Restart single iked connections

Restart single iked connections

Hi *,

I am in a situation where I've got hosts that handle IPsec connections
with multiple endpoints.

So I've wondered if it was possible to restart single connections
without rebuilding the rest of the connections.
For example Machine A has a tunnel to machine B and machine C.
The tunnel to C is up and running as intended, but the tunnel to B is
broken (ICMP echoes don't return, for example). How do I rebuild the tunnel to B
without restarting iked for all connections and interrupting my tunnel to
C?

Thank you for your time.

g Stephan


Re: Restart single iked connections

Peter Müller
Hello openbsd-misc,

I am strongly interested in this, too.

Since the iked manpage does not mention this, I suppose it is not possible.
In combination with ifstated, however, this might result in a DoS scenario
if one peer becomes unreachable - on purpose or by chance - and any other
IPsec connections break down due to an iked restart, as Stephan already pointed
out.

So any advice on this is appreciated a lot. :-)

Thanks, and best regards,
Peter Müller


> Hi *,
>
> I am in a situation where I've got hosts that handle IPsec connections
> with multiple endpoints.
>
> So I've wondered if it was possible to restart single connections
> without rebuilding the rest of the connections.
> For example Machine A has a tunnel to machine B and machine C.
> The tunnel to C is up and running as intended, but the tunnel to B is
> broken (ICMP echoes don't return, for example). How do I rebuild the tunnel to B
> without restarting iked for all connections and interrupting my tunnel to
> C?
>
> Thank you for your time.
>
> g Stephan
>