Hello @misc,

I use a CARPed pair of 6.2 gateways as vpn access nodes, running "plain" ISAKMPD/ipsec.

The peering VPN gateways are of different brands, from OpenBSD, Linux and Cisco to WatchGuard appliances, etc.

Interoperability mostly works like a charm and is a no-brainer in most cases.

I only have access to the OpenBSD peering gateways; most of the other brands belong to partners/customers.

Sometimes I initially have problems with some of these peering boxes and only partial tunnels come up (only phase 1 or, worse, only part of phase 1).

Then I check the logs and, if I got wrong credentials or parameters from the peering partner, I change the configs on my side. That usually takes much less time than discussing it with the technicians of the peering partners; their problems have to be solved by them by clicking somewhere in a web interface *sigh*.

Ok, back to _my_ problem:

If an IPsec tunnel is running with phase 1 and 2, I can stop it with
"ipsecctl -d -f <configfile>". Works.

If the IPsec tunnel is only partially working, I can delete it by using the fifo mechanism. Sometimes.

(I got the tips from this 2013 undeadly.org article:
Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway
https://undeadly.org/cgi?action=article&sid=20131125041429)

But I always have problems if only part of phase 1 came up.

1.) sh -c "echo S > /var/run/isakmpd.fifo"

2.) less /var/run/isakmpd.result
...
SA name: <unnamed> (Phase 1/Responder)
src: <my_gateway_ip> dst: <peering_gateway_ip>
Flags 0x00000000
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
...


Feeding the fifo with
sh -c "echo 't <SA-name-of-connection>' > /var/run/isakmpd.fifo"
only deletes phase 2.

But I don't have an SA name at that point... ??

Question to the community: how is it possible to reliably stop partial tunnels without restarting isakmpd/ipsec (i.e. disturbing all other running tunnels)?

I'm clueless....

Best regards
Andre
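As an added example (not from Andre's post and not part of isakmpd), a small Python parser for the isakmpd.result layout quoted above. It assumes every SA block in the report follows the four-line shape shown in the post (SA name, src/dst, Flags, icookie/rcookie) and flags the Phase 1 SAs that report as <unnamed>, i.e. exactly the ones for which the `t <SA-name>` fifo command has no name to work with. The sample report, the addresses and the named SA `peer-a` are constructed; the cookies of the unnamed SA are the ones quoted in the post.

```python
import re
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the shape of /var/run/isakmpd.result after
# "echo S > /var/run/isakmpd.fifo". Names and addresses are made up.
SAMPLE_REPORT = """\
SA name: peer-a (Phase 1/Initiator)
src: 192.0.2.1 dst: 198.51.100.7
Flags 0x00000001
icookie 0123456789abcdef rcookie fedcba9876543210

SA name: <unnamed> (Phase 1/Responder)
src: 192.0.2.1 dst: 203.0.113.9
Flags 0x00000000
icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec
"""

# Assumed line formats, derived from the excerpt in the post.
SA_RE = re.compile(r"^SA name: (?P<name>\S+) \(Phase (?P<phase>[12])(?:/(?P<role>\w+))?\)$")
ADDR_RE = re.compile(r"^src: (?P<src>\S+) dst: (?P<dst>\S+)$")
FLAGS_RE = re.compile(r"^Flags (?P<flags>0x[0-9a-fA-F]+)$")
COOKIE_RE = re.compile(r"^icookie (?P<icookie>[0-9a-f]{16}) rcookie (?P<rcookie>[0-9a-f]{16})$")


@dataclass
class SaEntry:
    name: Optional[str]          # None when the report prints "<unnamed>"
    phase: int                   # 1 = ISAKMP SA, 2 = IPsec SA
    role: Optional[str]          # "Initiator" / "Responder" for Phase 1
    src: str = ""
    dst: str = ""
    flags: int = 0
    icookie: str = ""
    rcookie: str = ""

    @property
    def teardown_command(self) -> Optional[str]:
        """The fifo command used in the post for a named SA; None if the SA
        carries no name, which is the situation the post describes."""
        return f"t {self.name}" if self.name else None


def parse_report(text: str) -> List[SaEntry]:
    """Parse the SA blocks of an isakmpd report into SaEntry records."""
    entries: List[SaEntry] = []
    current: Optional[SaEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_RE.match(line)
        if m:
            name = None if m.group("name") == "<unnamed>" else m.group("name")
            current = SaEntry(name=name, phase=int(m.group("phase")), role=m.group("role"))
            entries.append(current)
            continue
        if current is None:
            continue  # header or noise before the first SA block
        if (m := ADDR_RE.match(line)):
            current.src, current.dst = m.group("src"), m.group("dst")
        elif (m := FLAGS_RE.match(line)):
            current.flags = int(m.group("flags"), 16)
        elif (m := COOKIE_RE.match(line)):
            current.icookie, current.rcookie = m.group("icookie"), m.group("rcookie")
    return entries


def unnamed_phase1(entries: List[SaEntry], peer: Optional[str] = None) -> List[SaEntry]:
    """Phase 1 SAs without a name (optionally restricted to one peer address);
    these cannot be addressed with 't <name>' and only their cookies identify them."""
    return [e for e in entries
            if e.phase == 1 and e.name is None and (peer is None or e.dst == peer)]


def request_report(fifo="/var/run/isakmpd.fifo", result="/var/run/isakmpd.result",
                   settle=0.5) -> List[SaEntry]:
    """On the gateway itself: send 'S' to the fifo (the step from the post) and
    parse the result file. Assumes isakmpd has finished writing after `settle` s."""
    with open(fifo, "w") as f:
        f.write("S\n")
    time.sleep(settle)
    with open(result) as f:
        return parse_report(f.read())


if __name__ == "__main__":
    for e in parse_report(SAMPLE_REPORT):
        print(f"phase {e.phase} {e.role or ''} {e.src}->{e.dst} "
              f"name={e.name or '<unnamed>'} cookies={e.icookie}/{e.rcookie} "
              f"teardown={e.teardown_command}")
```

Run against a live gateway with `request_report()` instead of the constructed sample; the entries returned by `unnamed_phase1()` are the half-built Phase 1 SAs the post is asking about, and the parser keeps their cookie pair, which is the only identifier the report gives them.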