Hi,

My configuration creates 3 IKE SAs and 6 IPsec SAs. Configuration file attached.

Now when I change the esp encryption algorithm for IpSecMPlane, I run the following commands in the order given below:

1. ipsec down IpSecMPlane
2. Write the new esp encryption algorithm for IpSecMPlane in ipsec.conf.
3. ipsec update
4. ipsec up IpSecMPlane

When I executed the above steps more than three times, after the third time the stack is not able to bring down the IpSecMPlane SA. After debugging the problem I found the following things:

1. The control comes to the listen_ function of bus.c, where it queues the job into the processor and waits on the wait command.
2. I think the processor is not able to process this queued job.

What could be the reason for this?

Here's the ipsec.conf file I was using:

config setup
    cachecrls=no
    charonstart=yes
    plutostart=no
    strictcrlpolicy=no
    uniqueids=no

ca AllPlanes
    cacert=/tmp/RootCert3801_7349bbdb.pem
    auto=add

conn IpSecMPlane
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=3des-sha1-modp1024,aes128-sha1-modp1024!
    authby=rsasig
    left=20.20.20.21
    leftsubnet=15.15.15.2/32
    right=10.10.10.2
    rightsubnet=14.14.14.2/32
    leftprotoport=sctp/9901
    rightprotoport=sctp/9901
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn IpSecSSEPlane
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=22.22.22.23
    leftsubnet=15.15.15.5/32
    right=12.12.12.2
    rightsubnet=0.0.0.0/32
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn IpSecCPlane
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=null-sha1-modp1024!
    authby=rsasig
    left=21.21.21.22
    leftsubnet=16.16.16.2/32
    right=11.11.11.2
    rightsubnet=16.16.16.3/32,16.16.16.4/32
    leftprotoport=sctp
    rightprotoport=sctp
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn IpSecUPSPlane
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=null-sha1-modp1024!
    authby=rsasig
    left=21.21.21.22
    leftsubnet=16.16.16.2/32
    right=11.11.11.2
    rightsubnet=17.17.17.3/32
    leftprotoport=udp/49156
    rightprotoport=udp/49156
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn IpSecUCSPlane
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=aes128-sha1-modp1024,3des-sha1-modp1024!
    authby=rsasig
    left=21.21.21.22
    leftsubnet=16.16.16.2/32
    right=11.11.11.2
    rightsubnet=17.17.17.3/32
    leftprotoport=udp/49154
    rightprotoport=udp/49154
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

conn IpSecToPPlane
    ikelifetime=24h
    keyexchange=ikev2
    keyingtries=%forever
    keylife=90m
    reauth=no
    rekey=yes
    mobike=no
    dpddelay=0
    rekeymargin=4m
    ike=aes128-sha1-modp1024,3des-sha1-modp1024!
    esp=null-sha1-modp1024!
    authby=rsasig
    left=21.21.21.22
    leftsubnet=16.16.16.2/32
    right=11.11.11.2
    rightsubnet=17.17.17.5/32
    leftprotoport=udp
    rightprotoport=udp
    leftcert=/tmp/BTScert.pem
    rightid=%any
    auto=add

Thanks in advance.

Regards,
Vivek
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users