[Openswan dev] Patch for review

Tuomo Soini tis at foobar.fi
Fri Apr 23 06:52:09 EDT 2010


David McCullough wrote:

>> I'm actually quite sure that state didn't work for you. I did more
>> changes. Now it might work with both klips and netkey but interface for
>> that must be somehow changed to be cleaner.
> 
> So if I set up a tunnel with dpdaction=hold,  what is the sequence I need to
> reproduce the use of that state ?  (saves me thinking about it too hard :-)

Then you need to cause dpd to tear the tunnel into hold, then get the network
back up and give a ping or other traffic a reason to get the tunnel up so that
pluto will renegotiate.

> I only use dpdaction = clear | restart(_by_peer) as a rule,  I haven't seen a
> reason to use hold before now,  but happy to test it if I have process to
> try,

Hold is used for static tunnels when you don't want traffic to pass in the
clear over the internet.

The real problem with the initiate code is that netkey does generate acquires
even when you have a permanent, working ipsec tunnel up and running and
packets are traveling through the tunnel. That's why I needed to make sure rekeying
won't happen with CK_PERMANENT state. On one system I got 500 tunnels
instead of one in some minutes without that check, and traffic was not
flowing because of continuous rekeyings - each packet caused a rekeying
after your changes. On 2.6.24 the same situation caused tons of unhandled
acquire states which were visible with ipsec auto --status, but there was
no way to remove them.

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
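The two behaviours discussed in this message (the dpdaction=hold sequence, and netkey emitting acquires while a permanent tunnel is already up) can be replayed with a small model of how an IKE daemon should treat kernel acquire events. This is an added illustration, not Openswan or pluto code: only the name CK_PERMANENT comes from the thread; the connection structure, the second connection kind, and the way hold is modelled are assumptions made for the example.

```python
"""Toy model of acquire handling with and without a CK_PERMANENT guard.

Constructed illustration, not Openswan code. CK_PERMANENT is the only
identifier taken from the thread; everything else is an assumption.
"""
from dataclasses import dataclass
from enum import Enum, auto


class ConnKind(Enum):
    CK_PERMANENT = auto()  # statically configured tunnel (name from the thread)
    CK_TEMPLATE = auto()   # assumed: on-demand connection instantiated per acquire


@dataclass
class Connection:
    name: str
    kind: ConnKind
    established: bool = False  # an IPsec SA currently exists for this connection
    on_hold: bool = False      # DPD put the tunnel into 'hold' (traffic trapped)
    negotiations: int = 0      # how many times the daemon started a negotiation


def handle_acquire(conn: Connection, guard_permanent: bool) -> bool:
    """Process one acquire from the kernel; return True if a negotiation starts.

    With guard_permanent=True an acquire for a CK_PERMANENT connection that
    already has a working SA is ignored: netkey emits acquires even while the
    tunnel is up, so without the guard every packet would trigger a rekey.
    """
    if guard_permanent and conn.kind is ConnKind.CK_PERMANENT and conn.established:
        return False
    conn.negotiations += 1
    conn.established = True
    conn.on_hold = False
    return True


def dpd_tear_into_hold(conn: Connection) -> None:
    """Model dpdaction=hold: peer stopped answering, SA removed, traffic trapped
    (assumed behaviour for the example)."""
    conn.established = False
    conn.on_hold = True


def run_scenario(guard_permanent: bool, packets_while_up: int = 500) -> dict:
    """Replay the sequence from the thread and return what happened.

    1. first packet brings the permanent tunnel up
    2. traffic flows; netkey keeps emitting acquires for the same policy
    3. the network goes away and DPD tears the tunnel into hold
    4. the network returns; a ping produces an acquire and pluto must renegotiate
    """
    site = Connection("site-a", ConnKind.CK_PERMANENT)
    handle_acquire(site, guard_permanent)
    for _ in range(packets_while_up):
        handle_acquire(site, guard_permanent)
    dpd_tear_into_hold(site)
    renegotiated = handle_acquire(site, guard_permanent)
    return {
        "negotiations": site.negotiations,
        "renegotiated_after_hold": renegotiated,
        "established": site.established,
        "on_hold": site.on_hold,
    }


if __name__ == "__main__":
    print("with CK_PERMANENT guard:   ", run_scenario(True))
    print("without CK_PERMANENT guard:", run_scenario(False))
```

With the guard the permanent connection negotiates exactly twice (initial bring-up, then the renegotiation after hold); without it the 500 acquires seen while the tunnel was already working each start a new negotiation, which is the "500 tunnels instead of one" symptom described above. The guard must not suppress the acquire that arrives after hold, since at that point no SA exists and renegotiation is exactly what is wanted.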

