Issue #1555

purge specific IKE_SA

Added by heidi rao over 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
-
Affected version:
5.0.1
Resolution:
No change required

Description

Hi,
I configured two connections as below, and I also configured keyingtries=%forever, so after charon starts up, these two rules will try to connect to the peer again and again when the peer is down. Then I remove RULE1~VPN1; how can I purge its IKE_SA? If I use the command "ipsec purgeike", the IKE_SA of RULE2~VPN2 will also be purged, and then it stops trying to connect to the peer. How can I purge only the IKE_SA of RULE1~VPN1? Thanks!

conn RULE1~VPN1
        rekeymargin=3
        rekeyfuzz=100%
        keyexchange=ikev2
        left=35.2.2.200
        right=35.2.2.100
        leftsubnet=35.2.2.201/32
        rightsubnet=35.2.2.101/32
        authby=rsasig
        leftcert="/etc/ipsec.d//certs/fpccert.pem"
        leftid=35.3.3.200
        rightid=%any
        ike=aes128-sha1-modp768!
        esp=aes128-sha1!
        type=tunnel
        ikelifetime=5000s
        keylife=5000s
        mobike=no
        auto=start
        reauth=no

conn RULE2~VPN2
        rekeymargin=3
        rekeyfuzz=100%
        keyexchange=ikev2
        left=35.3.3.200
        right=35.3.3.100
        leftsubnet=35.3.3.201/32
        rightsubnet=35.3.3.101/32
        authby=rsasig
        leftcert="/etc/ipsec.d//certs/fpccert.pem"
        leftid=35.3.3.200
        rightid=%any
        ike=aes128-sha1-modp768!
        esp=aes128-sha1!
        type=tunnel
        ikelifetime=5000s
        keylife=5000s
        mobike=no
        auto=start
        reauth=no

History

#1 Updated by Tobias Brunner over 4 years ago

  • Description updated (diff)
  • Status changed from New to Feedback

Use ipsec down RULE1~VPN1 (see IpsecCommand).
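As an added illustration of why a per-connection `ipsec down` is the right tool here (this helper is not part of the issue thread or of strongSwan itself): it reads the `conn` names still present in ipsec.conf and the IKE_SAs listed by `ipsec status`, and builds an `ipsec down <conn>` command only for connections that were removed from the config, so RULE2~VPN2 keeps retrying. The status and config text below are constructed samples modelled on strongSwan's output format, and the function names are my own.

```python
import re

# Constructed sample modelled on `ipsec status` output (an assumption, not
# captured from a real host): RULE1~VPN1 was removed from ipsec.conf but its
# IKE_SA keeps retrying because of keyingtries=%forever.
STATUS_OUTPUT = """\
Security Associations (1 up, 1 connecting):
  RULE1~VPN1[3]: CONNECTING, 35.2.2.200[%any]...35.2.2.100[%any]
  RULE2~VPN2[1]: ESTABLISHED 42 seconds ago, 35.3.3.200[35.3.3.200]...35.3.3.100[35.3.3.100]
  RULE2~VPN2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
"""

# Constructed ipsec.conf after the operator deleted the RULE1~VPN1 section.
IPSEC_CONF = """\
conn RULE2~VPN2
        keyexchange=ikev2
        left=35.3.3.200
        right=35.3.3.100
        auto=start
"""

# IKE_SA lines look like "<conn>[<unique id>]: <STATE>, ..."; CHILD_SA lines use {n}.
IKE_SA_LINE = re.compile(r"^\s*(?P<conn>[^\[\{\s]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z]+)")
CONN_LINE = re.compile(r"^conn\s+(\S+)\s*$", re.MULTILINE)


def configured_conns(conf_text):
    """Connection names defined by `conn` sections in an ipsec.conf text."""
    return set(CONN_LINE.findall(conf_text))


def ike_sas(status_text):
    """(conn name, unique id, state) for every IKE_SA line; CHILD_SA lines are skipped."""
    found = []
    for line in status_text.splitlines():
        m = IKE_SA_LINE.match(line)
        if m:
            found.append((m["conn"], int(m["id"]), m["state"]))
    return found


def stale_down_commands(status_text, conf_text):
    """Build `ipsec down <conn>` for IKE_SAs whose conn no longer exists in ipsec.conf.

    `ipsec down` is scoped to one connection name, unlike `ipsec purgeike`, which
    would also drop RULE2~VPN2 and stop its retries. Commands are returned, not run.
    """
    keep = configured_conns(conf_text)
    stale = []
    for conn, _, _ in ike_sas(status_text):
        if conn not in keep and conn not in stale:
            stale.append(conn)
    return [f"ipsec down {conn}" for conn in stale]
```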

#2 Updated by Noel Kuntze over 3 years ago

  • Status changed from Feedback to Closed
  • Resolution set to No change required