I am working on automating some software tests involving IPSec and StrongSwan. These tests basically apply a swanctl.conf file to two gateway machines, then establish a tunnel between them. It then checks that the tunnel is encrypted and reports performance. However, it doesn't clean up that well. The result is that my test boxes have a bunch of unused Security Associations that appear when running ipsec statusall that I cannot figure out how to get rid of. I don't want to wait for them to expire, but I am not aware of a way to manually expire/delete them. Does such a method exist?

Will Nilges

Could you please provide more information on what you are doing and what you are seeing? – ecdsa May 28 '20 at 15:32
2 Answers
You can use the ip xfrm state (ip x s, short version) subcommands.
First, check security associations with ip x s ls, and then remove them with ip x s delete ...
Also there are commands to mass remove: ip x s deleteall ... and ip x s flush.

Anton Danilov
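The two removal styles in this answer differ in blast radius: ip x s delete removes a single SA identified by its src, dst, proto and SPI, while ip x s flush empties the whole SAD, including SAs belonging to tunnels that are still in use on that gateway. The script below is an added example, not part of the answer and not code from strongSwan or iproute2: it parses the text that ip xfrm state prints and emits one ip xfrm state delete command per SA, optionally restricted to one peer address, so the cleanup can be reviewed as a dry run before it is piped to a shell as root. The SAMPLE_XFRM_STATE dump, the addresses, SPIs and key bytes in it, and the function name xfrm_delete_cmds are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the answer or from iproute2/strongSwan: build one
# `ip xfrm state delete ...` command per SA from `ip xfrm state` output, so
# only the chosen SAs are removed instead of flushing the whole SAD.
# Needs iproute2 on Linux; the delete commands themselves must run as root
# (CAP_NET_ADMIN). Nothing in this file executes a delete by itself.

# Constructed sample of an `ip xfrm state` dump: one tunnel, one SA per
# direction. Addresses, SPIs and key bytes are made up for the example.
SAMPLE_XFRM_STATE='src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha256) 0x0011223344556677 128
    enc cbc(aes) 0x8899aabbccddeeff
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x4e5f6a7b reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha256) 0x0011223344556677 128
    enc cbc(aes) 0x8899aabbccddeeff'

# xfrm_delete_cmds [PEER_DST_ADDR]  < xfrm-state-text
# Each SA in the dump starts with a "src A dst B" line followed by an
# indented "proto P spi S ..." line; src, dst, proto and spi together are
# the ID that `ip xfrm state delete` expects. With an argument, only SAs
# whose dst matches it (traffic towards that peer) are emitted.
xfrm_delete_cmds() {
    awk -v want_dst="${1:-}" '
        /^src / { src = $2; dst = $4 }
        /^[ \t]*proto / {
            if (want_dst == "" || dst == want_dst)
                printf "ip xfrm state delete src %s dst %s proto %s spi %s\n", src, dst, $2, $4
        }'
}

# Dry run against the constructed sample: prints the commands, runs none.
printf '%s\n' "$SAMPLE_XFRM_STATE" | xfrm_delete_cmds

# On a real test gateway, as root, once the dry run looks right:
#   ip xfrm state | xfrm_delete_cmds 192.0.2.2 | sh
```

This only touches the kernel's SAD: the SPD (ip xfrm policy) and the daemon's own bookkeeping are separate, which is why restarting the daemon, as the other answer does, clears more on a box that nobody else is using.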
I found a potential solution.
Security Associations get deleted when IPsec restarts. If I want to be sure that I cleaned up everything (and it's fine to do this since these are test boxes that only I should be using anyway), I can simply call ipsec restart on each box. This'll flush the Security Associations and anything else that is potentially floating around.

Will Nilges