On 12/11/15 12:11 PM, Daniel Ouellet wrote:
> One question. Is the only way to re-key the iked process when it
> reaches its 3 hours usage and/or the 500 Mb data exchange to restart a
> new process?
>
> Isn't it possible to kill the old one, which is not used anymore, and
> stop having some routing problems that may be caused by it?
>
> I collect a HUGE amount of old processes that appear to finally get cleaned
> up after a while, but I wonder if it actually needs to have a process
> restart instead of just the key change on that same process, or if it
> needs to be a new process, and then make sure the old one is killed?
Here is a small example of multiple processes as a result of pushing data in a
short amount of time; sooner or later, communication will die and the only way
to get it going again is to do:

# /etc/rc.d/iked stop
iked(ok)
# /etc/rc.d/iked start
iked(ok)

The attempt to switch to NAT-T may be the cause. I got it to NOT see it anymore
in the logs by blocking in pf any attempt to send a NAT-T request.

Anyway, here is a small sample of ghost iked processes that will eventually get
cleaned up in a few hours, possibly, as long as it doesn't stop working before
that and require a hard reset.

# ipsecctl -sa
FLOWS:
flow esp in from 66.63.5.250 to 108.56.142.37 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 108.56.142.37 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp in from 0.0.0.0/0 to 66.63.50.16/28 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 66.63.50.16/28 to 0.0.0.0/0 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x02906639 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x10698233 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x18206a04 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x1a9ee935 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x2837aa87 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x3342c878 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x34af43b9 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x4b4ae41a auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x85374b48 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x85878a30 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x8dece24b auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x9cd96410 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xa89c1906 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xbd5f2a88 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xc396219c auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xc5992599 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xccfd0be9 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xd2d1f032 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xee1fc9bc auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xf9e400a7 auth hmac-sha2-256 enc aes-256
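As an added example, not part of the original mail, here is a small POSIX shell check that parses `ipsecctl -sa` output and counts ESP SAs per direction, so a pile-up like the one above shows up as a number instead of a wall of SPIs. The listing embedded in the script is the SAD section posted above; the function names (`count_sas`, `check_sa_limit`) and the threshold are my own choices.

```shell
#!/bin/sh
# Added example: count tunnel SAs per (src, dst) pair in `ipsecctl -sa`
# output and flag directions that hold more SAs than a given limit.

# SAD listing copied from the posted `ipsecctl -sa` output (FLOWS section
# shortened). A live check would pipe `ipsecctl -sa` in instead.
SAD_LISTING='FLOWS:
flow esp in from 66.63.5.250 to 108.56.142.37 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type use
flow esp out from 108.56.142.37 to 66.63.5.250 peer 66.63.5.250 srcid FQDN/gateway.ouellet.us dstid FQDN/tunnel.realconnect.com type require
flow esp out from ::/0 to ::/0 type deny
SAD:
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x02906639 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x10698233 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x18206a04 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x1a9ee935 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x2837aa87 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x3342c878 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x34af43b9 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0x4b4ae41a auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x85374b48 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x85878a30 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x8dece24b auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0x9cd96410 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xa89c1906 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xbd5f2a88 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xc396219c auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xc5992599 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xccfd0be9 auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xd2d1f032 auth hmac-sha2-256 enc aes-256
esp tunnel from 108.56.142.37 to 66.63.5.250 spi 0xee1fc9bc auth hmac-sha2-256 enc aes-256
esp tunnel from 66.63.5.250 to 108.56.142.37 spi 0xf9e400a7 auth hmac-sha2-256 enc aes-256'

# count_sas: read `ipsecctl -sa` output on stdin and print one line per
# (src, dst) pair found in the SAD section: "src dst count".
# FLOWS lines are skipped; only "<proto> tunnel from A to B ..." lines count.
count_sas() {
    awk '
        /^SAD:/   { insad = 1; next }
        !insad    { next }
        $2 == "tunnel" && $3 == "from" && $5 == "to" { n[$4 " " $6]++ }
        END       { for (k in n) print k, n[k] }
    ' | sort
}

# check_sa_limit LIMIT: read count_sas output on stdin; exit 0 if every
# direction has at most LIMIT SAs, exit 1 if any direction exceeds it.
check_sa_limit() {
    awk -v limit="$1" '
        $3 > limit { bad = 1 }
        END        { if (bad) exit 1; exit 0 }
    '
}

# Stand-alone run over the embedded listing (hypothetical limit of 2,
# i.e. at most one old and one new SA per direction during a rekey).
printf '%s\n' "$SAD_LISTING" | count_sas
if printf '%s\n' "$SAD_LISTING" | count_sas | check_sa_limit 2; then
    echo "SA count within limit"
else
    echo "WARNING: stale SAs accumulating, consider restarting iked"
fi
```

To use it live, pipe `ipsecctl -sa` into `count_sas` instead of the embedded listing. During a normal IKEv2 child-SA rekey the replacement SA is installed before the old one is deleted, so two SAs per direction coexisting for a short time is expected; a count that keeps climbing, as in the posted listing (10 per direction), is the thing to alert on.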

