Re: Deleting SAs with ipsecctl
On Thu, Apr 12 2007 at 19:14, Martin Hedenfalk wrote:

> Hello misc,

Hello,

> I'm trying to delete individual tunnels with ipsecctl:
> This is on the 4.1 snapshots from April 6.
> [...]
> Then I try to delete the SAs:
>
> # ipsecctl -ss
> esp tunnel from 192.168.5.5 to 192.168.5.12 spi 0x17661dae auth hmac-sha2-256 enc aes
> esp tunnel from 192.168.5.12 to 192.168.5.5 spi 0x268063a2 auth hmac-sha2-256 enc aes
> # ipsecctl -ss | ipsecctl -d -f-
> stdin: 1: no authentication key specified
> stdin: 2: no authentication key specified
> ipsecctl: Syntax error in config file: ipsec rules not loaded
>
> What authentication key is needed? How can I remove a specific SA?

Starting from 4.1, ipsecctl no longer shows the SA keys with 'ipsecctl -s sa'.
To show them, there is a new -k flag.

> I should add that this is on a passive IPsec aggregator with many
> dynamic tunnels from road warrior type peers.

I didn't try road warriors yet. What client software do you use?

Claer
Re: Deleting SAs with ipsecctl
On 4/13/07, Claer [EMAIL PROTECTED] wrote:

> On Thu, Apr 12 2007 at 19:14, Martin Hedenfalk wrote:
>
>> Hello misc,
>
> Hello,
>
>> I'm trying to delete individual tunnels with ipsecctl:
>> This is on the 4.1 snapshots from April 6.
>> [...]
>> Then I try to delete the SAs:
>>
>> # ipsecctl -ss
>> esp tunnel from 192.168.5.5 to 192.168.5.12 spi 0x17661dae auth hmac-sha2-256 enc aes
>> esp tunnel from 192.168.5.12 to 192.168.5.5 spi 0x268063a2 auth hmac-sha2-256 enc aes
>> # ipsecctl -ss | ipsecctl -d -f-
>> stdin: 1: no authentication key specified
>> stdin: 2: no authentication key specified
>> ipsecctl: Syntax error in config file: ipsec rules not loaded
>>
>> What authentication key is needed? How can I remove a specific SA?
>
> Starting from 4.1, ipsecctl no longer shows the SA keys with 'ipsecctl -s sa'.
> To show them, there is a new -k flag.

Of course. And it's nicely documented too. Thank you!

>> I should add that this is on a passive IPsec aggregator with many
>> dynamic tunnels from road warrior type peers.
>
> I didn't try road warriors yet. What client software do you use?

Clients run OpenBSD / isakmpd too, with x509 certs and pre-allocated tunneled networks.

-martin
Deleting SAs with ipsecctl
Hello misc,

I'm trying to delete individual tunnels with ipsecctl:
This is on the 4.1 snapshots from April 6.

# uname -a
OpenBSD localhost 4.1 GENERIC#1466 i386

First I delete the flows:

# ipsecctl -sf
flow esp in from 10.0.0.0/29 to 0.0.0.0/0 peer 192.168.5.12 srcid [EMAIL PROTECTED] dstid test type use
flow esp out from 0.0.0.0/0 to 10.0.0.0/29 peer 192.168.5.12 srcid [EMAIL PROTECTED] dstid test type require
# ipsecctl -sf | ipsecctl -d -f-
# ipsecctl -sf

That works fine. Then I try to delete the SAs:

# ipsecctl -ss
esp tunnel from 192.168.5.5 to 192.168.5.12 spi 0x17661dae auth hmac-sha2-256 enc aes
esp tunnel from 192.168.5.12 to 192.168.5.5 spi 0x268063a2 auth hmac-sha2-256 enc aes
# ipsecctl -ss | ipsecctl -d -f-
stdin: 1: no authentication key specified
stdin: 2: no authentication key specified
ipsecctl: Syntax error in config file: ipsec rules not loaded
#

What authentication key is needed? How can I remove a specific SA?

I should add that this is on a passive IPsec aggregator with many dynamic tunnels from road warrior type peers.

-martin
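The thread answers the parse error (the SA listing needs the keys, which only `-k` prints) but not the second question, how to delete one peer's SAs rather than all of them. The script below is an added example, not code from the thread or from OpenBSD: it filters the key-bearing SA listing down to the lines for one peer address or one SPI and feeds only those to `ipsecctl -d`, after checking that every selected line actually carries `authkey`/`enckey`, which is exactly what the `ipsecctl -ss` pipeline in the question was missing. Assumptions, all mine: the `-k` and `-s sa` flags are combined as `ipsecctl -k -s sa` (the `-sk` spelling would be read as a modifier `k` to `-s`); `-f -` reads stdin, matching the `-f-` used in the thread; the one-SA-per-line field layout is the one shown in the thread with `authkey`/`enckey` appended; and the sample listing, including the third SA and all key material, is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): delete only the SAs belonging to one
# peer or one SPI, using the keyed listing that "ipsecctl -k -s sa" prints.
# Field layout assumed from the thread's output, with authkey/enckey appended.

# Constructed sample of "ipsecctl -k -s sa" output. Keys are dummy hex and the
# third SA (peer 192.168.5.13) was invented to show that filtering leaves it.
SAMPLE_SA_LIST='esp tunnel from 192.168.5.5 to 192.168.5.12 spi 0x17661dae auth hmac-sha2-256 enc aes authkey 0x1111111111111111111111111111111111111111111111111111111111111111 enckey 0x22222222222222222222222222222222
esp tunnel from 192.168.5.12 to 192.168.5.5 spi 0x268063a2 auth hmac-sha2-256 enc aes authkey 0x3333333333333333333333333333333333333333333333333333333333333333 enckey 0x44444444444444444444444444444444
esp tunnel from 192.168.5.5 to 192.168.5.13 spi 0x0a0b0c0d auth hmac-sha2-256 enc aes authkey 0x5555555555555555555555555555555555555555555555555555555555555555 enckey 0x66666666666666666666666666666666'

# What "ipsecctl -ss" (no -k) prints: no keys, so "ipsecctl -d" cannot load it.
SAMPLE_SA_LIST_NOKEYS='esp tunnel from 192.168.5.5 to 192.168.5.12 spi 0x17661dae auth hmac-sha2-256 enc aes'

# Fields: 1=esp 2=tunnel 3=from 4=SRC 5=to 6=DST 7=spi 8=SPI 9=auth ...

# Keep the SAs where PEER is either endpoint, i.e. both directions of a tunnel.
select_sa_by_peer() {
    awk -v p="$1" '$4 == p || $6 == p'
}

# Keep the single SA carrying this SPI (one direction only).
select_sa_by_spi() {
    awk -v s="$1" '$8 == s'
}

# Fail unless every line carries key material. A listing taken without -k
# would otherwise produce the "no authentication key specified" error.
require_keys() {
    awk '!/ authkey 0x/ || !/ enckey 0x/ { bad = 1 } END { exit bad }'
}

count_lines() {
    awk 'END { print NR }'
}

# Real use on the aggregator. Delete the peer's flows first, as the thread
# does, so nothing keeps selecting the SAs you are about to remove. The keyed
# listing is held only in a shell variable and never written to a file or log.
delete_sas_for_peer() {
    sas=$(ipsecctl -k -s sa | select_sa_by_peer "$1") || return 1
    [ -n "$sas" ] || { echo "no SAs for peer $1" >&2; return 1; }
    printf '%s\n' "$sas" | require_keys || {
        echo "refusing: SA listing has no keys (was -k given?)" >&2; return 1; }
    printf '%s\n' "$sas" | ipsecctl -d -f -
}

# Demo on the constructed sample, no ipsecctl needed. The cut drops the key
# fields so that nothing secret reaches the terminal.
printf '%s\n' "$SAMPLE_SA_LIST" | select_sa_by_peer 192.168.5.12 | cut -d' ' -f1-11
```

Run it as `sh` to see the two SAs for 192.168.5.12 selected while the 192.168.5.13 SA stays; on the aggregator itself, `delete_sas_for_peer 192.168.5.12` (as root, after the peer's flows are gone) is the one-liner the question asked for.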