Hi Indira,

> I configured ipsec tunnel between (H1 and H2) using ikev2 template. And
> when I send some traffic, the IPSec-SAs are getting established without
> any issues.
> But when I issue "setkey -F" on the local node (H1), the remote node(H2)
> SADs are not getting flushed.
> There is no delete message sent to the remote end(H2) from H1.

First let me clarify that strongSwan assumes full control of the kernel's
SAD and SPD. There is support to give up some control of the SPD via the
reqid and installpolicy keywords, but apart from that strongSwan does not
expect external changes to either of these stores. Actually, due to the
fact that the IKEv1 and IKEv2 protocols are being handled by two separate
daemons, it would currently not be possible to do it otherwise.

Now, setkey is a tool completely unrelated to strongSwan (it's from the
ipsec-tools package, same as racoon). Since it modifies the kernel's SAD
and SPD directly (similar to iproute2 with 'ip xfrm'), strongSwan is simply
not aware of those changes.

> And after this when I send traffic from my local node(H1) to the remote
> node, a new ipsec-sa is established and there will be two SAD entries on
> host H1 but there are 4 SAD entries on H2.
>
> Is this correct behaviour?

This is correct. Since the policies are still installed, new acquires will
be triggered, which then cause strongSwan to initiate a new SA. Those
duplicates shouldn't cause any problems as the policies will correctly
point to the new SAs.

> Could you please help me in fixing this issue

The fix is to use 'ipsec down' to tear down SAs manually (see [1]).

Regards,
Tobias

[1] http://wiki.strongswan.org/projects/strongswan/wiki/IpsecCommand
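The situation Tobias describes, one SA pair on H1 but two pairs on H2 after the out-of-band flush, can be confirmed on each host by reading the kernel SAD with 'ip xfrm state' and counting SAs per direction. The script below is an added example written for this page; it is not strongSwan code and not part of the thread. It parses the 'src ... dst ...' / 'proto ... spi ... reqid ...' lines that 'ip xfrm state' prints, groups SAs by (src, dst, proto), and reports every direction that holds more than one SA, which is the stale-SA symptom from the question. The two SAD dumps embedded in it are constructed to mirror H1 and H2 from the thread (addresses 192.0.2.1/192.0.2.2, SPIs and reqid are made up); on a real host you would feed it the output of 'ip xfrm state' instead.

```python
"""Detect duplicate (stale) IPsec SAs per direction in `ip xfrm state` output.

Added example for this thread, not strongSwan code. The two dumps below are
CONSTRUCTED: H1 (where `setkey -F` ran) holds only the new SA pair, H2 still
holds the old pair next to the new one because no IKE delete was ever sent.
"""
import re
from collections import defaultdict

# `ip xfrm state` prints one "src A dst B" header per SA, followed by
# indented attribute lines; the first of those carries proto/spi/reqid.
SRC_DST_RE = re.compile(r"^src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^\s+proto (\w+) spi (0x[0-9a-fA-F]+)(?: reqid (\d+))?")

# Constructed sample modelled on H1 after the tunnel was re-initiated.
H1_XFRM_STATE = (
    "src 192.0.2.1 dst 192.0.2.2\n"
    "\tproto esp spi 0xc0a80003 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
    "src 192.0.2.2 dst 192.0.2.1\n"
    "\tproto esp spi 0xc0a80004 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
)

# Constructed sample modelled on H2: old pair (..01/..02) plus new pair (..03/..04).
H2_XFRM_STATE = (
    "src 192.0.2.1 dst 192.0.2.2\n"
    "\tproto esp spi 0xc0a80001 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
    "src 192.0.2.2 dst 192.0.2.1\n"
    "\tproto esp spi 0xc0a80002 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
    "src 192.0.2.1 dst 192.0.2.2\n"
    "\tproto esp spi 0xc0a80003 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
    "src 192.0.2.2 dst 192.0.2.1\n"
    "\tproto esp spi 0xc0a80004 reqid 1 mode tunnel\n"
    "\treplay-window 32 flag af-unspec\n"
)


def parse_xfrm_state(text):
    """Return a list of (src, dst, proto, spi, reqid) tuples, one per SA.

    Attribute lines other than the proto/spi line are ignored, so the
    parser copes with the key and replay lines a real dump contains.
    """
    sas = []
    current = None
    for line in text.splitlines():
        m = SRC_DST_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = PROTO_RE.match(line)
        if m and current is not None:
            proto, spi, reqid = m.group(1), int(m.group(2), 16), m.group(3)
            sas.append((current[0], current[1], proto,
                        spi, int(reqid) if reqid is not None else None))
            current = None  # one proto/spi line per SA header
    return sas


def find_duplicates(sas):
    """Group SAs by (src, dst, proto) and return only groups holding >1 SA.

    Two SAs for the same direction mean an older one was never deleted;
    per the thread, the policies point at the newest SA and the remedy is
    `ipsec down <conn>` on the strongSwan side, not `setkey -F`.
    """
    by_direction = defaultdict(list)
    for src, dst, proto, spi, _reqid in sas:
        by_direction[(src, dst, proto)].append(spi)
    return {k: v for k, v in by_direction.items() if len(v) > 1}


def report(text, host):
    """Human-readable summary for one host's SAD dump."""
    dups = find_duplicates(parse_xfrm_state(text))
    if not dups:
        return f"{host}: no duplicate SAs"
    lines = [f"{host}: {len(dups)} direction(s) with stale SAs"]
    for (src, dst, proto), spis in sorted(dups.items()):
        lines.append(f"  {src} -> {dst} {proto}: " + ", ".join(hex(s) for s in spis))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(H1_XFRM_STATE, "H1"))
    print(report(H2_XFRM_STATE, "H2"))
```

On a live system run it as `ip xfrm state | python3 check_sas.py` after replacing the constructed dumps with `sys.stdin.read()`; the script only reads the SAD and changes nothing, so it is safe to run on both peers before deciding which connection to take down with 'ipsec down'.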