Hi,

that's a limitation of isakmpd.  I have a patch for this, but as
adding support for phase 1 SA deletion using the fifo is not that
straightforward, it will not make the 3.8 release.  I'm sorry.

HJ.

On Thu, Sep 01, 2005 at 10:21:51AM -0400, Kurt Miller wrote:
> I'm not sure if my problem is user/configuration related or if there
> is a problem with isakmpd... I'd like to only initiate connections using
> the isakmpd.fifo as needed. When finished with the connection I was
> planning on tearing it down using the fifo too.
> 
> When I tear down the phase 2 connection, phase 1 remains. Nothing
> I do seems to be able to tear down the phase 1 connection. The
> remote side tears down its phase 1 connection when the phase
> 2 one is gone (remote is a SonicWall in this case). When I attempt
> to reconnect to the remote site, isakmpd uses the old phase 1 and
> can't connect.
> 
> I think this is a problem with isakmpd. Below are the commands I'm
> issuing and the isakmpd.result info after each step. Also the -DA=90
> output for this sequence is available here:
> 
> http://intricatesoftware.com:81/OpenBSD/misc/isakmpd.log
> 
> $ sudo ksh -c "echo c IPsec-Site1 >> /var/run/isakmpd.fifo"
> $ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
> $ more /var/run/isakmpd.result
> SA name: ISAKMP-Site1 (Phase 1/Initiator)
> src: 172.16.1.24 dst: x.x.x.x
> Lifetime: 28800 seconds
> Soft timeout in 26429 seconds
> Hard timeout in 28791 seconds
> icookie af2b308c6583a724 rcookie 32ea88cc20420661
> 
> SA name: IPsec-Site1 (Phase 2)
> src: 172.16.1.24 dst: x.x.x.x
> Lifetime: 1200 seconds
> Soft timeout in 1056 seconds
> Hard timeout in 1191 seconds
> SPI 0: f3d26409
> SPI 1: bda5bb6e
> Transform: IPsec ESP
> Encryption key length: 8
> Authentication key length: 16
> Encryption algorithm: DES
> Authentication algorithm: HMAC-MD5
> 
> Everything is working ok at this point. Now tear down IPsec-Site1
> and check if phase 1 is still there.
> 
> $ sudo ksh -c "echo t IPsec-Site1 >> /var/run/isakmpd.fifo"
> $ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
> $ more /var/run/isakmpd.result
> SA name: ISAKMP-Site1 (Phase 1/Initiator)
> src: 172.16.1.24 dst: x.x.x.x
> Lifetime: 28800 seconds
> Soft timeout in 26385 seconds
> Hard timeout in 28747 seconds
> icookie af2b308c6583a724 rcookie 32ea88cc20420661
> 
> I can't get rid of this entry using 't ISAKMP-Site1' or
> 'd af2b308c6583a724  -' or 'd 32ea88cc20420661 -' or
> even 'T'. Attempting to reconnect fails and looks like this:
> 
> $ sudo ksh -c "echo c IPsec-Site1 >> /var/run/isakmpd.fifo"
> $ sudo ksh -c "echo S >> /var/run/isakmpd.fifo"
> $ more /var/run/isakmpd.result
> SA name: ISAKMP-Site1 (Phase 1/Initiator)
> src: 172.16.1.24 dst: x.x.x.x
> Lifetime: 28800 seconds
> Soft timeout in 26282 seconds
> Hard timeout in 28644 seconds
> icookie af2b308c6583a724 rcookie 32ea88cc20420661
> 
> SA name: <unnamed> (Phase 2)
> src: 172.16.1.24 dst: x.x.x.x
> SPI 0 not defined.
> SPI 1: bd55249b
> Transform: IPsec ESP
> Encryption key length: 0
> Authentication key length: 0
> Encryption algorithm: unknown (0)
> Authentication algorithm: none
> 
> Note the Phase 2 garbage. I have to shut down isakmpd to clean this up.
> 
> Here's my isakmpd.conf:
> 
> [General]
> Default-phase-1-lifetime=     28800,60:86400
> 
> [Phase 1]
> x.x.x.x=                      ISAKMP-Site1
> 
> [Phase 2]
> Passive-connections=          IPsec-Site1
> 
> # Phase 1
> #######################
> 
> [ISAKMP-Site1]
> Phase=                        1
> Address=                      x.x.x.x
> Configuration=                SonicWall-main-mode
> Default=                      IPsec-Site1
> Authentication=               not
> ID=                           SonicWall-Phase1-ID
> 
> # Phase 2 sections
> ##################
> 
> [IPsec-Site1]
> Phase=                        2
> ISAKMP-peer=                  ISAKMP-Site1
> Configuration=                SonicWall-quick-mode
> Local-ID=                     Default-Phase2-Local-ID
> Remote-ID=                    Site1-Phase2-Remote-ID
> 
> # Client ID sections
> ####################
> 
> [SonicWall-Phase1-ID]
> ID-type=                      USER_FQDN
> Name=                         GroupVPN
> 
> [Default-Phase2-Local-ID]
> ID-type=                      IPV4_ADDR
> Address=                      default
> 
> [Site1-Phase2-Remote-ID]
> ID-type=                      IPV4_ADDR_SUBNET
> Network=                      172.31.5.0
> Netmask=                      255.255.255.0
> 
> # Transform descriptions
> ########################
> 
> [SonicWall-main-mode]
> DOI=                          IPSEC
> EXCHANGE_TYPE=                ID_PROT
> Transforms=                   3DES-MD5
> 
> [SonicWall-quick-mode]
> DOI=                          IPSEC
> EXCHANGE_TYPE=                QUICK_MODE
> Suites=                       QM-ESP-DES-MD5-SUITE
> 

-- 
pub  1024D/513AEFD9 1999-12-18 Hans-Joerg Hoexer 
                             <[EMAIL PROTECTED]>
Key fingerprint = 83D2 436A 0D3C 34A9 E0FF  4C33 35F6 617C 513A EFD9
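
A small set of shell helpers, added here and not code from the thread or from isakmpd, that parse the isakmpd.result status dump produced by an "S" command on the fifo and report whether the phase 1 SA is still listed after the phase 2 SA has been torn down. It assumes the record layout shown in the quoted output (each SA starts with "SA name: <name> (Phase N...)"); the function names and the sample dump are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread or from isakmpd): check an isakmpd.result
# dump for SAs that should have been removed by a "t <phase2-name>" teardown.
# Assumes each SA record starts with "SA name: <name> (Phase N...)".

# Read an isakmpd.result dump on stdin; print one "phase<TAB>name" line per SA.
list_sas() {
    awk '/^SA name: / {
        name = $3
        phase = $0
        sub(/^.*\(Phase /, "", phase)   # keep the text after "(Phase "
        sub(/[^0-9].*$/, "", phase)     # keep only the leading phase digit
        printf "%s\t%s\n", phase, name
    }'
}

# Exit 0 if an SA called $1 appears in the result file $2.
sa_present() {
    list_sas < "$2" | awk -F '\t' -v n="$1" '$2 == n { found = 1 } END { exit !found }'
}

# Print how many phase-$1 SAs the result file $2 lists.
count_phase() {
    list_sas < "$2" | awk -F '\t' -v p="$1" '$1 == p { c++ } END { print c + 0 }'
}

# After "t <phase2>" on the fifo: 0 = both SAs gone, 1 = phase 2 still there,
# 2 = phase 2 gone but the phase 1 SA lingers (the situation in the thread).
check_teardown() {   # usage: check_teardown <phase1-name> <phase2-name> <file>
    if sa_present "$2" "$3"; then echo "phase 2 SA $2 still present"; return 1; fi
    if sa_present "$1" "$3"; then echo "phase 1 SA $1 lingers after teardown"; return 2; fi
    echo "both SAs gone"; return 0
}

# Constructed sample: the dump after the reconnect attempt in the thread, where
# the stale phase 1 SA and an <unnamed> half-built phase 2 entry remain.
SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
SA name: ISAKMP-Site1 (Phase 1/Initiator)
src: 172.16.1.24 dst: x.x.x.x
icookie af2b308c6583a724 rcookie 32ea88cc20420661

SA name: <unnamed> (Phase 2)
src: 172.16.1.24 dst: x.x.x.x
SPI 0 not defined.
EOF
# Real use: check_teardown ISAKMP-Site1 IPsec-Site1 /var/run/isakmpd.result
rc=0; check_teardown ISAKMP-Site1 IPsec-Site1 "$SAMPLE_FILE" || rc=$?
echo "teardown check status: $rc"
```

Run it after "echo S >> /var/run/isakmpd.fifo" against the real result file; a status of 2 is the lingering phase 1 SA the thread describes.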