[Openswan dev] Patch for review

David McCullough david_mccullough at mcafee.com
Tue Apr 27 00:20:09 EDT 2010

Jivin Tuomo Soini lays it down ...
> David McCullough wrote:
> >> I'm actually quite sure that state didn't work for you. I did more
> >> changes. Now it might work with both klips and netkey but interface for
> >> that must be somehow changed to be cleaner.
> > 
> > So if I set up a tunnel with dpdaction=hold,  what is the sequence I need to
> > reproduce the use of that state ?  (saves me thinking about it too hard :-)
> Then you need to cause dpd to tear tunnel into hold and then get network
> back up and give ping or other traffic reason to get tunnel up so that
> pluto will renegotiate.
> > I only use dpdaction = clear | restart(_by_peer) as a rule,  I haven't seen a
> > reason to use hold before now,  but happy to test it if I have process to
> > try,
> Hold is used for static tunnels when you don't want traffic to pass
> clear over internet.

Is that under netkey only ?

I ask because using klips I haven't seen this behaviour.  Esp. on a static
tunnel.  I think the only cases on clear text I have seen with klips are
before pluto has started, or before the tunnel has been started (most likely
routed).  If this isn't right I'd like to know ;-)

> Real problem with the initiate code is that netkey does generate acquires
> even when you have permanent, working ipsec tunnel up and running and
> packets are traveling tunnel. That's why I needed to make sure rekeying
> won't happen with CK_PERMANENT state. On one system I got 500 tunnels
> instead of one in some minutes without that check and traffic was not
> flowing because of continuous rekeyings - each packet caused rekeying
> after your changes. On 2.6.24 same situation caused tons of unhandled
> acquire states which were visible with ipsec auto --status but there was
> no way to remove them.

At the time I made those changes I didn't even think netkey used eroutes ;-)
I thought the netkey backend just played along to make life easier for pluto.
Definitely been an education in what netkey does.


David McCullough,      david_mccullough at mcafee.com,  Ph:+61 734352815
McAfee - SnapGear      http://www.mcafee.com         http://www.uCdot.org