Bug #2719
Deleting IPsec tunnel does not remove SPDs
Status: closed, 100% done
Description
When you remove an IPsec tunnel, Phase 1 or Phase 2, its SPDs are left active.
Thus if you are moving from IPsec to something else, you manually have to clear the associated SPDs for traffic to flow again, or restart racoon/flush via setkey.
Logically it seems like this should result in:
- When removing a Phase 2, if the Phase 2 was enabled, the SPD entries matching that phase 2 should be removed.
- When removing a Phase 1, all SPDs matching its former enabled Phase 2 entries should be removed.
Updated by Anonymous almost 12 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 100
Applied in changeset 6fd8526b6b051529642500a38e272d4711bc6a33.
Updated by Anonymous almost 12 years ago
Applied in changeset fc8c7084e9ae69dce7f000dbf9c459397ea2b04c.
Updated by Renato Botelho almost 12 years ago
- Status changed from Feedback to Resolved
Updated by Grischa Zengel about 11 years ago
The problem still exists.
After deleting IPsec tunnels routing didn't work for these subnets.
I first deleted phase2 and then phase1 and routing over openvpn didn't work until reboot.
Updated by Renato Botelho about 11 years ago
- Status changed from Resolved to New
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
Grischa Zengel wrote:
The problem still exists.
After deleting IPsec tunnels routing didn't work for these subnets.
I first deleted phase2 and then phase1 and routing over openvpn didn't work until reboot.
When you delete the IPsec tunnel, did you check and confirm that the SPD is still there?
Updated by Grischa Zengel about 11 years ago
I didn't check whether the SPDs were still there, but that was my conclusion.
From both sides I could ping both ends of the openvpn gateways because I didn't use these IPs in phase2.
The IPs I had used in phase2 before didn't answer until reboot.
I was in a hurry to bring the tunnel up again, so I didn't have time to investigate.
Updated by Grischa Zengel about 11 years ago
Now I checked it:
If I disable IPsec phase1 the ping goes through openvpn.
If I only delete phase2 the SPD still exists and no ping over openvpn is possible.
Last time I deleted first phase2 and then phase1, so it didn't know to delete the SPDs.
Updated by Renato Botelho about 11 years ago
Grischa Zengel wrote:
Now I checked it:
If I disable IPsec phase1 the ping goes through openvpn.
If I only delete phase2 the SPD still exists and no ping over openvpn is possible.
Last time I deleted first phase2 and then phase1, so it didn't know to delete the SPDs.
Could you paste the output of 'setkey -DP' after you delete phase2?
Updated by Chris Buechler about 11 years ago
- Status changed from Feedback to New
This works with one exception: if you disable a P2 entry, its SPD is not removed. Deleting a P2 or P1 works fine, and disabling the P1 also correctly removes those SPD entries.
Updated by Renato Botelho about 11 years ago
- Status changed from New to Feedback
Applied in changeset 03131eb95c975ed990ddf955c762ef51137288a0.
Updated by Renato Botelho about 11 years ago
Applied in changeset 3cb55704924734aa19de58349198ca99d15e00ea.
Updated by Chris Buechler about 11 years ago
- Status changed from Feedback to Resolved