> I'm wondering if the "ikeadm delete rule" impacts Phase2 SAs or not ?
Nope. The only operation that affects Phase 1 and IPsec SAs is the "ipseckey flush" operation, which will wipe out the entire SADB AND the IKE SAs.

> In other words, if there are 2 Phases SAs for icmp, if the phase1
> policy is removed by "ikeadm delete rule", these icmp SA-pair will
> be removed or not?

Nope, the SAs are still around.

> As well, how about the ipsecconf -d impacts the Phase2 SAs or not?

SPD entries aren't tied to SADB entries - if you nuke the rule, the SAs will still be around until they expire. Of course, modulo connection latches, the outbound SAs won't be used.

Dan