I was hoping someone could help me with an issue I'm having regarding ipsecctl and multiple tunnels.
I'm trying to delete a tunnel without restarting or flushing the SAs that are already in place. When I use:

    ipsecctl -d -vv -f /etc/ipsec-remove.conf

the routes remain and the SAs do not get deleted.

My ipsec-remove.conf file:

    # Houston to Corpus
    ike esp from 192.168.2.0/25 to 192.168.82.0/24 peer xx.xx.xx.xx \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk "xxxxxxxxxx" \
        tag vpn-corpus

    ike esp from 192.168.2.128/25 to 192.168.82.0/24 peer xx.xx.xx.xx \
        main auth hmac-sha1 enc 3des group modp1024 \
        quick auth hmac-sha1 enc 3des \
        psk "xxxxxxxxxx" \
        tag vpn-corpus

Output of ipsecctl -s sa:

    esp tunnel from <some remote host> to <local site> spi 0x03761967 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x1cdd21a3 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x2e4aad48 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x3134cfbd auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x358e5310 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x47780dca auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x4e3069cf auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x56903d1d auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x617705c8 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x61e67eb3 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x6d29d48b auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x6e00df06 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x710e2a8f auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x74db2d10 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x834bdee7 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x93eb83e8 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0x984be19f auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xa0a8e08d auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xa1fd5966 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xa77f3834 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xaeab91ab auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xbdf1207d auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xbefa6c9f auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xce30ad17 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xe0d81015 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xe175e9c6 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xe460c5ce auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xef15c229 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xf0711651 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xf3d67ab8 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xfb031187 auth hmac-sha1 enc 3des-cbc
    esp tunnel from <some remote host> to <local site> spi 0xff1bb0e6 auth hmac-sha1 enc 3des-cbc

Output of netstat -rn (pertaining to the route in question):

    Encap:
    Source            Port  Destination       Port  Proto  SA(Address/Proto/Type/Direction)
    192.168.82/24     0     192.168.2.0/25    0     0      xx.xx.xx.xx/esp/use/in
    192.168.2.0/25    0     192.168.82/24     0     0      xx.xx.xx.xx/esp/require/out
    192.168.82/24     0     192.168.2.128/25  0     0      xx.xx.xx.xx/esp/use/in
    192.168.2.128/25  0     192.168.82/24     0     0      xx.xx.xx.xx/esp/require/out

Shouldn't the SA and route get removed with the ipsecctl -d command? If not, how should I go about doing this without interrupting the other existing tunnels?

Thanks,

Kevin Pate
RHCE - CCNA
Pate Consulting, Inc.
www.pateconsulting.com
[email protected]
M 713.823.8845
Skype kevdpate
AIM lnxcnsltng
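An added example, not part of Kevin's post: a POSIX shell helper that reads saved `netstat -rn` (Encap section) and `ipsecctl -s sa` output and reports whether the flows and SAs for one tunnel are still present after an `ipsecctl -d` run, so a removal can be verified without flushing the other tunnels. The peer and local addresses (203.0.113.1, 198.51.100.2) are constructed placeholders, and the awk field positions assume the column layout shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether one tunnel's
# encap routes (flows) and SAs remain after `ipsecctl -d -f file`.
# Input is passed as text so this runs offline; on a live host feed it the
# Encap section of `netstat -rn` and the output of `ipsecctl -s sa`
# (`ipsecctl -s flow` shows the same flows in ipsecctl syntax).

# Constructed sample of the Encap table in the layout netstat prints.
# Note that netstat abbreviates 192.168.82.0/24 to 192.168.82/24, so the
# prefix must be compared in that form, not as written in ipsec.conf.
SAMPLE_ENCAP='Encap:
Source Port Destination Port Proto SA(Address/Proto/Type/Direction)
192.168.82/24 0 192.168.2.0/25 0 0 203.0.113.1/esp/use/in
192.168.2.0/25 0 192.168.82/24 0 0 203.0.113.1/esp/require/out
192.168.82/24 0 192.168.2.128/25 0 0 203.0.113.1/esp/use/in
192.168.2.128/25 0 192.168.82/24 0 0 203.0.113.1/esp/require/out'

# Constructed sample of `ipsecctl -s sa` (203.0.113.1 = peer, 198.51.100.2 = local).
SAMPLE_SA='esp tunnel from 203.0.113.1 to 198.51.100.2 spi 0x03761967 auth hmac-sha1 enc 3des-cbc
esp tunnel from 198.51.100.2 to 203.0.113.1 spi 0x1cdd21a3 auth hmac-sha1 enc 3des-cbc
esp tunnel from 203.0.113.1 to 198.51.100.2 spi 0x2e4aad48 auth hmac-sha1 enc 3des-cbc'

# count_flows ENCAP_TEXT NET_A NET_B
# Prints the number of encap entries between the two prefixes, either direction.
# The first two lines of the Encap section are headers and are skipped.
count_flows() {
    printf '%s\n' "$1" | awk -v a="$2" -v b="$3" '
        NR > 2 && (($1 == a && $3 == b) || ($1 == b && $3 == a)) { n++ }
        END { print n + 0 }'
}

# list_spis SA_TEXT FROM TO
# Prints the SPI of every ESP SA from FROM to TO, one per line.
# Fields: esp(1) tunnel(2) from(3) FROM(4) to(5) TO(6) spi(7) SPI(8) ...
list_spis() {
    printf '%s\n' "$1" | awk -v f="$2" -v t="$3" '
        $1 == "esp" && $4 == f && $6 == t { print $8 }'
}

# After a successful removal of the 192.168.2.0/25 tunnel both values should
# be 0; on the sample they show the leftovers the post describes.
count_flows "$SAMPLE_ENCAP" 192.168.2.0/25 192.168.82/24    # prints 2
list_spis "$SAMPLE_SA" 203.0.113.1 198.51.100.2 | wc -l     # prints 2
```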
