[Swan] ipsec whack individual connections

Paul Wouters paul at nohats.ca
Fri Feb 20 01:36:33 EET 2015

On Thu, 19 Feb 2015, John Crisp wrote:

> are fine, but would like to be able to individually stop/restart
> connections.

ipsec auto --down name and ipsec auto --up name will do that.

> First is how to identify connections that are 'up' (though I guess that
> I could ignore this and restart them regardless of state)
> ipsec status does not provide a simple "myConnection up" type status
> that you can grep
> I thought the closest might be in this line :
> #1: "MyConnection":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established).....
> But I am not sure.

That's just the phase1/parent. You should look for:


000 #2: "westnet-eastnet-ipv4-psk-ikev2":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REPLACE in 28043s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "westnet-eastnet-ipv4-psk-ikev2" esp.a194716e at esp.80915c6 at tun.1000 at tun.1001 at ref=3 refhim=1 Traffic:! ESPmax=0B

Note that in IKEv2 currently both the parent and child are marked as
STATE_PARENT_I3 or STATE_PARENT_R2. That is a bug :(


000 #2: "westnet-eastnet":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28044s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "westnet-eastnet" esp.3e92c85e at esp.cf6e76ec at tun.1000 at tun.1001 at ref=3 refhim=1 Traffic:! ESPmax=4194303B

Here you can rely on "IPsec SA established" to pick the right state

> Next is how to restart and individual connection using whack. I don't
> seem to be able to easily identify the various connections.

Why use whack directly? Why not "ipsec auto --replace name" followed
by "ipsec auto --up name" ?

> I have tried 'myid' in /etc/ipsec.d/ipsec.conf but can't seem to get
> something working.

That value is not related to this.

> Surely if I have a conn entry in the ipsec.conf file I should be able to
> do something like
> ipsec whack MyConnection
> But it seems that this is far too simplistic !

You should. We _are_ working on a replacement command that will be much
more consise and friendly to the administrator.

Note that you can get state changes to your custom scripts by setting
the statsbin= value to your binary/shell script. That way you are
notified of state changes without needing to call ipsec status or grep
the logs.


More information about the Swan mailing list