
[Users] Re: [Design] Question: how to delete OE conn's?

From: D. Hugh Redelmeier (hugh_at_mimosa.com)
Date: Fri May 24 2002 - 01:28:37 CEST


| From: Hugh Daniel <hugh_at_road.toad.com>

| So I have various OE eroutes and maybe related conn's that I happen
| to want gone, how do I do this other than restarting the entire IPsec
| subsystem?

Michael gave the current answer. He also recognized that there could
be a better one: a new tool. I agree.

The current answer is not only crude, it is incomplete. In
particular, what you might wish to do is delete a %pass eroute
installed by Pluto. Just deleting it with a manual command will
confuse Pluto -- not a good idea. There is no way to tell Pluto to
get rid of a %pass and do nothing else.

Before we design a command, I'd like to step back and ask what tasks
are trying to be solved. We may find that different tasks suggest
different tools.

For example, in many cases what you want is to try the OE connection
again. Perhaps the best current way to do this is:
        ipsec whack --oppohere 1.2.3.4 --oppothere 5.6.7.8
Even if there is a %pass or IPsec SA's, this will try again. It
probably won't fix a broken ISAKMP SA. This reflects the fact that
this command was actually intended for a quite different purpose.

So what capability do we wish to have? For OE, probably a command
saying "this pair of IP addresses has a bunged up connection -- fix
it". Perhaps "I think that this pair of IP addresses has a bunged up
connection -- check and fix it." If we can do that, why not do
automatic monitoring? Well, the protocols don't lend themselves to
this. But there may be some 90% solutions. A big topic.

HD: can you explain why you wanted this capability? What was the
context of your request?

Hugh Redelmeier
hugh_at_mimosa.com voice: +1 416 482-8253
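As an added example (not code from the above message, nor a tool shipped with FreeS/WAN), here is a sketch of the kind of helper the thread is asking for: it parses an eroute listing, picks out the %pass (or other shunt) entries that Pluto has installed for a host-to-host pair, and prints the `ipsec whack --oppohere/--oppothere` invocation that re-attempts OE for that pair. It assumes the table layout of /proc/net/ipsec_eroute (`count src -> dst => target`), and the sample table, addresses and packet counts are constructed for the example. It only emits commands; nothing is executed, and the caveat above still applies: re-attempting OE will not repair a broken ISAKMP SA.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed sample of an eroute table in the layout FreeS/WAN exposes in
# /proc/net/ipsec_eroute (`ipsec eroute` prints the same table):
#   <packet count>  <src/prefix>  ->  <dst/prefix>  =>  <target>
# where target is a shunt (%pass, %hold, %trap, %drop) or an SA (tun0x...@gw).
# The layout, addresses and counts here are assumptions for this example.
SAMPLE_EROUTES = """\
0          10.1.2.3/32        -> 192.0.2.7/32       => %pass
12         10.1.2.3/32        -> 192.0.2.8/32       => tun0x1002@192.0.2.8
0          10.1.2.3/32        -> 192.0.2.9/32       => %hold
0          10.1.2.0/24        -> 0.0.0.0/0          => %trap
3          10.1.2.3/32        -> 198.51.100.4/32    => %pass
"""

EROUTE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)\s*$")


@dataclass(frozen=True)
class Eroute:
    count: int
    src: str      # CIDR, e.g. "10.1.2.3/32"
    dst: str
    target: str   # "%pass", "%hold", "%trap", "%drop" or "tun0x...@gateway"

    @property
    def is_shunt(self) -> bool:
        return self.target.startswith("%")


def parse_eroutes(text: str) -> List[Eroute]:
    """Parse an eroute listing; lines that do not match the layout are skipped."""
    out = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            out.append(Eroute(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def host_of(cidr: str) -> Optional[str]:
    """Return the address for a /32 entry, None for anything wider."""
    addr, _, prefix = cidr.partition("/")
    return addr if prefix == "32" else None


def retry_commands(eroutes: Sequence[Eroute], shunts=("%pass",)) -> List[str]:
    """whack invocations that re-attempt OE for each host-to-host shunt of the given kinds."""
    cmds = []
    for e in eroutes:
        if e.target not in shunts:
            continue
        here, there = host_of(e.src), host_of(e.dst)
        if here is None or there is None:
            continue   # --oppohere/--oppothere take single addresses, not subnets
        cmds.append(f"ipsec whack --oppohere {here} --oppothere {there}")
    return cmds


def unretryable_shunts(eroutes: Sequence[Eroute]) -> List[Eroute]:
    """Shunts that are not /32 -> /32 and so cannot be retried this way."""
    return [e for e in eroutes if e.is_shunt
            and (host_of(e.src) is None or host_of(e.dst) is None)]


if __name__ == "__main__":
    table = parse_eroutes(SAMPLE_EROUTES)
    for cmd in retry_commands(table):
        print(cmd)
    for e in unretryable_shunts(table):
        print(f"# needs manual attention: {e.src} -> {e.dst} => {e.target}")
```

On a live system the listing would be read from /proc/net/ipsec_eroute and the printed commands run as root while Pluto is up; %hold entries can be added to the `shunts` argument if they should be retried too. Wider shunts (the %trap for the whole /24 above) are reported rather than acted on, since a single --oppohere/--oppothere pair cannot address them.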

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:06 CEST