Hi,
The "ipsec purgeike" command is no longer working for me on strongSwan 4.5.2dr2
or 4.5.1. Note that this was working for me in 4.4.1.
For example, let's say I have started a connection between two hosts. ipsec
statusall returns the following SA's:
...
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 seconds ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 51 minutes
conn-10.41.42.210-10.41.42.215[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
conn-10.41.42.210-10.41.42.215{1}: INSTALLED, TUNNEL, ESP SPIs: c007624c_i c7bf7897_o
conn-10.41.42.210-10.41.42.215{1}: NULL/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 14 minutes
conn-10.41.42.210-10.41.42.215{1}: 10.41.42.210/32 === 10.41.42.215/32
Then I call "ipsec down conn-10.41.42.210-10.41.42.215{1}" to delete the child
SA, and then ipsec statusall returns:
...
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 minutes ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 48 minutes
conn-10.41.42.210-10.41.42.215[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Now, I call 'ipsec purgeike' which should remove the remaining IKE_SA because
it has no child SA's. However, nothing appears to happen. Those three lines
still appear when I call 'ipsec statusall'.
Any idea why it is not working for me?
Thanks,
Clifton
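
Added example (not part of the original post and not strongSwan code): a Python check that lists the IKE_SAs in "ipsec statusall" output that have no CHILD_SA, i.e. the ones the post expects "ipsec purgeike" to remove. It assumes CHILD_SA lines (name{N}) follow the IKE_SA (name[N]) they belong to, as in the output above; the function name and the sample text are constructed here.

```python
import re
import sys

# Constructed sample: the second statusall listing from the post above
# (after "ipsec down" of the CHILD_SA), with wrapped lines joined.
SAMPLE = """\
Security Associations:
conn-10.41.42.210-10.41.42.215[1]: ESTABLISHED 3 minutes ago, 10.41.42.210[10.41.42.210]...10.41.42.215[10.41.42.215]
conn-10.41.42.210-10.41.42.215[1]: IKE SPIs: be923fd77841ea9e_i* fc5722748eb29467_r, public key reauthentication in 48 minutes
conn-10.41.42.210-10.41.42.215[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""

IKE_LINE = re.compile(r"^\s*(\S+)\[(\d+)\]:\s+(\S+)")   # name[id]: STATE ...
CHILD_LINE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s")       # name{id}: ...

def childless_ike_sas(status_text):
    """Return [(name, ike_id)] for ESTABLISHED IKE_SAs with no CHILD_SA listed."""
    in_sas = False      # only parse below the "Security Associations" header
    current = None      # IKE_SA whose block we are currently inside
    sas = {}            # (name, id) -> {"state": str, "children": set of ids}
    for line in status_text.splitlines():
        if line.strip().startswith("Security Associations"):
            in_sas = True
            continue
        if not in_sas:
            continue
        ike = IKE_LINE.match(line)
        child = CHILD_LINE.match(line)
        if ike:
            current = (ike.group(1), int(ike.group(2)))
            # The state is only on the first line of each IKE_SA block.
            sas.setdefault(current, {"state": ike.group(3), "children": set()})
        elif child and current is not None:
            sas[current]["children"].add(int(child.group(2)))
    return [key for key, sa in sas.items()
            if sa["state"] == "ESTABLISHED" and not sa["children"]]

if __name__ == "__main__":
    # Usage: ipsec statusall | python3 this_script.py
    for name, ike_id in childless_ike_sas(sys.stdin.read()):
        print(f"{name}[{ike_id}] has no CHILD_SA")
```

Running it before and after "ipsec purgeike" shows whether the childless IKE_SA was actually removed.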