Hi Ido,

- first, pluto is not supposed to crash. Please provide us with
  debug information so that we can fix your problem.

- second, starter flushes all SPD/SAD entries in the kernel using
  starter_netkey_cleanup() after pluto and/or charon are terminated:

  http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/starter/starter.c;h=d86da21b83f758c1824c312ede7f1caf42fd61a9;hb=HEAD#l429

  http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/starter/netkey.c;h=e0449f0b2599f0c1a40c10f6428b8b6353507c87;hb=HEAD#l67

  If you want to flush the SPD/SAD before starting pluto then insert
  starter_netkey_cleanup() somewhere here:

  http://git.strongswan.org/?p=strongswan.git;a=blob;f=src/starter/starter.c;h=d86da21b83f758c1824c312ede7f1caf42fd61a9;hb=HEAD#l364

Regards

Andreas

On 05/30/2011 02:00 PM, Goshen, Ido (Ido) wrote:
> Hi Andreas,
>
> Thanx for the quick response, and for exposing me to the "ip xfrm"
> option. I like it a lot better than mixing ipsec-tools setkey with
> StrongSWAN.
>
> As you suggested I would rather not have to manually touch the
> SPD/SAD. But I'm having a problem when pluto crashes it leaves behind
> entries in the kernel that may break further negotiation after pluto is
> restarted.
> More details were posted in:
> 1. http://www.mail-archive.com/[email protected]/msg02447.html
> 2. https://lists.strongswan.org/pipermail/users/2011-May/006236.html
>
> Is it a known issue?
>
> Any ideas how to fix/recover?
>
> Thanx,
> - Ido
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> [email protected]
> Sent: Monday, May 30, 2011 1:00 PM
> To: [email protected]
> Subject: Dev Digest, Vol 16, Issue 5
>
> Today's Topics:
>
> 1. kernel SPD/SAD tool (Goshen, Ido (Ido))
> 2. Re: kernel SPD/SAD tool (Andreas Steffen)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 30 May 2011 10:07:43 +0200
> From: "Goshen, Ido (Ido)" <[email protected]>
> Subject: [strongSwan-dev] kernel SPD/SAD tool
> To: <[email protected]>
> Message-ID:
> <edc652a26fb23c4eb6384a4584434a04032bc...@307622anex5.global.avaya.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi,
>
> Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
> monitor and/or manipulate the kernel's SPD/SAD or it's all done
> programmatically via hydra (netlink plugin in my case)?
>
> Thanx,
>
> - Ido
>
> ------------------------------
>
> Message: 2
> Date: Mon, 30 May 2011 11:50:21 +0200
> From: Andreas Steffen <[email protected]>
> Subject: Re: [strongSwan-dev] kernel SPD/SAD tool
> To: "Goshen, Ido (Ido)" <[email protected]>
> Cc: [email protected]
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> Hi Ido,
>
> strongSwan manages the kernel SPD/SAD via the XFRM Netlink kernel
> interface. The built-in "ipsec statusall" command can be used to
> monitor the established IPsec SAs but if you want to see all the
> details you can also use "setkey" or "ip xfrm state|policy".
>
> If you manipulate SPD/SAD entries via "setkey" or "ip xfrm" then you
> are on your own since strongSwan will not be aware of any such changes.
>
> Regards
>
> Andreas
>
> On 05/30/2011 10:07 AM, Goshen, Ido (Ido) wrote:
>> Hi,
>>
>> Does StrongSWAN supply a shell tool like "setkey" from ipsec-tools to
>> monitor and/or manipulate the kernel's SPD/SAD or it's all done
>> programmatically via hydra (netlink plugin in my case)?
>>
>> Thanx,
>>
>> -Ido
>>
>

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
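
Added example, not part of the original thread and not strongSwan's own code: a pre-start check that uses the "ip xfrm" commands mentioned above to find SPD/SAD entries left behind by a crashed daemon and flush them only when no IKE daemon is running. It assumes the daemon process names pluto and charon from the thread and that `pidof` is available; the function names are hypothetical and the sample output is constructed.

```shell
#!/bin/sh
# Added example: report and flush leftover kernel SPD/SAD entries before pluto starts.
# Function names are hypothetical; the sample output below is constructed.

# Count entries in `ip xfrm state` / `ip xfrm policy` output read from stdin.
# Every entry starts with an unindented "src " line; detail lines ("proto ...",
# "tmpl src ...") are indented and must not be counted.
count_xfrm_entries() {
    grep -c '^src ' || true      # grep exits 1 on zero matches but still prints 0
}

# Args: daemon_running (0|1), sa_count, policy_count. Prints skip, clean or flush.
cleanup_decision() {
    if [ "$1" -eq 1 ]; then
        echo skip                # a live daemon owns these entries
    elif [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then
        echo clean
    else
        echo flush
    fi
}

prestart_cleanup() {
    running=0
    if pidof pluto charon >/dev/null 2>&1; then running=1; fi
    sas=$(ip xfrm state | count_xfrm_entries)
    pols=$(ip xfrm policy | count_xfrm_entries)
    case $(cleanup_decision "$running" "$sas" "$pols") in
        skip)  echo "IKE daemon running, leaving SPD/SAD untouched" ;;
        clean) echo "no leftover SPD/SAD entries" ;;
        flush) echo "flushing $sas stale SAs and $pols stale policies"
               # Removes every entry, including any installed by hand.
               ip xfrm state flush && ip xfrm policy flush ;;
    esac
}

# Constructed sample output (addresses from the documentation ranges).
SAMPLE_STATE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0xc0ffee01 reqid 16384 mode tunnel
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0xc0ffee02 reqid 16384 mode tunnel'
SAMPLE_POLICY='src 198.51.100.0/24 dst 203.0.113.0/24
    dir out priority 1859
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16384 mode tunnel'

# Run against the live kernel only when asked to: sh script.sh --run (needs root).
if [ "${1:-}" = "--run" ]; then prestart_cleanup; fi
```

The flush is global, so entries installed manually with "setkey" or "ip xfrm" are removed along with the stale ones.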
