Re: flushing ipsec configuration
Hi, thanks for responding.

On Mon, Aug 06, 2001 at 03:20:25PM +0200, Hakan Olsson wrote:
> If you remove and recreate the SPIs the replay protection numbers will be
> reset. 'ipsecadm flush' removes all flows and all SPIs.

Are you sure? I was running tcpdump on the remote end and I didn't see
the numbers reset at all after flushing. I had to wait for some period
of time to pass.

> If you haven't already, read ch.13 in the OpenBSD FAQ.

Yes, I had been reading it until I realized that a bunch of it was
outdated. After doing some Google searches I was turned to the man page
for 'vpn' and I took some examples from that.

> Especially looking at the contents of /kern/ipsec should be of interest
> to you. Also, 'netstat -p esp -s' should give you a hint on why packets
> are discarded.

Thanks, normally I don't mount /kern and I missed this section; that
will help greatly, I think. (Damn, I have to recompile the kernel
again. :)

> I assume you've looked at rc.vpn? (/usr/share/examples/ipsec/)

Yes I have, but it doesn't seem appropriate for my situation. On my end
of the connection I have the OpenBSD gateway (also doing NAT) and on
the remote end I have a single FreeBSD machine, whereas rc.vpn appears
to be for two complete networks. I was hoping I could just take the
parts from the 'vpn' man page and omit the sections regarding the
"remote network", but that isn't working out too well so far. ;)