[Openswan dev] DPD issue with multiple tunnels between two peers

Michael Richardson mcr at xelerance.com
Mon Jul 9 14:48:58 EDT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>>> "Venkat" == Venkat Yekkirala <vyekkirala at TrustedCS.com> writes:
    Venkat> But seems like only on all phase 2s for the connection
    Venkat> owning the phase 1 in question. Any phase 2s belonging to
    Venkat> other connections to the same peer (with the phase 1 SA not
    Venkat> being around) could be left lying around until they expire.

  You can't have multiple phase 1s to the same peer with different IDs.
  (it's a bug, perhaps)

    Venkat> I am running into a similar problem, but with the DPD action
    Venkat> set to "clear". When a peer goes down unexpectedly, DPD on
    Venkat> the phase 1 and RELATED phase 2s get cleared fine, but I
    Venkat> still have other phase 2s belonging to a different
    Venkat> connection to the same peer lying around without a phase 1,
    Venkat> resulting in the following:

  I'd have to see your entire configuration.
  In general, you can't have multiple phase 1s.

    Venkat> 1. Openswan seems to be negotiating a Phase 1 each for each
    Venkat> connection even when the connections are all to the same
    Venkat> peer. Is this the expected behaviour?

  No.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys

-----END PGP SIGNATURE-----

