[Ipsec-tools-devel] Re: deletion of automatically generated policies and ISAKMP mode config

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Fri, 10 Sep 2004, Emmanuel Dreyfus wrote:

> On Fri, Sep 10, 2004 at 03:18:30PM +0900, Shoichi Sakane wrote:
> > i made the patch for the current racoon in the repository
> > to support the features.  i attached it to this mail.
>
> I discovered a small problem when testing with multiple users:
>
> racoon allocates internal IP addresses that are configured on the
> client through ISAKMP mode config. In racoon.conf, I have
> generate_policy set to on so that the policy gets created according to
> the allocated IP.
>
> Problem: that policy is not deleted when the client disconnects. When
> another client will connect from another external IP and will get the
> same internal IP, phase 2 will break because the older policy is still
> around.

In other words the policy is not deleted after the client properly shuts
down the connection?

> Is there a config trick to have the automatically generated policies
> deleted on SA deletion, or should I take care of it on my own in ISAKMP
> mode config code?

It should probably be solved in the generic SA deletion code. Would you
mind fixing it there?

Michal Ludvig
-- 
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal