Red Hat Bugzilla – Bug 444743
ipsec auto --replace brings down the tunnel
Last modified: 2008-09-19 10:29:21 EDT
Description of problem:
If I configure an IPSec tunnel and later use "ipsec auto --replace", the
tunnel remains down, i.e. I cannot ping the gateways anymore. ipsec
auto --status still lists the connection and I have to restart the ipsec
service to bring it back up (ipsec auto --add $conn; ipsec auto --up $conn
does not work).
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. configure an ipsec tunnel
2. ipsec auto --replace
3. ping the second gateway - not reachable
I can see a warning that replacing a policy is not supported with netkey:
000 "west-east" #3: request to replace with shunt a prospective erouted policy
with netkey kernel --- not yet implemented
000 "west-east": request to delete a unrouted policy with netkey kernel ---
not yet implemented
But if replacing/deleting isn't implemented, the tunnel should remain up.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Warning is wrong, ignore it.
ipsec auto --replace will always take the tunnel down. --replace is a synonym for
ipsec auto --delete conn
ipsec auto --add conn
If you want the tunnel back up you should use:
ipsec auto --replace conn && ipsec auto --up conn
replacing/deleting has two parts. The kernel policies (phase 2 / ipsec SA) and
the userland policies (phase 1 / ISAKMP). The scripts do both, but the warnings
you see are about the kernel component.
Furthermore, openswan-2.6.14 (and its "rc" pre-releases) do have those
operations implemented for netkey, and they now give 'warnings' about being
experimental. (This is all code in programs/pluto/kernel_netlink.c, related to
the kernel_ops functions.)
Also, in openswan-2.5.x and up, the "--add" operation is equivalent to
"--replace", as it always does a "--delete" plus "--add".
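As an added illustration (not from the bug report or from Openswan itself), the following POSIX sh script models the connection states that "ipsec auto" moves a conn through, as described in the two comments above: --replace is --delete plus --add, so an established tunnel is torn down and stays down until --up is run again. The single modelled conn and its states (absent, loaded, up) are assumptions of the model, not Openswan's own state names.

```shell
#!/bin/sh
# Minimal model of "ipsec auto" connection state, constructed for illustration.
# States (assumed names): absent -> loaded (--add) -> up (--up); --delete -> absent.
MODEL_STATE=absent

model_auto() {   # stand-in for "ipsec auto --<op> conn" against the model
    case "$1" in
        --add)
            # In openswan-2.5.x and up, --add already does --delete plus --add,
            # so the conn is (re)loaded but never brought up by this step.
            MODEL_STATE=loaded ;;
        --up)
            # --up only works on a conn that has been loaded
            [ "$MODEL_STATE" = absent ] && return 1
            MODEL_STATE=up ;;
        --delete)
            # deleting the conn removes its kernel policies: tunnel goes down
            MODEL_STATE=absent ;;
        --replace)
            # --replace is a synonym for --delete followed by --add
            model_auto --delete conn && model_auto --add conn ;;
        *)  return 2 ;;
    esac
}

# What the reporter ran: replace alone leaves the conn loaded but not up.
replace_only() {
    MODEL_STATE=absent
    model_auto --add conn && model_auto --up conn && model_auto --replace conn
    echo "$MODEL_STATE"
}

# What the thread recommends: replace, then bring the conn up again.
replace_and_up() {
    MODEL_STATE=absent
    model_auto --add conn && model_auto --up conn
    model_auto --replace conn && model_auto --up conn
    echo "$MODEL_STATE"
}

echo "after --replace only:        $(replace_only)"
echo "after --replace && --up:     $(replace_and_up)"
```

Against a real Openswan host the equivalent of replace_and_up is the one-liner given above, "ipsec auto --replace conn && ipsec auto --up conn".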
Does this problem still exist in 2.6.14 and current kernel?
See previous comments. This is expected behaviour.
ok, closing as not a bug. Thanks for the info.