Remark below...


On 14.05.18 at 13:38, Andre Ruppert wrote:
Hello @misc,

I use a CARPed pair of 6.2 gateways as vpn access nodes, running "plain" ISAKMPD/ipsec.

The peering VPN gateways are of different brands, from OpenBSD and Linux to Cisco and WatchGuard appliances etc...

Interoperability mostly works like a charm and is a no-brainer in most cases.

I only have access to the OpenBSD peering gateways; most of the other brands belong to partners / customers.

Sometimes I initially have problems with some of these peering boxes and only partial tunnels come up (only phase 1 or, worse, only part of phase 1).

Then I check the logs and, if I got wrong credentials or parameters from the peering partner, I change the configs on my side. That mostly takes much less time than discussing it with the technicians of the peering partners; their problems have to be solved by them by clicking somewhere in a web interface *sigh*.

Ok, back to _my_ problem:

If an ipsec tunnel is running with phase 1 and 2, I can stop it with
"ipsecctl -d -f <configfile>". Works.

If the ipsec tunnel is only partially working, I can delete it by using the fifo mechanism. Sometimes.

(
I got the tips from this 2013 undeadly.org article:
Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
https://undeadly.org/cgi?action=article&sid=20131125041429
)

But I always have problems if only a part of phase 1 came up.

1.) sh -c "echo S > /var/run/isakmpd.fifo"

2.) less /var/run/isakmpd.result
...
SA name: <unnamed> (Phase 1/Responder)
src: <my_gateway_ip> dst: <peering_gateway_ip>
Flags 0x00000000
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
...


Feeding the fifo with
sh -c "echo 't <SA-name-of-connection>' > /var/run/isakmpd.fifo"
only deletes phase 2.

But I didn't have an SA name at this time... ??

Question to the community: how is it possible to reliably stop partial tunnels without restarting isakmpd/ipsec (e.g. disturbing all other running tunnels)?

I'm clueless....

Best regards
Andre


...and
sh -c "echo 't main <peering-gateway-ip>' > /var/run/isakmpd.fifo"
doesn't work either ...

/var/log/daemon reports "...ui_teardown: teardown connection "<peering-gateway-ip>", phase 1"
but that doesn't do anything.

man isakmpd reads, for the fifo usage:
"t [phase] name"
    Tear down the named connection, if active. For name, the tag
    specified in isakmpd.conf(5) or the IP address of the remote host
    can be used.
    ....


Hm.
Again clueless...

Best regards
Andre
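Added example, not from the mail and not part of OpenBSD: a small sh helper that parses the "S" report that isakmpd writes to /var/run/isakmpd.result, lists every SA it holds for one peer address (including the unnamed phase 1 SAs with their cookies), and prints the "t [phase] name" fifo line that isakmpd(8) documents for each. The report sample is constructed from the excerpt quoted above (fake documentation IPs and cookies); the helper only prints the teardown line, and for a half-finished phase 1 that line is exactly the one reported above as having no effect.

```sh
#!/bin/sh
# Constructed sample in the shape of the isakmpd "S" report quoted in the mail:
# one SA per "SA name:" / "src: ... dst: ..." / "Flags" / "icookie ... rcookie ..." group.
SAMPLE_REPORT='SA name: <unnamed> (Phase 1/Responder)
src: 192.0.2.1 dst: 198.51.100.7
Flags 0x00000000
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
SA name: peer-b (Phase 1/Initiator)
src: 192.0.2.1 dst: 203.0.113.9
Flags 0x00000000
icookie 0123456789abcdef rcookie fedcba9876543210
SA name: from-gw-to-peer-b (Phase 2/Initiator)
src: 192.0.2.1 dst: 203.0.113.9
Flags 0x00000000
icookie 0123456789abcdef rcookie fedcba9876543210'

# sa_for_peer REPORT PEER_IP
# Prints one line per SA whose dst is PEER_IP: "<phase>|<name>|<icookie>|<rcookie>".
# Unnamed phase 1 SAs show up as "<unnamed>", which is why the cookies are kept.
sa_for_peer() {
    printf '%s\n' "$1" | awk -v peer="$2" '
        /^SA name: / { name = $3; phase = $0
                       sub(/.*\(Phase /, "", phase); sub(/\/.*/, "", phase); next }
        /^src: /     { dst = $4; next }
        /^icookie /  { if (dst == peer) printf "%s|%s|%s|%s\n", phase, name, $2, $4 }'
}

# teardown_cmd PHASE NAME PEER_IP
# Prints (does not run) the fifo command from isakmpd(8): "t [phase] name".
# Phase 1 is addressed by the remote IP (or isakmpd.conf tag), phase 2 by SA name.
teardown_cmd() {
    case "$1" in
        1) printf "echo 't main %s' > /var/run/isakmpd.fifo\n" "$3" ;;
        2) printf "echo 't %s' > /var/run/isakmpd.fifo\n" "$2" ;;
        *) return 1 ;;
    esac
}

# Demo: every SA held for one peer, followed by the documented teardown line.
sa_for_peer "$SAMPLE_REPORT" 203.0.113.9 | while IFS='|' read -r phase name ic rc; do
    echo "phase $phase SA '$name' icookie=$ic rcookie=$rc"
    teardown_cmd "$phase" "$name" 203.0.113.9
done
```

On a live gateway, replace SAMPLE_REPORT with the contents of /var/run/isakmpd.result after writing "S" to the fifo, as in the steps above.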
