An important note if you want to totally stop an IKE IPSec connection

April 4, 2015

Suppose, hypothetically, that you think your IPSec GRE tunnel may be contributing to some weird connection problem you're having. In order to get it out of the picture, you want to shut it down (which will still leave you able to reach things). There are three ways you can do this: you can use 'ipsec whack --terminate' to ask your local pluto to shut down this specific IKE connection (which you've engineered to stop the GRE tunnel), you can shut your local pluto down entirely with 'systemctl stop pluto' (or equivalent), or you can stop pluto on both ends.

I will skip to the punchline: if you have no *protoport set (so that you're doing IPSec on all traffic just because you might as well), you need to shut pluto down on both ends. Merely shutting down the IKE IPSec stuff for your GRE tunnel (and taking down the tunnel itself) will leave the overall IPSec security policy intact and this policy specifically instructs the kernel to drop any non-IPSec packets between your left and right IPs. Only shutting down pluto itself will get rid of the security policy, and you need to get rid of it on both ends so you need to shut down pluto on both.

(If pluto is handling more than one connection for you on one of the ends, you're going to need to do something more complicated. My situation is usefully simple here.)

If you shut down pluto on only one end and then keep trying to test things, you can get into very puzzling and head-scratching problems. For instance, if you try to make a connection from the shut-down side to the side with pluto still running, tcpdump on both ends will tell you that SYN packets are being send and arriving at their destination but are getting totally ignored despite there being no firewall rules and so on that would do this.

(If you have a selective *protoport set, any traffic that would normally be protected by IPSec will be affected by this because the security policy says 'drop any of this traffic that is not protected with IPSec'.)

PS: your current IPSec security policies can be examined with 'setkey -DP'. There's probably some way to get a counter of how many packets have been dropped for violating IPSec security policies, but I don't know what it is (maybe it's hiding somewhere in 'ip xfrm', which has low-level details of this stuff, although /proc/net/xfrm_stat doesn't seem to be it).

Written on 04 April 2015.
« A weird new IKE IPSec problem that I just had on Fedora 21's latest kernel
A note on the argument about the 'morality' of adblockers »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sat Apr 4 03:30:31 2015
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.