[Openswan dev] OpenSwan 2.6.10-1 on OpenWrt 7.09 consistently hangs on large HTTP file transfer
mcr at sandelman.ottawa.on.ca
Thu Dec 6 23:10:49 EST 2007
>>>>> "starlight" == starlight <starlight at binnacle.cx> writes:
starlight> At 07:02 PM 12/6/2007 -0500, Michael Richardson wrote:
>> Most people rekey sooner based upon time.
starlight> Quite a cavalier way to put it. Most people? Like whom?
starlight> How many people do multi-gigabyte file transfers that take
starlight> a day or more and then find it blows up in their face?
I thought I agreed that it appears to be a bug.
The rekeying issues with IPsec are hardly obscure.
Openswan doesn't support rekeying by transfer size.
I don't really know why your system doesn't obsolete the SA, find it
has no SA, and then create a new one. Usually, it never has to get to
that point; by default, it rekeys the IPsec SA every 8 hours.
*I* do multi-gigabyte transfers regularly, and they don't blow up.
I'm pretty sure that I've transferred more than 4G across IPsec
connections. By my calculations, if I have a 1Mbit/s link, I can
transfer 4G in 8 hours, so I can't see how I wouldn't have hit this, as
the transfer that I did just now ran much faster than that, so it should
have caused a rekey long before.
(Or maybe my calculations are wrong)
(I use rsync. Which means that I can resume if I have to, usually I
don't have to. The internet could also fail during your transfer)
] Bear: "Me, I'm just the shape of a bear." | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr at xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [