Hello Philipp, sorry for the late answer....
Thanks for the hint with the cookies. Works in my environment.... I'm much happier now ;-) Best regards Andre Am 15.05.18 um 05:15 schrieb Philipp Buehler:
Hello Andre, Am 14.05.2018 13:38 schrieb Andre Ruppert:I got the tips from this 2013 undeadly.org article: Managing Individual IPsec Tunnels On A Multi-Tunnel Gateway https://undeadly.org/cgi?action=article&sid=20131125041429Apparently I wrote that article, and I feel your pain :-)2.) less /var/run/isakmpd.result ... SA name: <unnamed> (Phase 1/Responder) src: <my_gateway_ip> dst: <peering_gateway_ip> Flags 0x00000000 icookie 9f5bf7497f0ebe10 rcookie 8a6c7b1b1f5923ec ... Feeding the fifo with sh -c "echo 't <SA-name-of-connection>' > /var/run/isakmpd.fifo" only deletes phase 2. But I didn't have an SA name at this time... ??The problem here is you only have an 'unnamed' SA, indeed; but you have cookies.. What you can do - found that a bit later after the undeadly article: echo 'd 9f5bf7497f0ebe108a6c7b1b1f5923ec -' > isakmpd.fifo which is "d $icookie$rcookie -" (no space between the cookie values). If I am changing a peer configuration, I also block 500/udp for the time being to avoid these 'Responder' SAs altogether. Think along pf.conf:pass in proto udp from <vpn_peers> to $myself port 500 pfctl -T delete -t vpn_peers $thatpeer pfctl -k $thatpeer ipsecctl -d -f $thatpeer.conf vi $thatpeer.conf ipsecctl -f $thatpeer.conf pfctl -T add -t vpn_peers $thatpeer HTH,
smime.p7s
Description: S/MIME Cryptographic Signature