On 02/25/10 20:45, Stefan Bauer wrote:
> On 25.02.2010 18:02, Jan Sievers wrote:
>> In your sample session you removed together with ipsec-tools also
>> racoon, which calls setkey to flush SP database, if and only if, you
>> have configured it to use racoon-tool.
>
> Again, I was just trying to reproduce this. If I do a
> dpkg-reconfigure racoon and select "direct", which is already the
> default, and purge afterwards the ipsec-tools and racoon, the SA/SP
> database is flushed.

OK. First of all, you do not have to install racoon; you could just use
ipsec-tools without ISAKMP. Just to mention it.

> How did you come to the conclusion that it does not flush? Mind
> providing your apt-get/aptitude remove output?

As you see, I use dpkg directly, since I only have lenny machines around
here. And I have to say that I even built the package on the lenny
machine without having the newest debhelper library.

But using racoon in direct mode, I get the following on removal:

r...@host: dpkg -i ipsec-tools_0.7.3-1_i386.deb racoon_0.7.3-1_i386.deb
Selecting previously deselected package ipsec-tools.
(Reading database ... 50663 files and directories currently installed.)
Unpacking ipsec-tools (from ipsec-tools_0.7.3-1_i386.deb) ...
Selecting previously deselected package racoon.
Unpacking racoon (from racoon_0.7.3-1_i386.deb) ...
Setting up ipsec-tools (1:0.7.3-1) ...
Processing triggers for man-db ...
Setting up racoon (1:0.7.3-1) ...
Starting IKE (ISAKMP/Oakley) server: racoon.

r...@host: cat /etc/ipsec-tools.conf
#!/usr/sbin/setkey -f
# NOTE: Do not use this file if you use racoon with racoon-tool
# utility. racoon-tool will setup SAs and SPDs automatically using
# /etc/racoon/racoon-tool.conf configuration.
#
## Flush the SAD and SPD
#
flush;
spdflush;

spdadd 192.0.2.1 192.0.2.2 any -P out ipsec esp/transport//require;

r...@host: /etc/init.d/setkey start
Loading IPsec SA/SP database from /etc/ipsec-tools.conf: done.

r...@host: setkey -DP
192.0.2.1[any] 192.0.2.2[any] any
	out ipsec
	esp/transport//require
	created: Feb 26 10:29:29 2010  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=513 seq=0 pid=4682
	refcnt=1

r...@host: grep CONFIG_MODE /etc/default/racoon
CONFIG_MODE="direct"

r...@host: dpkg -r racoon ipsec-tools
(Reading database ... 50733 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Removing ipsec-tools ...
Processing triggers for man-db ...

r...@host: ping 192.0.2.2
connect: No such process

As you see, the SP database is still not empty. The ping fails.

And with purge I get:

r...@host: dpkg -i ipsec-tools_0.7.3-1_i386.deb racoon_0.7.3-1_i386.deb
Selecting previously deselected package ipsec-tools.
(Reading database ... 50654 files and directories currently installed.)
Unpacking ipsec-tools (from ipsec-tools_0.7.3-1_i386.deb) ...
Selecting previously deselected package racoon.
Unpacking racoon (from racoon_0.7.3-1_i386.deb) ...
Setting up ipsec-tools (1:0.7.3-1) ...
Processing triggers for man-db ...
Setting up racoon (1:0.7.3-1) ...
Generating /etc/default/racoon...
Starting IKE (ISAKMP/Oakley) server: racoon.

r...@host: /etc/init.d/setkey start
Loading IPsec SA/SP database from /etc/ipsec-tools.conf: done.

r...@host: dpkg --purge racoon ipsec-tools
(Reading database ... 50733 files and directories currently installed.)
Removing racoon ...
Stopping IKE (ISAKMP/Oakley) server: racoon.
Purging configuration files for racoon ...
dpkg - warning: while removing racoon, directory `/var/lib/racoon' not empty so not removed.
Removing ipsec-tools ...
Purging configuration files for ipsec-tools ...
Processing triggers for man-db ...

> Right now, I just don't get why it doesn't work in your case.

And I don't get how it could possibly work :-)

Who is calling the setkey init-script on removal or purge? Am I missing
something?

Thanks,
Jan

--
Jan Sievers | Freie Universität Berlin | siev...@zedat.fu-berlin.de
Zentraleinrichtung für Datenverarbeitung | http://www.zedat.fu-berlin.de
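Added example (editor's note, not part of the bug report and not code from the ipsec-tools or racoon packages): the transcript above only shows the leftover policy indirectly, through the failing ping, because once ipsec-tools is removed the setkey binary is gone too. The script below makes the check explicit. It reads the text of `setkey -DP` (captured before the removal, or from a backup copy of the binary) and lists the policies that are still loaded, counting the ones at level "require": with the SAD empty and no IKE daemon left to negotiate SAs, matching traffic is refused by the kernel, which is the "connect: No such process" the ping runs into, whereas a "use" level policy would let the packets pass in the clear. The sample input is constructed to match the 0.7.3 output format shown in the mail; the inbound "use" policy in it is hypothetical, and the function names are my own.

```shell
#!/bin/sh
# Added example: report IPsec policies left in the kernel SPD after the
# packages were removed, based on the text of `setkey -DP`.

# Constructed sample in the format of setkey 0.7.3's `setkey -DP`: the
# outbound "require" policy from the transcript, plus a hypothetical
# inbound "use" policy, which would not block anything.
SAMPLE_SPD='192.0.2.1[any] 192.0.2.2[any] any
        out ipsec
        esp/transport//require
        created: Feb 26 10:29:29 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=513 seq=0 pid=4682
        refcnt=1
192.0.2.2[any] 192.0.2.1[any] any
        in ipsec
        esp/transport//use
        created: Feb 26 10:29:29 2010  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=506 seq=1 pid=4682
        refcnt=1
'

# spd_policies: read `setkey -DP` output on stdin and print one line per
# policy: "<spid> <src> <dst> <direction> <proto>/<mode>/<endpoints>/<level>"
spd_policies() {
    awk '
        /^[^ \t]/                      { src = $1; dst = $2; next }  # selector line
        /^[ \t]+(in|out|fwd)([ \t]|$)/ { dir = $1; next }            # direction line
        /^[ \t]+(esp|ah|ipcomp)\//     { rule = $1; next }           # ipsec request
        /^[ \t]+spid=/                 { split($1, kv, "="); print kv[2], src, dst, dir, rule }
    '
}

# spd_require_count: number of leftover policies at level "require", i.e.
# the ones that make traffic fail instead of falling back to cleartext.
spd_require_count() {
    spd_policies | awk '$5 ~ /\/require$/ { n++ } END { print n + 0 }'
}

# spd_check: return 0 if the SPD is empty, otherwise print the leftovers
# and return 1 so the caller knows a flush is still needed.
spd_check() {
    leftover=$(spd_policies)
    if [ -z "$leftover" ]; then
        echo "SPD is empty"
        return 0
    fi
    echo "leftover policies (spid src dst dir rule):"
    echo "$leftover"
    echo "require-level policies: $(printf '%s\n' "$leftover" | awk '$5 ~ /\/require$/ { n++ } END { print n + 0 }')"
    return 1
}

# Usage on a live host: `setkey -DP | spd_check`. Here, on the sample:
if printf '%s' "$SAMPLE_SPD" | spd_check; then
    echo "nothing to flush"
else
    echo "flush needed: setkey -FP (SPD) and setkey -F (SAD), which is what"
    echo "the flush; / spdflush; lines in /etc/ipsec-tools.conf do"
fi
```

On a host where setkey has already been removed, the same policies can still be seen with `ip xfrm policy` from iproute2, since the SPD lives in the kernel and not in the package.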