Issue #2339
How to kill a particular active IKE_SA
Description
Please let me know how to clear a strongswan session of a particular user.
ikev2-with-eap[20]: ESTABLISHED 3 minutes ago, 172.16.32.10[OU=Domain Control Validated, OU=PositiveSSL, CN=vpn.staging.at.testorh.co]...137.97.15.107[test2]
ikev2-with-eap{10}: INSTALLED, TUNNEL, reqid 10, ESP in UDP SPIs: cfce69e7_i 8eaa63aa_o
ikev2-with-eap{10}: 0.0.0.0/0 === 10.0.0.1/32
History
#1 Updated by Tobias Brunner over 8 years ago
- Description updated (diff)
- Status changed from New to Feedback
- Priority changed from Immediate to Normal
#2 Updated by augustine champara over 8 years ago
But there would be many users for a connection config, right? Then how could I kill a particular user session?
Security Associations (1 up, 0 connecting):
ikev2-with-eap[24]: ESTABLISHED 3 seconds ago, 172.16.32.10[OU=Domain Control Validated, OU=PositiveSSL, CN=vpn.staging.at.test.co]...137.97.15.107[test2]
ikev2-with-eap[24]: IKEv2 SPIs: 73f1001306ecfc24_i e577a2fccbd2f115_r*, rekeying disabled
ikev2-with-eap[24]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
ikev2-with-eap{16}: INSTALLED, TUNNEL, reqid 16, ESP in UDP SPIs: c75e37b5_i ba4a99ac_o
ikev2-with-eap{16}: AES_CBC_128/HMAC_SHA2_256_128, 652 bytes_i (9 pkts, 0s ago), 1158 bytes_o (10 pkts, 0s ago), rekeying disabled
ikev2-with-eap{16}: 0.0.0.0/0 === 10.0.0.1/32
Suppose this (test2) is one user. I want to clear/disconnect the strongswan connection from the server. How do I do that?
#3 Updated by Tobias Brunner over 8 years ago
Did you read the page I linked above? Did you notice how ipsec down may be called with different arguments?
#4 Updated by augustine champara over 8 years ago
Oh sorry, got it.
But what I have seen is that it is just waiting for the retransmits (5 we have set in configuration), after that only the session is stopped.
[root@vpn1 ~]# time strongswan down [31]
retransmit 4 of request with message ID 0
sending packet: from 172.16.32.10[4500] to 137.97.10.135[51913] (128 bytes)
sending keep alive to 137.97.10.135[51913]
retransmit 5 of request with message ID 0
sending packet: from 172.16.32.10[4500] to 137.97.10.135[51913] (128 bytes)
sending keep alive to 137.97.10.135[51913]
sending keep alive to 137.97.10.135[51913]
sending keep alive to 137.97.10.135[51913]
giving up after 5 retransmits
sending RADIUS Accounting-Request to server 'radd1'
received RADIUS Accounting-Response from server 'radd1'
lease 10.0.0.1 by 'test2' went offline
closing IKE_SA [31] failed

real 2m9.667s
user 0m0.002s
sys 0m0.004s
#5 Updated by Tobias Brunner over 8 years ago
But what I have seen is that it is just waiting for the retransmits (5 we have set in configuration), after that only the session is stopped.
Yes, the daemon will try to delete the SA with a regular DELETE, and that requires a bunch of retransmits to finish. If you want the command to return immediately, try using ipsec stroke down-nb (the daemon will still send multiple packets in the background).
Also, you might want to consider using VICI.
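Added example, not part of the original thread and not strongSwan project code: a shell helper that finds the IKE_SA of one remote identity in `ipsec statusall` output and builds the non-blocking `stroke down-nb` command for its `name[id]` selector. The function names, the `RUN` switch, the wrapper parameter and the sample status lines are assumptions made for illustration; it assumes the user appears as the remote IKE identity, as in the output quoted in this thread.

```shell
#!/bin/sh
# Constructed sample of `ipsec statusall` SA lines (names and addresses are placeholders).
sample_status() {
cat <<'EOF'
Security Associations (2 up, 0 connecting):
ikev2-with-eap[24]: ESTABLISHED 3 seconds ago, 192.0.2.10[CN=vpn.example.test]...198.51.100.7[test2]
ikev2-with-eap{16}:  INSTALLED, TUNNEL, reqid 16, ESP in UDP SPIs: c75e37b5_i ba4a99ac_o
ikev2-with-eap{16}:   0.0.0.0/0 === 10.0.0.1/32
ikev2-with-eap[25]: ESTABLISHED 9 minutes ago, 192.0.2.10[CN=vpn.example.test]...203.0.113.9[test22]
ikev2-with-eap{17}:  INSTALLED, TUNNEL, reqid 17, ESP in UDP SPIs: c1111111_i c2222222_o
EOF
}

# Print the name[id] selector of every ESTABLISHED IKE_SA whose remote identity
# equals $1 exactly (so "test2" does not also match "test22"). Status on stdin.
find_ike_sas() {
    awk -v id="$1" '
        / ESTABLISHED / {
            sa = $1; sub(/:$/, "", sa)        # "ikev2-with-eap[24]:" -> selector
            n = split($0, side, /\.\.\./)      # local...remote
            remote = side[n]                   # e.g. 198.51.100.7[test2]
            if (match(remote, /\[.*\]$/) &&
                substr(remote, RSTART + 1, RLENGTH - 2) == id) print sa
        }'
}

# Print (default) or, with RUN=1, execute the non-blocking termination for each
# IKE_SA of identity $1 found in status text $2. $3 is the wrapper command
# (hypothetical parameter; `ipsec` by default, `strongswan` on the hosts above).
terminate_user() {
    sas=$(printf '%s\n' "$2" | find_ike_sas "$1")
    [ -n "$sas" ] || { echo "no ESTABLISHED IKE_SA for $1" >&2; return 1; }
    # Read line by line and keep the selector quoted: unquoted, name[24] is a
    # shell glob and could expand to a file name in the current directory.
    printf '%s\n' "$sas" | while IFS= read -r sa; do
        if [ "${RUN:-0}" = 1 ]; then
            "${3:-ipsec}" stroke down-nb "$sa"
        else
            printf "%s stroke down-nb '%s'\n" "${3:-ipsec}" "$sa"
        fi
    done
}

terminate_user test2 "$(sample_status)"
```

As comment #5 states, the daemon still sends the DELETE retransmits in the background; only the command returns immediately.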
#6 Updated by augustine champara over 8 years ago
[root@vpn4 ~]# time strongswan stroke down [17]
sending keep alive to 73.189.181.148[4500]
sending keep alive to 73.189.181.148[4500]
retransmit 5 of request with message ID 0
sending packet: from 172.16.32.149[4500] to 73.189.181.148[4500] (68 bytes)
sending keep alive to 73.189.181.148[4500]
Done but again retransmits
#7 Updated by Tobias Brunner over 8 years ago
Done but again retransmits
You really have to learn to read.
#8 Updated by Noel Kuntze over 7 years ago
- Status changed from Feedback to Closed
- Resolution set to No change required