purge SAs" in
the monitor ?

I reported the first one to HEAD (so it will be included in 0.7.x), but
the second uses a custom PFKey message, which is not (yet ?) public (as I
didn't expect other people would need it), which is mainly a kernel patch.

Yvan.

-- 
NETASQ
http://www.netasq.com
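The first option Yvan describes (remove one tunnel's SAs with setkey, leaving racoon and the other tunnels alone) as an added worked example; this is not code from the thread or from ipsec-tools. It parses the `setkey -D` dump, picks out the ESP/AH SAs between two gateway addresses, and emits one `delete src dst proto spi;` line per SA for `setkey -c`. The gateway addresses (192.0.2.1, 198.51.100.7, 203.0.113.9) and the dump below are constructed for the example; the thread only gives the inner networks, not the gateways.

```shell
#!/bin/sh
# Added example (not from the thread or ipsec-tools): drop the SAs of a
# single tunnel by feeding exact "delete" commands to setkey.
# Only the SAD is touched; SPD entries stay, so racoon will renegotiate
# the tunnel on the next matching packet. As noted in the reply, the peer
# is NOT sent a DELETE-SA and keeps its own SAs until they expire.

# gen_delete_cmds DUMP GW_A GW_B
#   DUMP is the text of `setkey -D`. Prints one "delete ... ;" line for
#   every ESP/AH SA between GW_A and GW_B, in either direction.
gen_delete_cmds() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        # Unindented line "src dst" opens an SA entry: remember the pair.
        /^[^ \t]/ { src = $1; dst = $2; next }
        # Indented "esp mode=tunnel spi=N(0xN) ..." line carries the SPI.
        /^[ \t]+(esp|ah) / {
            if ((src == a && dst == b) || (src == b && dst == a)) {
                for (i = 1; i <= NF; i++)
                    if ($i ~ /^spi=/) {
                        spi = $i
                        sub(/^spi=/, "", spi)      # strip "spi="
                        sub(/\(.*$/, "", spi)      # keep the decimal, drop "(0x..)"
                        printf "delete %s %s %s %s;\n", src, dst, $1, spi
                    }
            }
        }'
}

# drop_tunnel GW_A GW_B: apply the commands on a live system (root needed).
drop_tunnel() {
    gen_delete_cmds "$(setkey -D)" "$1" "$2" | setkey -c
}

# Constructed sample of `setkey -D` output: two SAs (one per direction) for
# the tunnel to 198.51.100.7 and one SA for a second tunnel to 203.0.113.9.
SAMPLE_DUMP='192.0.2.1 198.51.100.7
	esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
	E: aes-cbc  00000000 00000000 00000000 00000000
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
198.51.100.7 192.0.2.1
	esp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.1 203.0.113.9
	esp mode=tunnel spi=3735928559(0xdeadbeef) reqid=0(0x00000000)
	seq=0x00000000 replay=4 flags=0x00000000 state=mature'

# Stand-alone use: `sh drop-tunnel.sh --apply CENTRAL_GW SATELLITE_GW`.
# Without --apply, show what would be sent for the sample dump.
if [ "${1:-}" = "--apply" ]; then
    drop_tunnel "$2" "$3"
else
    gen_delete_cmds "$SAMPLE_DUMP" 192.0.2.1 198.51.100.7
fi
```

`setkey` also accepts `deleteall src dst esp;`, which removes the same SAs without the parsing step; generating explicit `delete` lines from the dump lets you review exactly which SPIs go before piping them into `setkey -c`, which matters when several tunnels terminate on the same central gateway.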