    Disconnect IPsec connection from CLI

SenseiNYC:
      Let me clear up the title. Much like in the GUI - Status - IPsec, when you have an active connection, to the far right you have the red button Disconnect. I would like to initiate that connection from the CLI. Is there a direct command?

      I am asking because one of my IPsec connections is to an older Sonicwall at a client site but their Sonicwall keeps dropping the P2, so currently my only option is to go to GUI - Status - IPsec then click Disconnect and it re-establishes the P2 immediately. I have written a monitoring script in Powershell that will notify of a P2 disconnect but it would be better if the script can perform the Disconnect action forcing PFS to reinitialize the P1 and P2.

      Thanks.

Konstanti (reply to @SenseiNYC):

        ipsec down <name>
        
        tells the IKE daemon to terminate connection <name>. Implemented by calling the ipsec stroke down <name> command.
        
        ipsec down <name>{n}
        
terminates CHILD_SA instance n of connection <name>. Since {n} uniquely identifies a CHILD_SA the name is optional.
        
        ipsec down <name>{*}
        
        terminates all CHILD_SA instances of connection <name>.
        
        ipsec down <name>[n]
        
terminates IKE_SA instance n of connection <name> plus dependent CHILD_SAs. Since [n] uniquely identifies an IKE_SA the name is optional.
        
        ipsec down <name>[*]
        
        terminates all IKE_SA instances of connection <name>.
        

        or

        [2.4.4-RELEASE][admin@pfSense.localdomain]/root: swanctl --terminate --help
        strongSwan 5.7.1 swanctl
        usage:
swanctl --terminate --child <name> | --ike <name> | --child-id <id> | --ike-id <id>
                         [--timeout <s>] [--raw|--pretty]
                   --help            (-h)  show usage information
                   --child           (-c)  terminate by CHILD_SA name
                   --ike             (-i)  terminate by IKE_SA name
                   --child-id        (-C)  terminate by CHILD_SA reqid
                   --ike-id          (-I)  terminate by IKE_SA unique identifier
        
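Putting the answer to work for the situation in the question, here is an added example (not code from the thread, from Netgate or from strongSwan): one monitoring pass that checks whether a CHILD_SA (the pfSense "P2") is installed and, when it is gone, does from the shell what the GUI Disconnect button does, terminating the IKE_SA with `swanctl --terminate --ike`, and then initiates the child again. It is meant to run on the pfSense box itself, for instance invoked over SSH by the PowerShell monitor mentioned in the question. Assumptions: the IKE_SA and CHILD_SA are both named `con1` (placeholder; check yours with `swanctl --list-conns`), `swanctl` is the strongSwan 5.7.x binary on pfSense 2.4.4, and `swanctl --initiate --child <name>` is used as the counterpart of the `--terminate` usage quoted above. The `swanctl --list-sas` listing embedded in the script is constructed sample output for the self-test, not captured from a real firewall.

```shell
#!/bin/sh
# Added example for this thread (not code from the forum, Netgate or strongSwan).
# Checks a CHILD_SA (pfSense "P2") and, when it is missing, terminates the IKE_SA
# (the GUI Disconnect button) with swanctl and initiates the child again.
# Assumptions: IKE_SA and CHILD_SA are both called "con1" (placeholder, see
# "swanctl --list-conns"); swanctl is strongSwan 5.7.x on pfSense 2.4.4.

SWANCTL=${SWANCTL:-swanctl}

# Constructed sample of "swanctl --list-sas" output, used only by the self-test:
# IKE_SAs start in column 0, their CHILD_SAs are indented beneath them.
# con1 has an installed child; con2 has an IKE_SA but its child is gone.
SAMPLE_LISTING=$(cat <<'EOF'
con1: #3, ESTABLISHED, IKEv1, 0a1b2c3d4e5f6071_i* 1122334455667788_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 842s ago, reauth in 27158s
  con1: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 842s ago, rekeying in 2458s, expires in 3558s
    in  c2a1b3f4,   1024 bytes,    12 packets
    out cf4b3a1c,    800 bytes,    10 packets
    local  10.10.0.0/24
    remote 192.168.50.0/24
con2: #4, ESTABLISHED, IKEv1, 99aabbccddeeff00_i 0011223344556677_r*
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '192.0.2.77' @ 192.0.2.77[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, reauth in 27880s
EOF
)

# child_installed CHILD LISTING: 0 if a CHILD_SA named CHILD is INSTALLED in LISTING.
child_installed() {
    printf '%s\n' "$2" | grep -Eq "^[[:space:]]+$1: #[0-9]+, reqid [0-9]+, INSTALLED,"
}

# ike_established IKE LISTING: 0 if an IKE_SA for connection IKE is ESTABLISHED.
ike_established() {
    printf '%s\n' "$2" | grep -Eq "^$1: #[0-9]+, ESTABLISHED,"
}

# decide IKE CHILD LISTING: print the action for this pass without touching the daemon.
#   ok        the CHILD_SA is installed, nothing to do
#   bounce    IKE_SA is up but the child is gone: terminate the IKE_SA (what the
#             GUI Disconnect does), then initiate the child again
#   initiate  nothing is up: initiating the child also brings up the IKE_SA
decide() {
    if child_installed "$2" "$3"; then
        echo ok
    elif ike_established "$1" "$3"; then
        echo bounce
    else
        echo initiate
    fi
}

# repair IKE CHILD: run one pass against the live daemon and act on the decision.
repair() {
    action=$(decide "$1" "$2" "$("$SWANCTL" --list-sas)")
    echo "$2: $action"
    case $action in
        ok) ;;
        bounce)
            "$SWANCTL" --terminate --ike "$1" --timeout 10 || return 1
            "$SWANCTL" --initiate --child "$2" --timeout 30 ;;
        initiate)
            "$SWANCTL" --initiate --child "$2" --timeout 30 ;;
    esac
}

# Usage: ./ipsec-repair.sh con1 con1   (IKE_SA name, then CHILD_SA name)
if [ $# -eq 2 ]; then
    repair "$1" "$2"
fi
```

The decision is kept separate from the action so the parsing can be checked against a saved listing before the script is allowed to tear down a production tunnel; the same pass can be taken with `ipsec down <name>` / `ipsec up <name>` in place of the two swanctl calls. If the PowerShell monitor triggers this over SSH, give it a dedicated key restricted to this one command rather than an interactive admin login on the firewall.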