Greetings, I have an isakmpd process that's not letting go of old SADs. While it doesn't seem to be causing issues with the tunnels, it is causing higher than normal system utilization. It seems to be occurring on the tunnels which have multiple subnets defined (e.g. VPNA and VPNB, but not VPNC). Any insight would be appreciated.
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      24     312    2184
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      32     416    2890
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      36     468    3258
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      58     754    5212

kern.version=OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT 2007

/var/log/messages:
May 14 06:19:06 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:19:21 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:20:40 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:36:16 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:38:45 fw1 last message repeated 4 times
May 14 06:56:27 fw1 last message repeated 6 times

/etc/ipsec.conf:
# VPNA from Here to ThereA PIX
ike esp from { 10.1.0.0/16 , 10.5.0.0/24 } to 10.99.10.192/28 \
        peer 192.168.40.17 \
        local 192.168.3.4 \
        main auth hmac-md5 enc aes group modp1024 \
        quick auth hmac-md5 enc aes \
        psk "stupidkeyA"

# VPNB from Here to ThereB OBSD
ike esp from { 10.1.0.0/26, 10.5.0.0/24 } to { 10.224.0.0/24, 10.99.10.208/28 } \
        peer 192.168.40.19 \
        local 192.168.3.4 \
        psk "stupidkeyB"

# VPNC from Here to ThereC PIX
ike esp from 10.1.0.0/16 to 10.0.0.0/16 \
        peer 192.168.95.80 \
        local 192.168.3.4 \
        main auth hmac-md5 enc des \
        quick auth hmac-md5 enc des \
        psk "stupidkeyC"

-Steve S.
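Counting lines matching "tunnel" shows that the SAD grows but not which peer is accumulating stale SAs. The following script, an added example that is not part of the original post, compares per-peer SA counts against per-peer flow counts in `ipsecctl -sa` output (one SA per flow direction is the steady-state expectation, with transient extras during rekeying); the SAD sample is constructed to mirror the poster's VPNB and VPNC peers and assumes the line formats `flow esp in from ... peer X ...` and `esp tunnel from A to B spi ...`.

```sh
#!/bin/sh
# sa_excess LOCAL: read `ipsecctl -sa` output on stdin, print
# "peer flows sas" for every peer whose SA count exceeds its flow count.
sa_excess() {
  awk -v local="$1" '
    # FLOWS section: count flow entries per peer address
    $1 == "flow" {
      for (i = 1; i <= NF; i++) if ($i == "peer") flows[$(i+1)]++
    }
    # SAD section: the peer is whichever endpoint is not our local address
    $1 == "esp" && $2 == "tunnel" {
      peer = ($4 == local) ? $6 : $4
      sas[peer]++
    }
    END {
      for (p in sas)
        if (sas[p] > flows[p]) printf "%s %d %d\n", p, flows[p], sas[p]
    }' | sort
}

# Constructed sample, not captured from fw1: VPNC (192.168.95.80) is healthy
# with 2 flows and 2 SAs; VPNB (192.168.40.19) has 4 flows but 7 SAs, i.e.
# three SAs that no longer belong to any current flow pair.
SAMPLE_IPSECCTL=$(cat <<'EOF'
FLOWS:
flow esp in from 10.0.0.0/16 to 10.1.0.0/16 peer 192.168.95.80 srcid 192.168.3.4/32 dstid 192.168.95.80/32 type use
flow esp out from 10.1.0.0/16 to 10.0.0.0/16 peer 192.168.95.80 srcid 192.168.3.4/32 dstid 192.168.95.80/32 type require
flow esp in from 10.224.0.0/24 to 10.1.0.0/26 peer 192.168.40.19 srcid 192.168.3.4/32 dstid 192.168.40.19/32 type use
flow esp out from 10.1.0.0/26 to 10.224.0.0/24 peer 192.168.40.19 srcid 192.168.3.4/32 dstid 192.168.40.19/32 type require
flow esp in from 10.99.10.208/28 to 10.5.0.0/24 peer 192.168.40.19 srcid 192.168.3.4/32 dstid 192.168.40.19/32 type use
flow esp out from 10.5.0.0/24 to 10.99.10.208/28 peer 192.168.40.19 srcid 192.168.3.4/32 dstid 192.168.40.19/32 type require

SAD:
esp tunnel from 192.168.3.4 to 192.168.95.80 spi 0x0c000001 auth hmac-md5 enc des
esp tunnel from 192.168.95.80 to 192.168.3.4 spi 0x0c000002 auth hmac-md5 enc des
esp tunnel from 192.168.3.4 to 192.168.40.19 spi 0x0b000001 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.40.19 to 192.168.3.4 spi 0x0b000002 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.19 spi 0x0b000003 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.40.19 to 192.168.3.4 spi 0x0b000004 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.19 spi 0x0b000005 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.40.19 to 192.168.3.4 spi 0x0b000006 auth hmac-sha2-256 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.19 spi 0x0b000007 auth hmac-sha2-256 enc aes
EOF
)

# demo: run the check over the constructed sample with fw1's local address
demo() { printf '%s\n' "$SAMPLE_IPSECCTL" | sa_excess 192.168.3.4; }
demo
```

On a live system replace `demo` with `sudo ipsecctl -sa | sa_excess 192.168.3.4` and run it at intervals; a peer whose SA count keeps rising while its flow count stays flat is the one holding stale SAs.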