[Openswan dev] OpenSwan 2.6.10-1 on OpenWrt 7.09 consistently hangs on large HTTP file transfer

Michael Richardson mcr at sandelman.ottawa.on.ca
Thu Dec 6 23:10:49 EST 2007




>>>>> "starlight" == starlight  <starlight at binnacle.cx> writes:
    starlight> At 07:02 PM 12/6/2007 -0500, Michael Richardson wrote:
    >> Most people rekey sooner based upon time.

    starlight> Quite a cavalier way to put it.  Most people?  Like whom?
    starlight> How many people do multi-gigabyte file transfers that take
    starlight> a day or more and then find it blows up in their face?

  I thought I agreed that it appears to be a bug.
  The rekeying issues with IPsec are hardly obscure. 

  Openswan doesn't support rekeying by transfer size. 
  I don't really know why your system doesn't obsolete the SA, find it
has no SA, and then create a new one. Usually, it never has to get to
that point; by default, it rekeys the IPsec SA every 8 hours.

  *I* do multi-gigabyte transfers regularly, and they don't blow up.
I'm pretty sure that I've transferred more than 4G across IPsec
connections.  By my calculations, if I have 1Mbit/s link, I can
transfer 4G in 8 hours, so I can't see how I wouldn't have hit this, as
the transfer that I did just now ran much faster than that, so it should
have caused a rekey long before.
  (Or maybe my calculations are wrong)

  (I use rsync. Which means that I can resume if I have to, usually I
don't have to. The internet could also fail during your transfer)



-- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [



