Greetings,
I have an isakmpd process that's not letting go of old SADs. While it
doesn't seem to be causing issues with the tunnels, it is causing higher
than normal system utilization. It seems to be occurring on the tunnels
which have multiple subnets defined (e.g. VPNA and VPNB, but not VPNC).
Any insight would be appreciated.
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      24     312    2184
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      32     416    2890
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      36     468    3258
fw1$ sudo ipsecctl -sa |grep tunnel |wc
      58     754    5212
kern.version=OpenBSD 4.0-stable (GENERIC) #6: Fri Apr 13 07:23:48 EDT 2007
/var/log/messages:
May 14 06:19:06 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:19:21 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:20:40 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:36:16 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:38:45 fw1 last message repeated 4 times
May 14 06:56:27 fw1 last message repeated 6 times
/etc/ipsec.conf:
# VPNA from Here to ThereA PIX
ike esp from { 10.1.0.0/16 , 10.5.0.0/24 } to 10.99.10.192/28 \
peer 192.168.40.17 \
local 192.168.3.4 \
main auth hmac-md5 enc aes group modp1024 \
quick auth hmac-md5 enc aes \
psk stupidkeyA
# VPNB from Here to ThereB OBSD
ike esp from { 10.1.0.0/26, 10.5.0.0/24 } to { 10.224.0.0/24, 10.99.10.208/28 } \
peer 192.168.40.19 \
local 192.168.3.4 \
psk stupidkeyB
# VPNC from Here to ThereC PIX
ike esp from 10.1.0.0/16 to 10.0.0.0/16 \
peer 192.168.95.80 \
local 192.168.3.4 \
main auth hmac-md5 enc des \
quick auth hmac-md5 enc des \
psk stupidkeyC
-Steve S.
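An added example, not part of Steve's post, for anyone monitoring a gateway for the same symptom: it counts the isakmpd ADDFLOW errors in a /var/log/messages excerpt, undoing syslogd's "last message repeated N times" compression (a plain grep | wc undercounts them), and flags a steadily growing SA count from a series of `ipsecctl -sa | grep tunnel | wc -l` samples. The log text and sample counts are constructed from the values in the post.

```python
import re
from collections import Counter

# Constructed sample log, shaped like the /var/log/messages excerpt above.
SAMPLE_LOG = """\
May 14 06:19:06 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:19:21 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:20:40 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:36:16 fw1 isakmpd[3337]: pf_key_v2_flow: ADDFLOW: File exists
May 14 06:38:45 fw1 last message repeated 4 times
May 14 06:56:27 fw1 last message repeated 6 times
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")
PROC_RE = re.compile(r"^(?P<proc>\S+?)\[(?P<pid>\d+)\]: (?P<body>.*)$")
ADDFLOW_ERR = "pf_key_v2_flow: ADDFLOW: File exists"

def expand_repeats(lines):
    """Yield (timestamp, message), expanding syslogd repeat compression.

    'last message repeated N times' stands for N more copies of the
    previous message, so each such line is replayed N times here."""
    last = None
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        r = REPEAT_RE.match(msg)
        if r and last is not None:
            for _ in range(int(r.group("n"))):
                yield ts, last
        else:
            last = msg
            yield ts, msg

def addflow_errors(log_text):
    """Count ADDFLOW 'File exists' errors per isakmpd pid, repeats included."""
    per_pid = Counter()
    for _ts, msg in expand_repeats(log_text.splitlines()):
        m = PROC_RE.match(msg)
        if m and m.group("proc") == "isakmpd" and m.group("body") == ADDFLOW_ERR:
            per_pid[int(m.group("pid"))] += 1
    return dict(per_pid)

def sa_leak_suspected(counts, min_samples=3):
    """True when successive SA counts only ever grow: SAs are added but never freed."""
    return len(counts) >= min_samples and all(b > a for a, b in zip(counts, counts[1:]))
```

With the post's figures this reports 14 ADDFLOW errors for pid 3337 in about 37 minutes, and the tunnel counts 24, 32, 36, 58 are flagged as a suspected leak.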