Bug #2719

closed

Deleting IPsec tunnel does not remove SPDs

Added by Jim Pingle over 11 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: IPsec
Target version:
Start date: 12/13/2012
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: 2.1
Affected Architecture: All

Description

When you remove an IPsec tunnel, Phase 1 or Phase 2, its SPDs are left active.

Thus, if you are moving from IPsec to something else, you have to manually clear the associated SPDs for traffic to flow again, or restart racoon/flush via setkey.

Logically it seems like this should result in:
  • When removing a Phase 2, if the Phase 2 was enabled, the SPD entries matching that Phase 2 should be removed.
  • When removing a Phase 1, all SPDs matching its former enabled Phase 2 entries should be removed.

#1 Updated by Anonymous about 11 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
#2 Updated by Anonymous about 11 years ago

#3 Updated by Renato Botelho about 11 years ago

  • Status changed from Feedback to Resolved
#4 Updated by Grischa Zengel over 10 years ago

The problem still exists.

After deleting IPsec tunnels, routing didn't work for these subnets.
I first deleted phase 2 and then phase 1, and routing over OpenVPN didn't work until a reboot.

#5 Updated by Renato Botelho over 10 years ago

  • Status changed from Resolved to New
#6 Updated by Renato Botelho over 10 years ago

  • Status changed from New to Feedback

Grischa Zengel wrote:

The problem still exists.

After deleting IPsec tunnels, routing didn't work for these subnets.
I first deleted phase 2 and then phase 1, and routing over OpenVPN didn't work until a reboot.

When you delete the IPsec tunnel, did you check and confirm that the SPD is still there?

#7 Updated by Grischa Zengel over 10 years ago

I didn't check whether the SPDs were still there, but I came to that conclusion.
From both sides I could ping both ends of the OpenVPN gateways, because I didn't use these IPs in phase 2.
The IPs I had used in phase 2 before didn't answer until a reboot.

I was in a hurry to bring the tunnel up again, so I didn't have time to investigate.

#8 Updated by Grischa Zengel over 10 years ago

Now I checked it:
If I disable IPsec phase 1, the ping goes through OpenVPN.
If I only delete phase 2, the SPD still exists and no ping over OpenVPN is possible.

Last time I deleted phase 2 first and then phase 1, so it didn't know to delete the SPDs.

#9 Updated by Renato Botelho over 10 years ago

Grischa Zengel wrote:

Now I checked it:
If I disable IPsec phase 1, the ping goes through OpenVPN.
If I only delete phase 2, the SPD still exists and no ping over OpenVPN is possible.

Last time I deleted phase 2 first and then phase 1, so it didn't know to delete the SPDs.

Could you paste the output of 'setkey -DP' after you delete phase 2?
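
A small check for exactly this question, added here as an example and not part of the ticket: it counts the policy entries in a 'setkey -DP' dump whose source/destination pair matches a Phase 2's local and remote subnets, so after the P2 has been deleted a non-zero count means stale SPDs are still loaded. The subnets, tunnel endpoints and the sample dump are constructed, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not part of the ticket): count SPD entries in a
# 'setkey -DP' dump that belong to a given Phase 2 subnet pair.
# A non-zero count after the P2 has been deleted means stale policies remain.
# Real use: setkey -DP | count_spd_entries LOCAL_SUBNET REMOTE_SUBNET

# Constructed sample of 'setkey -DP' output: one P2 (10.0.1.0/24 <-> 10.0.2.0/24)
# with its in/out policies plus an unrelated out policy. Addresses are made up.
SAMPLE_SPD='10.0.2.0/24[any] 10.0.1.0/24[any] any
        in ipsec
        esp/tunnel/203.0.113.2-203.0.113.1/unique#16385
        spid=2 seq=1 pid=1234
        refcnt=1
10.0.1.0/24[any] 10.0.2.0/24[any] any
        out ipsec
        esp/tunnel/203.0.113.1-203.0.113.2/unique#16385
        spid=1 seq=0 pid=1234
        refcnt=1
192.0.2.0/24[any] 198.51.100.0/24[any] any
        out ipsec
        esp/tunnel/203.0.113.1-203.0.113.5/unique#16386
        spid=3 seq=2 pid=1234
        refcnt=1'

# Reads an SPD dump on stdin and prints how many policy headers match
# $1 <-> $2 in either direction. Header lines start in column 0 and look like
# "src/prefix[port] dst/prefix[port] proto"; the indented lines are details.
count_spd_entries() {
    awk -v a="$1" -v b="$2" '
        !/^[[:space:]]/ && NF >= 2 {
            src = $1; dst = $2
            sub(/\[.*$/, "", src); sub(/\[.*$/, "", dst)   # drop "[port]" suffix
            if ((src == a && dst == b) || (src == b && dst == a)) n++
        }
        END { print n + 0 }'
}

# Returns 0 when no SPD for the pair remains, 1 otherwise (usable in scripts).
spd_clean() {
    [ "$(count_spd_entries "$1" "$2")" -eq 0 ]
}

# Stand-alone demo against the constructed sample.
if printf '%s\n' "$SAMPLE_SPD" | spd_clean 10.0.1.0/24 10.0.2.0/24; then
    echo "no SPD entries left for 10.0.1.0/24 <-> 10.0.2.0/24"
else
    echo "stale SPD entries still present for 10.0.1.0/24 <-> 10.0.2.0/24"
fi
```

Run against the live dump after deleting or disabling a P2; a clean result for the pair is what the fix in this ticket should produce.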

#10 Updated by Chris Buechler over 10 years ago

  • Status changed from Feedback to New

This works with one exception: if you disable a P2 entry, its SPD is not removed. Deleting a P2 or P1 works fine, and disabling the P1 also correctly removes those SPD entries.

#11 Updated by Renato Botelho over 10 years ago

  • Status changed from New to Feedback
#13 Updated by Chris Buechler over 10 years ago

  • Status changed from Feedback to Resolved