Hi List, I'm trying to delete a specific flow from the SAD using ipsecctl. I've read about the -d option and the -k option needed when deleting flows. I've tried following the instructions in http://readlist.com/lists/openbsd.org/misc/12/60081.html but I still seem to be missing something. I first tried to delete the flow:
# ipsecctl -sf | grep 192.168.113.0/24 | ipsecctl -d -f-
stdin: 1: syntax error
stdin: 2: syntax error
ipsecctl: Syntax error in config file: ipsec rules not loaded

Which makes sense, because that output is not valid ipsec.conf(5) syntax. Do I need to create a file with the exact ipsec.conf(5) syntax of the flow I want to delete? I'm dealing with these kinds of entries in ipsec.conf:

ike esp from 192.168.xxx.0/24 to 192.168.113.0/24 peer nnn.nnn.nnn.nnn \
    main auth hmac-sha1 enc aes group modp1024 \
    quick auth hmac-sha1 enc aes group modp1024 \
    psk "mytopsecretpresharedkey" tag "my-connection"

The background of this post is that I'm in the process of migrating a number of VPNs to new DSL connections. This means the IPsec peer changes but the other flow data does not. This seems to confuse ipsecctl: while the IP address is indeed changed in ipsec.conf, reloaded with "ipsecctl -f /etc/ipsec.conf", and a check with "ipsecctl -v -v -f /etc/ipsec.conf" confirms ipsecctl is using the new IP address, the old flow and old peer address still stick around in the SAD. In the past ipsecctl would establish the new flow correctly when the tag was changed along with the peer address, but I've had no such luck this time. I'm using OpenBSD 4.2, by the way.

Kind regards,
--
Michiel van der Kraats
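The approach the post is asking about, written out as an added example (this is not code from the original post or from OpenBSD; it is a small sh script assuming a plain "esp" flow with no explicit direction, the placeholder networks 192.168.1.0/24, 192.168.113.0/24 and peer 203.0.113.1, and that "ipsecctl -f -" reads its rule set from stdin, as the "stdin:" error messages in the post suggest): instead of feeding the "ipsecctl -sf" listing back in, the script builds the flow rule in ipsec.conf(5) syntax, syntax-checks it with -n, and only then hands it to "ipsecctl -d -f -" for deletion.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenBSD.
# Builds an ipsec.conf(5)-style flow rule for one src/dst/peer triple and
# passes it to ipsecctl(8) for deletion.
# Assumptions: the flow was installed as an "esp" flow without an explicit
# direction, and "ipsecctl -f -" reads the rule set from stdin.

# Print the rule that describes the flow to delete.
# Usage: flow_rule SRC_NET DST_NET PEER
flow_rule() {
    printf 'flow esp from %s to %s peer %s\n' "$1" "$2" "$3"
}

# Syntax-check the rule first (-n loads nothing), then delete it (-d).
# Returns 1 if either ipsecctl step fails, and 2 (after printing the rule
# it would have used) when ipsecctl is not installed on this host.
delete_flow() {
    if ! command -v ipsecctl >/dev/null 2>&1; then
        echo "ipsecctl not found; rule would have been:" >&2
        flow_rule "$@" >&2
        return 2
    fi
    flow_rule "$@" | ipsecctl -n -f - || return 1
    flow_rule "$@" | ipsecctl -d -f - || return 1
}

# Constructed example: drop the stale flow toward 192.168.113.0/24 that still
# points at the old peer, then list what is left.
# delete_flow 192.168.1.0/24 192.168.113.0/24 203.0.113.1 && ipsecctl -sf
```

The rule has to describe the flow exactly as it was installed (source, destination, and the old peer address), since ipsecctl deletes only what matches; running "ipsecctl -sf" afterwards confirms whether the stale entry is gone. For flows installed with an explicit "in" or "out", the direction would have to be added to the generated rule.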

