Re: isakmpd and reboots
since "keep-alive" is not part of ipsec, another solution is to have
separate daemons on the vpn gateways doing a ping type check - when no
packets return restart isakmpd to initiate a new negotiation.
i agree - this is a "practicality" shortcoming of the standards.
tariq
-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
Lars Hansson
Sent: 20 March 2002 02:27
To: misc@openbsd.org
Subject: Re: isakmpd and reboots
On Tue, 19 Mar 2002 16:26:59 +0100
"Philipp Buehler" <lists@fips.de> wrote:
> On 19/03/2002, Lars Hansson <lars@unet.net.ph> wrote To misc@openbsd.org:
> > > The by far easiest way is to 'kill <isakmpd-pid>' before you reboot.
> >
> > Hmm...probably a good idea to put that in rc.shutdown then.
>
> "No" .. isakmpd stays "alive" for quite a while (waiting for
> responses of the notifications?).
Yeah, I noticed that. I created a shell function that simply waits for it
to finish.

rc.shutdown:

    # Block until the process with PID $1 has exited, printing one dot
    # per second while it is still alive.
    waitpid () {
        while kill -0 "$1" 2> /dev/null; do
            echo -n "."
            sleep 1
        done
    }

    # Send isakmpd the default TERM signal, then wait for it to exit.
    if [ -r /var/run/isakmpd.pid ]; then
        pid=`head -n 1 /var/run/isakmpd.pid`
        kill "$pid"
        echo -n "Waiting for isakmpd to exit"
        waitpid "$pid"
        echo "done"
    fi

Still, it would be nice with a complete renegotiation on restart.
We have offices in the provinces and the power there is anything but
reliable and an UPS only saves you so long...
--
Lars Hansson
Universal Joint Network Technologies, Inc
16/F Equitable Bank Tower, 8751 Paseo de Roxas, Makati City, Philippines
PGP Key http://www.unet.net.ph/~lars/pubkey.asc
intY (www.inty.com) has automatically scanned this email using Sophos
Anti-Virus
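
The ping-type check suggested at the top of this message, combined with the wait-for-exit step from the quoted rc.shutdown snippet, as an added example that is not code from either poster. Assumptions: the probe address, interval, failure threshold, the 30-second wait limit and /sbin/isakmpd as the daemon path are illustrative; PROBE and RESTART are hypothetical hooks so the counting logic can be exercised without a tunnel.

```shell
#!/bin/sh
# Added example: tunnel watchdog for an isakmpd gateway (names are assumed).
PEER=${PEER:-192.0.2.10}        # constructed: host behind the remote gateway
INTERVAL=${INTERVAL:-20}        # seconds between probes
MAX_FAILS=${MAX_FAILS:-3}       # consecutive losses before a restart
PIDFILE=${PIDFILE:-/var/run/isakmpd.pid}
PROBE=${PROBE:-probe_ping}      # hook: command that tests the tunnel
RESTART=${RESTART:-restart_isakmpd}
# One echo request that has to travel through the tunnel.
probe_ping() { ping -c 1 -w 2 "$1" >/dev/null 2>&1; }

# Wait up to $2 seconds for PID $1 to exit; 0 = gone, 1 = still running.
wait_exit() {
    n=0
    while kill -0 "$1" 2>/dev/null; do
        [ "$n" -ge "$2" ] && return 1
        sleep 1
        n=$((n + 1))
    done
    return 0
}

# Stop isakmpd, give it time to exit on its own, then start a fresh daemon.
restart_isakmpd() {
    pid=$(head -n 1 "$PIDFILE" 2>/dev/null)
    if [ -n "$pid" ]; then
        kill "$pid" 2>/dev/null
        wait_exit "$pid" 30 || kill -9 "$pid" 2>/dev/null
    fi
    /sbin/isakmpd
}

# One watchdog step: takes the current failure count, prints the new one.
check_once() {
    fails=$1
    if "$PROBE" "$PEER"; then echo 0; return 0; fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$MAX_FAILS" ]; then
        "$RESTART" >/dev/null 2>&1
        fails=0     # reset so the new negotiation gets time to complete
    fi
    echo "$fails"
}

watch_tunnel() {
    fails=0
    while :; do fails=$(check_once "$fails"); sleep "$INTERVAL"; done
}
if [ "${1:-}" = "run" ]; then watch_tunnel; fi
```

Started with the argument "run" it loops forever; a single lost packet never triggers a restart, only MAX_FAILS losses in a row.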