I'm not sure if my problem is user/configuration related or if there is a problem with isakmpd... I'd like to only initiate connections using the isakmpd.fifo as needed. When finished with the connection I was planning on tearing it down using the fifo too.
When I tear down the phase 2 connection, phase 1 remains. Nothing I do seems to be able to tear down the phase 1 connection. The remote side tears down its phase 1 connection when the phase 2 one is gone (remote is a SonicWall in this case). When I attempt to reconnect to the remote site, isakmpd uses the old phase 1 and can't connect. I think this is a problem with isakmpd. Below are the commands I'm issuing and the isakmpd.result info after each step. Also the -DA=90 output for this sequence is available here:
http://intricatesoftware.com:81/OpenBSD/misc/isakmpd.log

$ sudo ksh -c "echo c IPsec-Site1 >> /var/run/isakmpd.fifo"
$ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
$ more /var/run/isakmpd.result
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
Soft timeout in 26429 seconds
Hard timeout in 28791 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661

SA name: IPsec-Site1 (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 1200 seconds
Soft timeout in 1056 seconds
Hard timeout in 1191 seconds
SPI 0: f3d26409
SPI 1: bda5bb6e
Transform: IPsec ESP
Encryption key length: 8
Authentication key length: 16
Encryption algorithm: DES
Authentication algorithm: HMAC-MD5

Everything is working OK at this point. Now tear down IPsec-Site1 and check if phase 1 is still there.

$ sudo ksh -c "echo t IPsec-Site1 >> /var/run/isakmpd.fifo"
$ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
$ more /var/run/isakmpd.result
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
Soft timeout in 26385 seconds
Hard timeout in 28747 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661

I can't get rid of this entry using 't ISAKMP-Site1' or 'd af2b308c6583a724 -' or 'd 32ea88cc20420661 -' or even 'T'.
Attempting to reconnect fails and looks like this:

$ sudo ksh -c "echo c IPsec-Site1 >> /var/run/isakmpd.fifo"
$ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
$ more /var/run/isakmpd.result
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
Soft timeout in 26282 seconds
Hard timeout in 28644 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661

SA name: <unnamed> (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
SPI 0 not defined.
SPI 1: bd55249b
Transform: IPsec ESP
Encryption key length: 0
Authentication key length: 0
Encryption algorithm: unknown (0)
Authentication algorithm: none

Note the Phase 2 garbage. I have to shut down isakmpd to clean this up.

Here's my isakmpd.conf:

[General]
Default-phase-1-lifetime=	28800,60:86400

[Phase 1]
x.x.x.x=	ISAKMP-Site1

[Phase 2]
Passive-connections=	IPsec-Site1

# Phase 1
#######################
[ISAKMP-Site1]
Phase=		1
Address=	x.x.x.x
Configuration=	SonicWall-main-mode
Default=	IPsec-Site1
Authentication=	not
ID=		SonicWall-Phase1-ID

# Phase 2 sections
##################
[IPsec-Site1]
Phase=		2
ISAKMP-peer=	ISAKMP-Site1
Configuration=	SonicWall-quick-mode
Local-ID=	Default-Phase2-Local-ID
Remote-ID=	Site1-Phase2-Remote-ID

# Client ID sections
####################
[SonicWall-Phase1-ID]
ID-type=	USER_FQDN
Name=		GroupVPN

[Default-Phase2-Local-ID]
ID-type=	IPV4_ADDR
Address=	default

[Site1-Phase2-Remote-ID]
ID-type=	IPV4_ADDR_SUBNET
Network=	172.31.5.0
Netmask=	255.255.255.0

# Transform descriptions
########################
[SonicWall-main-mode]
DOI=		IPSEC
EXCHANGE_TYPE=	ID_PROT
Transforms=	3DES-MD5

[SonicWall-quick-mode]
DOI=		IPSEC
EXCHANGE_TYPE=	QUICK_MODE
Suites=		QM-ESP-DES-MD5-SUITE
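The check a practitioner would want after the "t ... / S" sequence above is a mechanical one: read the isakmpd.result dump back and confirm that no phase 1 SA and no unnamed or SPI-less phase 2 SA is left before issuing "c" again. The script below is an added example, not code from the poster or from isakmpd. It assumes only the isakmpd.result text layout shown in the post (one "SA name: NAME (Phase N...)" header per SA followed by that SA's fields); the two sample dumps are constructed from the post's output, the fifo and result paths are the defaults from the post, and the one-second wait in teardown_check is an assumption since isakmpd writes the result file asynchronously.

```sh
#!/bin/sh
# Added example, not from the original post: inspect an isakmpd.result dump
# for SAs left behind after tearing a connection down over isakmpd.fifo.
# Assumes the isakmpd.result text layout shown in the post.

# Constructed samples modelled on the dumps in the post (x.x.x.x kept as-is).
SAMPLE_OK='SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
Lifetime: 28800 seconds
icookie af2b308c6583a724 rcookie 32ea88cc20420661
SA name: IPsec-Site1 (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
SPI 0: f3d26409
SPI 1: bda5bb6e
Transform: IPsec ESP'

SAMPLE_STALE='SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
icookie af2b308c6583a724 rcookie 32ea88cc20420661
SA name: <unnamed> (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
SPI 0 not defined.
SPI 1: bd55249b
Transform: IPsec ESP
Encryption algorithm: unknown (0)'

# list_sas: read a dump on stdin, print "NAME PHASE" for every SA header.
list_sas() {
  awk '/^SA name:/ { print $3, (($0 ~ /\(Phase 1/) ? 1 : 2) }'
}

# count_phase1: number of phase 1 (ISAKMP) SAs in the dump on stdin.
count_phase1() {
  awk '/^SA name:/ && /\(Phase 1/ { n++ } END { print n + 0 }'
}

# stale_sas: print the name of each SA that is unnamed or has an undefined
# SPI 0 (the "Phase 2 garbage" from the post); exit status 1 if none found.
stale_sas() {
  awk '
    /^SA name:/ { name = $3 }
    /^SA name: <unnamed>/ || /^SPI 0 not defined/ { bad[name] = 1 }
    END { for (n in bad) { print n; found = 1 }; exit (found ? 0 : 1) }
  '
}

# teardown_check NAME [FIFO] [RESULT]: send "t NAME" then "S" to the fifo,
# wait for isakmpd to rewrite the result file, and report what is left.
# Must run as root (the post uses sudo for this). The sleep is an assumption:
# the result file is written asynchronously after "S" is read from the fifo.
teardown_check() {
  name=$1
  fifo=${2:-/var/run/isakmpd.fifo}
  result=${3:-/var/run/isakmpd.result}
  printf 't %s\n' "$name" >> "$fifo"
  printf 'S\n' >> "$fifo"
  sleep 1
  printf 'phase 1 SAs left: %s\n' "$(count_phase1 < "$result")"
  if stale_sas < "$result"; then
    echo "stale SAs present; restart isakmpd before reconnecting" >&2
    return 1
  fi
  return 0
}
```

Run the parsing functions against a saved copy of isakmpd.result (for example `count_phase1 < /var/run/isakmpd.result`) to see whether the ISAKMP SA really survived the "t", and use teardown_check as a root-run wrapper around the "t"/"S" sequence so the stale-SA condition is caught before the next "c" reuses the old phase 1.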