On 02/25/10 20:45, Stefan Bauer wrote:
> Am 25.02.2010 18:02, Jan Sievers schrieb:
>> In your sample session you removed together with ipsec-tools also
>> racoon, which calls setkey to flush SP database, if and only if, you
>> have configured it to use racoon-tool.
> 
> Again, I was just trying to reproduce this. If I do a
> dpkg-reconfigure racoon and select "direct", which is already the
> default, and purge afterwards the ipsec-tools and racoon, the SA/SP
> database is flushed.

Ok. First of all, you do not have to install racoon, but could just use
ipsec-tools without ISAKMP. Just to mention it.

> How did you come to the conclusion that it does not flush? Mind
> providing your apt-get/aptitude remove output?

As you see, I use dpkg directly, since I just have lenny machines around
here. And I have to say that I even built the package on the lenny
machine without having the newest debhelper library.

But using racoon in direct mode, I get the following on removal:

r...@host: dpkg -i ipsec-tools_0.7.3-1_i386.deb racoon_0.7.3-1_i386.deb
Selecting previously deselected package ipsec-tools.
(Reading database ... 50663 files and directories currently installed.)
Unpacking ipsec-tools (from ipsec-tools_0.7.3-1_i386.deb) ...
Selecting previously deselected package racoon.
Unpacking racoon (from racoon_0.7.3-1_i386.deb) ...
Setting up ipsec-tools (1:0.7.3-1) ...
Processing triggers for man-db ...
Setting up racoon (1:0.7.3-1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.
r...@host: cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f

# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#

## Flush the SAD and SPD
#
flush;
spdflush;

spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;

r...@host: /etc/init.d/setkey start
Loading IPsec SA/SP database from /etc/ipsec-tools.conf: done.
r...@host: setkey -DP
192.0.2.1[any] 192.0.2.2[any] any
        out ipsec
        esp/transport//require
        created: Feb 26 10:29:29 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=513 seq=0 pid=4682
        refcnt=1
r...@host: grep CONFIG_MODE /etc/default/racoon
CONFIG_MODE="direct"
r...@host: dpkg -r racoon ipsec-tools
(Reading database ... 50733 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Removing ipsec-tools ...
Processing triggers for man-db ...
r...@host: ping 192.0.2.2
connect: No such process


As you see, the SP database is still not empty. The ping fails.
And with purge I get:


r...@host: dpkg -i ipsec-tools_0.7.3-1_i386.deb racoon_0.7.3-1_i386.deb
Selecting previously deselected package ipsec-tools.
(Reading database ... 50654 files and directories currently installed.)
Unpacking ipsec-tools (from ipsec-tools_0.7.3-1_i386.deb) ...
Selecting previously deselected package racoon.
Unpacking racoon (from racoon_0.7.3-1_i386.deb) ...
Setting up ipsec-tools (1:0.7.3-1) ...
Processing triggers for man-db ...
Setting up racoon (1:0.7.3-1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.
r...@host: /etc/init.d/setkey start
Loading IPsec SA/SP database from /etc/ipsec-tools.conf: done.
r...@host: dpkg --purge racoon ipsec-tools
(Reading database ... 50733 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Purging configuration files for racoon ...
dpkg - warning: while removing racoon, directory `/var/lib/racoon' not
empty so not removed.
Removing ipsec-tools ...
Purging configuration files for ipsec-tools ...
Processing triggers for man-db ...

> Right now, I just don't get why it doesn't work in your case.
And I don't get how it could possibly work :-)

Who is calling the setkey init-script on removal or purge?
Am I missing something?

Thanks,
Jan

-- 
Jan Sievers                              |
Freie Universität Berlin                 | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de



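The check the two participants disagree about is whether the SPD is empty after the packages are removed. The script below is an added example for reproducing that check, not code from the bug report or from the ipsec-tools package: it parses `setkey -DP` output in the format shown in the session above and reports whether any policies remain. The sample dump `SAMPLE_SPD` is constructed to match that format (one entry copied from the thread plus a mirrored `in` entry), and the handling of the "No SPD entries." line for an empty SPD is an assumption about setkey's output, so verify it on a real host before relying on it.

```shell
#!/bin/sh
# Added example (not from the bug report): parse `setkey -DP` output and
# decide whether the SPD still holds policies, e.g. after `dpkg -r ipsec-tools`.

# Constructed sample, modelled on the `setkey -DP` output in the thread.
SAMPLE_SPD='192.0.2.1[any] 192.0.2.2[any] any
        out ipsec
        esp/transport//require
        created: Feb 26 10:29:29 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=513 seq=0 pid=4682
        refcnt=1
192.0.2.2[any] 192.0.2.1[any] any
        in ipsec
        esp/transport//require
        created: Feb 26 10:29:29 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=506 seq=1 pid=4682
        refcnt=1'

# Read a `setkey -DP` dump on stdin and print one line per policy:
#   <src> <dst> <proto> <direction> <policy> <spid>
# An entry starts on a non-indented "src[port] dst[port] proto" line; the
# indented lines that follow belong to it until the next non-indented line.
spd_entries() {
    awk '
        # Assumed: setkey prints this single line when the SPD is empty.
        /^No SPD entries/ { next }
        /^[^[:space:]]/ {
            if (src != "") print src, dst, proto, dir, pol, spid
            src = $1; dst = $2; proto = $3; dir = ""; pol = ""; spid = ""
        }
        /^[[:space:]]+(in|out|fwd)[[:space:]]/ { dir = $1 }
        /^[[:space:]]+(esp|ah|ipcomp)\//    { pol = $1 }
        /^[[:space:]]+spid=/ { sub(/^[[:space:]]+spid=/, ""); spid = $1 }
        END { if (src != "") print src, dst, proto, dir, pol, spid }
    '
}

# Number of policies in the dump read from stdin.
spd_count() {
    spd_entries | wc -l | tr -d ' '
}

# Exit status 0 when the dump on stdin contains no policies, 1 otherwise.
spd_is_empty() {
    [ "$(spd_count)" -eq 0 ]
}

# Stand-alone demo on the constructed sample; on a real host replace the
# printf with `setkey -DP` (run as root) to check the live SPD.
printf '%s\n' "$SAMPLE_SPD" | spd_entries
if printf '%s\n' "$SAMPLE_SPD" | spd_is_empty; then
    echo "SPD is empty"
else
    echo "SPD still holds $(printf '%s\n' "$SAMPLE_SPD" | spd_count) policies"
fi
```

To reproduce the thread's removal test on a lenny host, run `setkey -DP | spd_is_empty` before and after `dpkg -r racoon ipsec-tools`; a non-zero exit after removal means the policies survived, which is exactly the "connect: No such process" ping failure shown above (a `require` policy with no SA to satisfy it). `setkey -FP` flushes the SPD by hand if nothing in the maintainer scripts does.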