jcs's openbsd hax
openbsd

Make SA deletion on shutdown the default again. Use -S for failover situations where you do not want this.

Discussed and agreed on with ho, mcbride, markus, cloder,... We
will have to teach sasyncd to deal with this.

Testing by msf and hshoexer with help from mtu

ok markus cloder

hshoexer 85ead044 058d246a

+11 -11
+2 -2
sbin/isakmpd/conf.h
··· 1 - /* $OpenBSD: conf.h,v 1.33 2006/06/10 21:15:45 hshoexer Exp $ */ 1 + /* $OpenBSD: conf.h,v 1.34 2006/08/30 16:56:56 hshoexer Exp $ */ 2 2 /* $EOM: conf.h,v 1.13 2000/09/18 00:01:47 ho Exp $ */ 3 3 4 4 /* ··· 68 68 #define CONF_DFLT_PUBKEY_DIR ISAKMPD_ROOT "pubkeys/" 69 69 #define CONF_DFLT_KEYNOTE_CRED_DIR ISAKMPD_ROOT "keynote/" 70 70 71 - #define CONF_DFLT_DELETE_SAS "no" 71 + #define CONF_DFLT_DELETE_SAS "yes" 72 72 73 73 #define CONF_DFLT_TAG_PHASE1_CONFIG "Default-phase-1-configuration" 74 74 #define CONF_DFLT_PHASE1_EXCH_TYPE "ID_PROT"
+2 -2
sbin/isakmpd/isakmpd.8
··· 1 - .\" $OpenBSD: isakmpd.8,v 1.87 2006/06/29 10:00:49 hshoexer Exp $ 1 + .\" $OpenBSD: isakmpd.8,v 1.88 2006/08/30 16:56:56 hshoexer Exp $ 2 2 .\" $EOM: isakmpd.8,v 1.23 2000/05/02 00:30:23 niklas Exp $ 3 3 .\" 4 4 .\" Copyright (c) 1998, 1999, 2000, 2001 Niklas Hallqvist. ··· 264 264 .It Fl S 265 265 When this option is given, 266 266 .Nm 267 - will delete SAs on shutdown by sending delete messages to all peers. 267 + will not delete SAs on shutdown by sending delete messages to all peers. 268 268 .It Fl T 269 269 When this option is given, NAT-Traversal will be disabled and 270 270 .Nm
+5 -5
sbin/isakmpd/isakmpd.c
··· 1 - /* $OpenBSD: isakmpd.c,v 1.93 2006/06/10 21:15:45 hshoexer Exp $ */ 1 + /* $OpenBSD: isakmpd.c,v 1.94 2006/08/30 16:56:56 hshoexer Exp $ */ 2 2 /* $EOM: isakmpd.c,v 1.54 2000/10/05 09:28:22 niklas Exp $ */ 3 3 4 4 /* ··· 76 76 int acquire_only = 0; 77 77 78 78 /* Set when SAs shall be deleted on shutdown. */ 79 - int delete_sas = 0; 79 + int delete_sas = 1; 80 80 81 81 /* 82 82 * If we receive a SIGHUP signal, this flag gets set to show we need to ··· 214 214 break; 215 215 216 216 case 'S': 217 - delete_sas = 1; 217 + delete_sas = 0; 218 218 break; 219 219 220 220 case 'T': ··· 317 317 if (sigtermed == 1) { 318 318 log_print("isakmpd: shutting down..."); 319 319 320 - if (delete_sas || 321 - !strncmp("yes", conf_get_str("General", "Delete-SAs"), 3)) { 320 + if (delete_sas && 321 + strncmp("no", conf_get_str("General", "Delete-SAs"), 2)) { 322 322 /* 323 323 * Delete all active SAs. First IPsec SAs, then 324 324 * ISAKMPD. Each DELETE is another (outgoing) message.
+2 -2
sbin/isakmpd/isakmpd.conf.5
··· 1 - .\" $OpenBSD: isakmpd.conf.5,v 1.116 2006/06/11 11:07:41 hshoexer Exp $ 1 + .\" $OpenBSD: isakmpd.conf.5,v 1.117 2006/08/30 16:56:56 hshoexer Exp $ 2 2 .\" $EOM: isakmpd.conf.5,v 1.57 2000/12/21 14:43:17 ho Exp $ 3 3 .\" 4 4 .\" Copyright (c) 1998, 1999, 2000 Niklas Hallqvist. All rights reserved. ··· 310 310 .Xr isakmpd 8 311 311 deletes SAs on shutdown or not. 312 312 The default value is 313 - .Qq no . 313 + .Qq yes . 314 314 .El 315 315 .It Bq Sy Phase 1 316 316 ISAKMP SA negotiation parameter root
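Review bot: In the `sigtermed` branch of sbin/isakmpd/isakmpd.c, the new test `strncmp("no", conf_get_str("General", "Delete-SAs"), 2)` treats every value that does not begin with lowercase "no" as a yes. A setting of "No" or "NO", or any typo, therefore sends DELETEs at shutdown, while "none" or "nope" suppresses them. The call also hands the result of conf_get_str straight to strncmp, so it depends on the CONF_DFLT_DELETE_SAS default always being loaded. Suggest fetching the string once, checking it for NULL, and comparing the whole value case-insensitively (for example with strcasecmp against "no").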
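Review bot: In the `.It Fl S` entry of sbin/isakmpd/isakmpd.8, the new sentence "will not delete SAs on shutdown by sending delete messages to all peers" is ambiguous: it can be read as saying SAs are still deleted, just not by sending delete messages. Since -S is meant for failover, where the operator needs to know exactly what peers will see, suggest something like "will not delete SAs on shutdown, and no delete messages are sent to peers."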
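Review bot: The Delete-SAs entry in sbin/isakmpd/isakmpd.conf.5 only flips the documented default to "yes" and does not state how it interacts with -S. With the condition in isakmpd.c changed from `delete_sas || ...` to `delete_sas && ...`, -S now suppresses deletion even when Delete-SAs is explicitly set to "yes", whereas before either the flag or the setting was enough to enable it. Suggest adding one sentence to this entry, and to the -S entry in isakmpd.8, saying that -S takes precedence over the configuration value, so failover setups are not surprised by which one wins.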