File: description.txt
package: freeswan 2.04-11.3 (area: main; in suites: sarge)
This test will succeed if notify_delete-2.00.diff is applied to pluto. This
patch applied without failed hunks as of February 6th.

From the Design list:

Expect the test to fail when formally running it; I haven't figured out how to
suppress the variable elements from the ping test I employ (the summary line,
which will almost always vary).

The test uses whack commands to set up a roadwarrior config on east and a
VPN config with an absurdly low keylife (20 seconds) and no rekeying on west.
Once the IPSec SA expires, west shuts down IPSec.

Using Mathieu's Notify-Delete SA patch - thanks to Ken for porting it to 2.00
- this prompts a Delete SA request for the ISAKMP SA, killing the conn
instance, unrouting the conn, and allowing a clear traffic ping to succeed.

Without Delete SA code, the ping fails, as the peer still has a %trap eroute
in place.

Why the requirement for the low IPSec SA lifetime? It appears that on "ipsec
auto --delete connname", a Delete SA request for the ISAKMP SA gets issued...
but never for the IPSec SA. As a result, the Delete SA is received, but the
roadwarrior conn stays up.
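The following ipsec.conf pair is an added illustration of the setup the test drives with whack, written here so the two settings that matter (the 20-second IPsec SA lifetime and rekey=no on west, and the %any roadwarrior template on east) are visible in one place. It is not the test's own script or part of the FreeS/WAN tree; keywords follow FreeS/WAN 2.x ipsec.conf(5), and the addresses, IDs and subnet are constructed (RFC 5737 ranges) for the example.

```conf
# --- /etc/ipsec.conf on east (responder, roadwarrior template) ---
# Added example, not the test's whack script. Addresses are constructed.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# right=%any makes this a template; pluto instantiates a conn per peer.
# No keylife here: the responder accepts the shorter lifetime west proposes.
conn road
        left=192.0.2.23
        leftid=@east
        leftsubnet=198.51.100.0/24
        right=%any
        rightid=@west
        authby=secret
        auto=add

# --- /etc/ipsec.conf on west (initiator) ---
# Added example, not the test's whack script. Addresses are constructed.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

# keylife=20s with rekey=no: the IPsec SA expires and is never replaced,
# so when west later shuts down the only SA left to delete is the ISAKMP SA.
conn road
        left=203.0.113.45
        leftid=@west
        right=192.0.2.23
        rightid=@east
        rightsubnet=198.51.100.0/24
        authby=secret
        keylife=20s
        rekey=no
        auto=start
```

Both hosts need a matching PSK line in ipsec.secrets (`@east @west: PSK "..."`). To reproduce the check by hand: on west, wait until `ipsec auto --status` no longer lists an IPsec SA for the conn, then run `ipsec setup stop`. On east, `ipsec eroute` is the thing to look at: with the Notify-Delete patch the instance's eroute is gone and a ping from the 198.51.100.0/24 side to west goes out in the clear; without it the instance keeps a `%trap` eroute and the ping is swallowed by KLIPS waiting for a negotiation that west will never answer.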