This might help: http://undeadly.org/cgi?action=article&sid=20131125041429
2014-10-08 23:18 GMT+02:00 Kevin Pate <[email protected]>:
> I was hoping someone could help me with an issue I'm having regarding
> ipsecctl and multiple tunnels.
>
> I'm trying to delete a tunnel without restarting or flushing the SAs that
> are already in place.
>
> When I use:
>
>     ipsecctl -d -vv -f /etc/ipsec-remove.conf
>
> the routes remain and the SAs do not get deleted.
>
> My ipsec-remove.conf file:
>
>     # Houston to Corpus
>     ike esp from 192.168.2.0/25 to 192.168.82.0/24 peer xx.xx.xx.xx \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des \
>         psk "xxxxxxxxxx" \
>         tag vpn-corpus
>     ike esp from 192.168.2.128/25 to 192.168.82.0/24 peer xx.xx.xx.xx \
>         main auth hmac-sha1 enc 3des group modp1024 \
>         quick auth hmac-sha1 enc 3des \
>         psk "xxxxxxxxxx" \
>         tag vpn-corpus
>
> Output of ipsecctl -s sa:
>
>     esp tunnel from <some remote host> to <local site> spi 0x03761967 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x1cdd21a3 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x2e4aad48 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x3134cfbd auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x358e5310 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x47780dca auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x4e3069cf auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x56903d1d auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x617705c8 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x61e67eb3 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x6d29d48b auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x6e00df06 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x710e2a8f auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x74db2d10 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x834bdee7 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x93eb83e8 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0x984be19f auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xa0a8e08d auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xa1fd5966 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xa77f3834 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xaeab91ab auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xbdf1207d auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xbefa6c9f auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xce30ad17 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xe0d81015 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xe175e9c6 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xe460c5ce auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xef15c229 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xf0711651 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xf3d67ab8 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xfb031187 auth hmac-sha1 enc 3des-cbc
>     esp tunnel from <some remote host> to <local site> spi 0xff1bb0e6 auth hmac-sha1 enc 3des-cbc
>
> Output of netstat -rn (pertaining to the route in question):
>
>     Encap:
>     Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
>     192.168.82/24      0     192.168.2.0/25     0     0      xx.xx.xx.xx/esp/use/in
>     192.168.2.0/25     0     192.168.82/24      0     0      xx.xx.xx.xx/esp/require/out
>     192.168.82/24      0     192.168.2.128/25   0     0      xx.xx.xx.xx/esp/use/in
>     192.168.2.128/25   0     192.168.82/24      0     0      xx.xx.xx.xx/esp/require/out
>
> Shouldn't the SA and route get removed with the ipsecctl -d command? If
> not, how should I go about doing this without interrupting the other
> existing tunnels?
>
> Thanks,
>
> Kevin Pate
> RHCE - CCNA
> Pate Consulting, Inc.
> www.pateconsulting.com
> [email protected]
> M 713.823.8845
> Skype kevdpate
> AIM lnxcnsltng
>
> --
> May the most significant bit of your life be positive.
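A check for the situation in the quoted mail, added here as an example; it is not part of the thread and not OpenBSD's own code. It parses the text of `ipsecctl -s sa` and `ipsecctl -s flow` to list the SAs (by SPI) and flows that belong to one peer, then wraps a real `ipsecctl -d -f <file>` in a before/after snapshot so you can see whether the tunnel's SAs are actually gone or, as in the report, still present. The peer addresses (203.0.113.x, 198.51.100.1) and the two sample outputs are constructed placeholders; `verify_delete` assumes it runs as root on the OpenBSD host in question. Since an `ike` rule is handed to isakmpd(8) rather than applied to the kernel SADB directly, what the script reports is the kernel's view once isakmpd has acted on the request.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses ipsecctl(8) output to
# find the SAs and flows of one IKE peer and checks whether `ipsecctl -d`
# removed them. All addresses and sample outputs below are constructed.

# Constructed `ipsecctl -s sa` output: one SA per direction for two peers.
SAMPLE_SA='esp tunnel from 203.0.113.10 to 198.51.100.1 spi 0x03761967 auth hmac-sha1 enc 3des-cbc
esp tunnel from 198.51.100.1 to 203.0.113.10 spi 0x1cdd21a3 auth hmac-sha1 enc 3des-cbc
esp tunnel from 203.0.113.20 to 198.51.100.1 spi 0x2e4aad48 auth hmac-sha1 enc 3des-cbc
esp tunnel from 198.51.100.1 to 203.0.113.20 spi 0x3134cfbd auth hmac-sha1 enc 3des-cbc'

# Constructed, abbreviated `ipsecctl -s flow` output for the same two peers.
SAMPLE_FLOW='flow esp in from 192.168.82.0/24 to 192.168.2.0/25 peer 203.0.113.10 type use
flow esp out from 192.168.2.0/25 to 192.168.82.0/24 peer 203.0.113.10 type require
flow esp in from 192.168.83.0/24 to 192.168.2.0/25 peer 203.0.113.20 type use
flow esp out from 192.168.2.0/25 to 192.168.83.0/24 peer 203.0.113.20 type require'

# spis_for_peer PEER  (reads `ipsecctl -s sa` text on stdin)
# Prints the SPI of every esp/ah SA whose "from" or "to" address is PEER.
spis_for_peer() {
    awk -v peer="$1" '
        $1 == "esp" || $1 == "ah" {
            from = ""; to = ""; spi = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") from = $(i + 1)
                if ($i == "to")   to   = $(i + 1)
                if ($i == "spi")  spi  = $(i + 1)
            }
            if (spi != "" && (from == peer || to == peer)) print spi
        }'
}

# count_sas_for_peer PEER  (stdin as above); prints a bare integer.
count_sas_for_peer() {
    spis_for_peer "$1" | wc -l | tr -d ' '
}

# flows_for_peer PEER  (reads `ipsecctl -s flow` text on stdin)
# Prints "<dir> <src> <dst>" for every flow whose "peer" token is PEER.
flows_for_peer() {
    awk -v peer="$1" '
        $1 == "flow" {
            dir = $3; from = ""; to = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "from") from = $(i + 1)
                if ($i == "to")   to   = $(i + 1)
                if ($i == "peer") p    = $(i + 1)
            }
            if (p == peer) print dir, from, to
        }'
}

# verify_delete PEER CONFIG
# Snapshot the SAs and flows for PEER, run the delete with the given
# ipsec.conf(5) file, and report what the kernel still holds afterwards.
# Returns 0 if nothing for PEER survived, 1 if something did (the symptom
# in the thread). Must run as root on the gateway itself.
verify_delete() {
    peer=$1; conf=$2
    echo "SAs for $peer before:";   ipsecctl -s sa   | spis_for_peer "$peer"
    echo "flows for $peer before:"; ipsecctl -s flow | flows_for_peer "$peer"

    ipsecctl -d -f "$conf" || return 1

    sas_after=$(ipsecctl -s sa | spis_for_peer "$peer")
    flows_after=$(ipsecctl -s flow | flows_for_peer "$peer")
    if [ -z "$sas_after" ] && [ -z "$flows_after" ]; then
        echo "all SAs and flows for $peer removed"
        return 0
    fi
    echo "still present for $peer after ipsecctl -d:" >&2
    printf '%s\n' "$sas_after" "$flows_after" | sed '/^$/d' >&2
    return 1
}
```

Run the parsers against the embedded samples first (`printf '%s\n' "$SAMPLE_SA" | spis_for_peer 203.0.113.10`) to confirm they pick out the right entries on your ipsecctl version's output format before trusting `verify_delete` on a live gateway; the other peers' SAs are never touched by the script itself, only by whatever `ipsecctl -d -f` does with the rules in the file.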
