On Thu, 19 Feb 2015, John Crisp wrote:
are fine, but would like to be able to individually stop/restart connections.
ipsec auto --down name and ipsec auto --up name will do that.
First is how to identify connections that are 'up' (though I guess that I could ignore this and restart them regardless of state). ipsec status does not provide a simple "myConnection up" type status that you can grep. I thought the closest might be in this line:

#1: "MyConnection":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established).....

But I am not sure.
That's just the phase1/parent. You should look for:

IKEv2:

000 #2: "westnet-eastnet-ipv4-psk-ikev2":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 28043s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "westnet-eastnet-ipv4-psk-ikev2" [email protected] [email protected] [email protected] [email protected] ref=3 refhim=1 Traffic:! ESPmax=0B

Note that in IKEv2 currently both the parent and child are marked as STATE_PARENT_I3 or STATE_PARENT_R2. That is a bug :(

IKEv1:

000 #2: "westnet-eastnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28044s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "westnet-eastnet" [email protected] [email protected] [email protected] [email protected] ref=3 refhim=1 Traffic:! ESPmax=4194303B

Here you can rely on "IPsec SA established" to pick the right state number.
Next is how to restart an individual connection using whack. I don't seem to be able to easily identify the various connections.
Why use whack directly? Why not "ipsec auto --replace name" followed by "ipsec auto --up name" ?
I have tried 'myid' in /etc/ipsec.d/ipsec.conf but can't seem to get something working.
That value is not related to this.
Surely if I have a conn entry in the ipsec.conf file I should be able to do something like:

ipsec whack MyConnection

But it seems that this is far too simplistic!
You should. We _are_ working on a replacement command that will be much more concise and friendly to the administrator. Note that you can get state changes to your custom scripts by setting the statsbin= value to your binary/shell script. That way you are notified of state changes without needing to call ipsec status or grep the logs.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
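As an added example, not part of the thread above: a small POSIX sh filter that applies Paul's advice to `ipsec status` output, reporting which connections have an established IPsec (child) SA. The sample output is constructed from the lines quoted in the reply; the function names `up_connections` and `is_up` are my own.

```sh
#!/bin/sh
# Added example (not from the mailing list thread). Feed "ipsec status" output
# on stdin; up_connections prints the name of every conn with an established
# IPsec SA, so a script can decide which ones to "ipsec auto --down/--up".

# Constructed sample of "ipsec status" output, modelled on the reply's lines.
# #1/#5 are phase1-only (ISAKMP) SAs and must NOT be reported; #2 and #4 are
# child SAs and must be reported. 192.0.2.x are documentation addresses.
SAMPLE_STATUS='000 #1: "westnet-eastnet":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2000s; newest ISAKMP; idle; import:admin initiate
000 #2: "westnet-eastnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28044s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "westnet-eastnet" esp.1234@192.0.2.2 esp.5678@192.0.2.1 ref=3 refhim=1 Traffic:! ESPmax=4194303B
000 #3: "westnet-eastnet-ipv4-psk-ikev2":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 28043s; newest ISAKMP; idle; import:admin initiate
000 #4: "westnet-eastnet-ipv4-psk-ikev2":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 28043s; newest IPSEC; eroute owner; isakmp#3; idle; import:admin initiate
000 #5: "only-phase1":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 100s; newest ISAKMP; idle; import:admin initiate'

# up_connections: stdin = "ipsec status" output, stdout = one conn name per
# line, deduplicated. IKEv1 child SAs carry "IPsec SA established". IKEv2
# parent and child both show STATE_PARENT_I3/R2 (the bug Paul mentions), so
# the child is picked out by its "newest IPSEC" marker instead. The sed
# expression tolerates lines with or without the leading "000 " prefix.
up_connections() {
    grep -E 'IPsec SA established|newest IPSEC' |
        sed -n 's/^\(000 \)\{0,1\}#[0-9]*: "\([^"]*\)".*/\2/p' |
        sort -u
}

# is_up NAME: exit 0 if NAME appears in the up_connections list read from
# stdin, non-zero otherwise (usable as a condition before --down/--up).
is_up() {
    up_connections | grep -qx -- "$1"
}

# Stand-alone run: list the established connections in the sample.
printf '%s\n' "$SAMPLE_STATUS" | up_connections
```

In production the stdin would be `ipsec status`, and a restart loop would call `ipsec auto --down "$name"` then `ipsec auto --up "$name"` for each reported name, as the reply suggests.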
