Re: [Users] why doesn't `ipsec auto --down <connection>` work?

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Thu Nov 28 2002 - 01:26:43 CET

• Next message: Jordan Share: "RE: [Users] Samba Authentication"
• Previous message: martin f krafft: "[Users] VPN between two dynamic IPs"
• In reply to: martin f krafft: "[Users] why doesn't `ipsec auto --down <connection>` work?"
• Next in thread: martin f krafft: "Re: [Users] why doesn't `ipsec auto --down <connection>` work?"
• Reply: martin f krafft: "Re: [Users] why doesn't `ipsec auto --down <connection>` work?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

-----BEGIN PGP SIGNED MESSAGE-----

On Thu, 28 Nov 2002, martin f krafft wrote:

> two machines, both are auto=add. i now start the connection by typing
>
> ipsec auto --up <connection>
>
> on one, and the SA is established. why does
>
> ipsec auto --down <connection>

- --down just takes the tunnel down. If you want to remove it so it never
comes back up, use --delete

>
> not take the SA down? sure, it terminates the SA:
>
> terminating SAs using connection
> deleting state (STATE_QUICK_I2)
> deleting state (STATE_MAIN_I4)
>
> but the next packet to cross the line causes the SA to be
> reestablished. this isn't too bad, but i am wondering how one can
> reset the relationship between two VPN hosts to before --up was issued
> (i.e. before phase 1 happened, right?), short of restarting pluto...
> --delete doesn't really do what i want ;^>.
>
> thanks,

The Notify/DeleteSA patches also come in handy here, for telling the other
end that you're going away, and to drop the tunnel on it's end.

- --
Ken Bantoft The Unoffical FreeS/WAN Site:
ken_at_freeswan.ca http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We
can also factor the number 15 with a dog trained to bark
three times." -- Robert Harley, 5/12/01, Sci.crypt
"It is dangerous to be right when the government is wrong."
                    -- Voltaire
"The obvious mathematical breakthrough would be development
of an easy way to factor large prime numbers."
                    -- Bill Gates from The Road Ahead, p265
"An essential element of freedom is the right to privacy,
a right that cannot be expected to stand against an
unremitting technological attack." -- Whitfield Diffie
"Anyone who considers arithmetical methods of producing
random digits is, of course, in a state of sin."
                    -- John Von Neumann, 1951
"Random numbers should not be generated with a method
chosen at random." -- Donald Knuth,

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBPeVixViWUusaxGxpAQFwdAQAvpMGE6MeEX384wB2/b8Z1XT1NiOgaxXr
YO6zD3494xu9CdTkUrNKwKG8cVPDFg/bFECdyUHi3uyluIxn5UEwhbvxj4/+n5YE
p0F2BAc6T/sR8h+GTAjb7a9/wbktho6q07RlejtKAuzrZ98GIR3YOO6c/WUhoRmP
53Knv7MyJVU=
=icqp
-----END PGP SIGNATURE-----

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users

• Next message: Jordan Share: "RE: [Users] Samba Authentication"
• Previous message: martin f krafft: "[Users] VPN between two dynamic IPs"
• In reply to: martin f krafft: "[Users] why doesn't `ipsec auto --down <connection>` work?"
• Next in thread: martin f krafft: "Re: [Users] why doesn't `ipsec auto --down <connection>` work?"
• Reply: martin f krafft: "Re: [Users] why doesn't `ipsec auto --down <connection>` work?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.5 : Fri Nov 29 2002 - 05:21:11 CET