[Openswan dev] Phase 2 Negotiation Reliability

Herbert Xu herbert at gondor.apana.org.au
Fri Sep 17 10:22:03 CEST 2004


On Thu, Sep 16, 2004 at 09:27:27AM -0400, Michael Richardson wrote:
> 
>   Upon reception of such a notify, look up each SPI# and see if we are
> using it. If we are *not* using it then send a delete.

Yes that sounds like a good way to do it.
  
>   I was also thinking ... why is it that message 2 of the phase 2 isn't
> getting retransmitted longer when message 3 gets lost. The original
> thread had some comments about only 3 retransmits... 

Message 2 is sent by the responder who cannot retry indefinitely.
In IKEv2 each transaction is initiated by the initiator who can
retry indefinitely or give up.

The problem is exacerbated by the fact that openswan only retries
3 times.  In our case we extended this to 20 times and it's worked
around the problem for now.

>   Can anyone suggest any netfilter modules that might help to build a
> test case? I.e. something that will drop the first n-packets of a
> stream. Or maybe I should use QoS for that.

You just need a rule that drops the last message in QM.  Something
based on the size of the message should do the trick.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志坚 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
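The failure mode discussed above (Quick Mode message 3 lost, responder stops retransmitting message 2 after a small number of tries, and the two ends are left with asymmetric SA state) is easier to reason about with a small turn-based model. The following is an added example, not code from the thread or from Openswan; it builds no real IKE messages, and the message layouts, the "initiator installs SAs after QM2" simplification and the retry limits are assumptions chosen to illustrate the point.

```python
"""Added example (not from the original thread or from Openswan): a
turn-based simulation of IKEv1 Quick Mode (Phase 2) in which the third
message is lost, showing why the responder's retransmit limit decides
whether the exchange completes.  Message contents, names and limits are
assumptions for illustration only; no real IKE packets are built."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Result:
    initiator_has_sa: bool      # initiator installed its SAs after QM2
    responder_has_sa: bool      # responder installed its SAs on QM3
    qm2_retransmits: int        # how many times the responder resent QM2
    completed: bool             # both sides hold the SAs
    log: List[str] = field(default_factory=list)


def run_quick_mode(drop_qm3: int, responder_retries: int) -> Result:
    """Simulate one Quick Mode exchange over a link that silently drops
    the first `drop_qm3` copies of message 3 (HDR*, HASH(3)).

    Assumed, simplified model:
      * QM1 and QM2 always arrive.
      * The initiator can derive its keys once it has processed QM2, so
        it installs SAs and sends QM3.  QM3 is the last message of the
        exchange, so nothing on the initiator side waits for a reply; it
        only resends QM3 when it sees a retransmitted QM2.
      * The responder installs SAs only on receipt of QM3.  Until then it
        retransmits QM2 at most `responder_retries` times, then gives up
        and discards the half-open state.
    """
    log = ["I->R QM1: HDR*, HASH(1), SA, Ni, IDci, IDcr",
           "R->I QM2: HDR*, HASH(2), SA, Nr, IDci, IDcr"]
    initiator_has_sa = True       # keys are derivable after QM2
    remaining_drops = drop_qm3
    retransmits = 0
    while True:
        # Every copy of QM2 the initiator sees is answered with QM3.
        if remaining_drops > 0:
            remaining_drops -= 1
            log.append("I->R QM3: HDR*, HASH(3)   [dropped by link]")
        else:
            log.append("I->R QM3: HDR*, HASH(3)   [delivered]")
            return Result(initiator_has_sa, True, retransmits, True, log)
        # Responder's retransmit timer fires: resend QM2 or abandon.
        if retransmits >= responder_retries:
            log.append("R: retransmit limit reached, discarding QM state; "
                       "initiator keeps SAs the responder never installed")
            return Result(initiator_has_sa, False, retransmits, False, log)
        retransmits += 1
        log.append(f"R->I QM2 (retransmit {retransmits}/{responder_retries})")


if __name__ == "__main__":
    # Five lost copies of QM3 against a 3-retry responder versus a
    # 20-retry responder (the limits quoted in the mail).
    for limit in (3, 20):
        res = run_quick_mode(drop_qm3=5, responder_retries=limit)
        print(f"--- responder retry limit {limit}: completed={res.completed}, "
              f"initiator_has_sa={res.initiator_has_sa}, "
              f"responder_has_sa={res.responder_has_sa}")
        for line in res.log:
            print("   ", line)
```

Running it shows the asymmetry the thread is about: with the 3-retry limit the responder abandons the exchange while the initiator still holds installed SAs, which is exactly the state in which the initiator will later receive a notify for an SPI the peer does not know. The same model is also what a netfilter test case needs to reproduce: drop the first few copies of the small QM3 packet (an ISAKMP header plus a HASH payload) and leave QM1/QM2 alone.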