[Openswan dev] Patch for review
Herbert Xu
herbert at gondor.apana.org.au
Sun May 2 22:42:37 EDT 2010
On Mon, Apr 26, 2010 at 01:30:04PM -0400, Paul Wouters wrote:
> On Mon, 26 Apr 2010, D. Hugh Redelmeier wrote:
>
>> | Real problem with the initiate code is that netkey does generate acquires
>> | even when you have permanent, working ipsec tunnel up and running and
>> | packets are traveling tunnel.
>>
>> That sounds odd. Why does it do that?
>>
>> (Note: I know very little about netkey so this may be a very naive
>> question.)
>
> We don't know. I assume this is a kernel bug. Perhaps Herbert can tell us
> more?

I suspect that was either a bug or a misconfiguration.

If you keep getting acquires then that means your tunnel simply
can't transmit. Ignoring the acquires isn't going to make the
tunnel magically work :)

On the other hand, it is known that while you still have an ongoing
negotiation, you may get new acquires. This is because each
acquire only establishes a larval (what you'd call hold) state for
the exact flow that triggered it. So if we get a different flow
then we can trigger a new acquire for the same connection.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
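
The per-flow behaviour described in the message above, as an added example that is not part of the original post and is neither kernel nor Openswan code. It is a simplified model: flows are reduced to (src, dst) address pairs, and the subnets, the connection name and the daemon's one-negotiation-per-connection handling are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ToyKernel:
    """Toy model (assumption): one tunnel policy, larval states keyed by exact flow."""
    policy_src: ipaddress.IPv4Network
    policy_dst: ipaddress.IPv4Network
    larval: set = field(default_factory=set)  # exact (src, dst) flows waiting for an SA
    sa_up: bool = False                       # mature SA covering the whole policy

    def send(self, src, dst):
        """Return the flow as an acquire if this packet triggers one, else None."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s not in self.policy_src or d not in self.policy_dst:
            return None        # not covered by the tunnel policy
        if self.sa_up or (src, dst) in self.larval:
            return None        # transmitted, or already held for this exact flow
        self.larval.add((src, dst))
        return (src, dst)      # a new flow gets its own larval state and acquire

class ToyDaemon:
    """Keying-daemon side (hypothetical): one negotiation per connection."""
    def __init__(self):
        self.pending = set()
        self.started = 0

    def on_acquire(self, conn_name):
        if conn_name in self.pending:
            return False       # negotiation already running for this connection
        self.pending.add(conn_name)
        self.started += 1
        return True

def simulate(packets):
    """Feed packets during negotiation, then again once the SA is installed."""
    kernel = ToyKernel(ipaddress.ip_network("10.0.1.0/24"),
                       ipaddress.ip_network("10.0.2.0/24"))
    daemon = ToyDaemon()
    acquires = []
    for src, dst in packets:
        acq = kernel.send(src, dst)
        if acq:
            acquires.append(acq)
            daemon.on_acquire("site-a-to-site-b")  # constructed connection name
    kernel.sa_up, kernel.larval = True, set()      # negotiation completes
    late = [kernel.send(s, d) for s, d in packets]
    return acquires, daemon.started, late
```
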