Greetings,

I have an isakmpd process that's not letting go of old SADs.  While it
doesn't seem to be causing issues with the tunnels, it is causing higher
than normal system utilization.  It seems to be occurring on the tunnels
which have multiple subnets defined (e.g. VPNA and VPNB, but not VPNC).
Any insight would be appreciated.

fw1$ sudo ipsecctl -sa |grep tunnel |wc
      24     312    2184
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      32     416    2890
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      36     468    3258
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      58     754    5212

kern.version=OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT 2007

/var/log/messages:
May 14 06:19:06 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:19:21 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:20:40 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:36:16 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:38:45 fw1 last message repeated 4 times
May 14 06:56:27 fw1 last message repeated 6 times

/etc/ipsec.conf:
# VPNA from Here to ThereA PIX
ike esp from { 10.1.0.0/16 , 10.5.0.0/24 } to 10.99.10.192/28 \
        peer  192.168.40.17 \
        local 192.168.3.4 \
        main auth hmac-md5 enc aes group modp1024 \
        quick auth hmac-md5 enc aes \
        psk "stupidkeyA"

# VPNB from Here to ThereB OBSD
ike esp from { 10.1.0.0/26, 10.5.0.0/24 } to { 10.224.0.0/24, 10.99.10.208/28 } \
        peer  192.168.40.19 \
        local 192.168.3.4 \
        psk "stupidkeyB"

# VPNC from Here to ThereC PIX
ike esp from 10.1.0.0/16 to 10.0.0.0/16 \
        peer  192.168.95.80 \
        local 192.168.3.4 \
        main auth hmac-md5 enc des \
        quick auth hmac-md5 enc des \
        psk "stupidkeyC"


-Steve S.
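An added example, not part of Steve's post: the `grep tunnel | wc` counts above show the SAD growing but not which tunnel is holding the old SAs, so this script counts SAs per peer pair from `ipsecctl -sa` output. The function names, the assumed `ipsecctl -sa` line layout described in the comments, and the sample snapshot (peer addresses from the post's ipsec.conf, SPIs invented) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: attribute a growing SAD to a
# specific tunnel by counting IPsec SAs per peer pair in "ipsecctl -sa" output,
# instead of only watching the "grep tunnel | wc" total climb.
#
# Assumed SAD line layout (OpenBSD ipsecctl -sa), with awk field numbers:
#   esp tunnel from 192.168.3.4 to 192.168.40.17 spi 0x0000a001 auth hmac-md5 enc aes
#   $1  $2     $3   $4          $5 $6            $7  $8
# FLOWS lines ("flow esp in from ... type use") carry no "tunnel" keyword, so
# they are skipped here just as the post's "grep tunnel" skips them.

# sa_per_peer: read ipsecctl -sa output on stdin, print "<count> <src> <dst>"
# per direction, most SAs first. A healthy tunnel has one SA per direction
# (briefly two while rekeying), so larger counts mark the tunnel that is
# holding on to old SAs.
sa_per_peer() {
    awk '$1 == "esp" && $2 == "tunnel" { n[$4 " " $6]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# sa_total: the same number the post obtains with "grep tunnel | wc".
sa_total() {
    awk '$1 == "esp" && $2 == "tunnel" { c++ } END { print c + 0 }'
}

# Constructed snapshot: peer addresses are the ones in the post's ipsec.conf,
# SPIs are invented. VPNA (192.168.40.17) and VPNB (192.168.40.19) are shown
# accumulating SAs, VPNC (192.168.95.80) holding the normal one per direction.
SAMPLE_SAD='FLOWS:
flow esp in from 10.99.10.192/28 to 10.1.0.0/16 peer 192.168.40.17 type use
flow esp out from 10.1.0.0/16 to 10.99.10.192/28 peer 192.168.40.17 type require

SAD:
esp tunnel from 192.168.3.4 to 192.168.40.17 spi 0x0000a001 auth hmac-md5 enc aes
esp tunnel from 192.168.40.17 to 192.168.3.4 spi 0x0000a002 auth hmac-md5 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.17 spi 0x0000a003 auth hmac-md5 enc aes
esp tunnel from 192.168.40.17 to 192.168.3.4 spi 0x0000a004 auth hmac-md5 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.17 spi 0x0000a005 auth hmac-md5 enc aes
esp tunnel from 192.168.40.17 to 192.168.3.4 spi 0x0000a006 auth hmac-md5 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.19 spi 0x0000b001 auth hmac-sha1 enc aes
esp tunnel from 192.168.40.19 to 192.168.3.4 spi 0x0000b002 auth hmac-sha1 enc aes
esp tunnel from 192.168.3.4 to 192.168.40.19 spi 0x0000b003 auth hmac-sha1 enc aes
esp tunnel from 192.168.40.19 to 192.168.3.4 spi 0x0000b004 auth hmac-sha1 enc aes
esp tunnel from 192.168.3.4 to 192.168.95.80 spi 0x0000c001 auth hmac-md5 enc des
esp tunnel from 192.168.95.80 to 192.168.3.4 spi 0x0000c002 auth hmac-md5 enc des'

# On the firewall itself (as root, like the post): ipsecctl -sa | sa_per_peer
# Offline, on the constructed snapshot:
#   printf '%s\n' "$SAMPLE_SAD" | sa_per_peer
```

Running it a few minutes apart, as Steve did with `wc`, shows which peer's count keeps climbing while the others stay at one per direction.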