Restart single iked connections


Restart single iked connections

Stephan Mending
Hi *,

I am in a situation where I've got hosts that handle IPsec connections
with multiple endpoints.

So I've wondered if it was possible to restart single connections
without rebuilding the rest of the connections.
For example, machine A has a tunnel to machine B and machine C.
The tunnel to C is up and running as intended, but the tunnel to B is
broken (for example, ICMP echoes don't return). How do I rebuild the tunnel to B
without restarting iked for all connections and interrupting my tunnel to
C?

Thank you for your time.

g Stephan


Re: Restart single iked connections

Peter Müller
Hello openbsd-misc,

I am strongly interested in this, too.

Since the iked manpage does not mention this, I suppose it is not possible.
In combination with ifstated, however, this might result in a DoS scenario
if one peer becomes unreachable - on purpose or by chance - and any other
IPsec connections break down due to an iked restart, as Stephan already pointed
out.

So any advice on this is appreciated a lot. :-)

Thanks, and best regards,
Peter Müller


> Hi *,
>
> I am in a situation where I've got hosts that handle IPsec connections
> with multiple endpoints.
>
> So I've wondered if it was possible to restart single connections
> without rebuilding the rest of the connections.
> For example, machine A has a tunnel to machine B and machine C.
> The tunnel to C is up and running as intended, but the tunnel to B is
> broken (for example, ICMP echoes don't return). How do I rebuild the tunnel to B
> without restarting iked for all connections and interrupting my tunnel to
> C?
>
> Thank you for your time.
>
> g Stephan
>


Re: Restart single iked connections

Tobias Heider
I sent a diff to tech@ that should solve your problem:
https://marc.info/?l=openbsd-tech&m=158447623916319&w=2

On Sun, Jan 26, 2020 at 04:12:00PM +0000, Peter Müller wrote:

> Hello openbsd-misc,
>
> I am strongly interested in this, too.
>
> Since the iked manpage does not mention this, I suppose it is not possible.
> In combination with ifstated, however, this might result in a DoS scenario
> if one peer becomes unreachable - on purpose or by chance - and any other
> IPsec connections break down due to an iked restart, as Stephan already pointed
> out.
>
> So any advice on this is appreciated a lot. :-)
>
> Thanks, and best regards,
> Peter Müller
>
>
> > Hi *,
> >
> > I am in a situation where I've got hosts that handle IPsec connections
> > with multiple endpoints.
> >
> > So I've wondered if it was possible to restart single connections
> > without rebuilding the rest of the connections.
> > For example, machine A has a tunnel to machine B and machine C.
> > The tunnel to C is up and running as intended, but the tunnel to B is
> > broken (for example, ICMP echoes don't return). How do I rebuild the tunnel to B
> > without restarting iked for all connections and interrupting my tunnel to
> > C?
> >
> > Thank you for your time.
> >
> > g Stephan
> >
>