[Openswan dev] Patch for review

Herbert Xu herbert at gondor.apana.org.au
Sun May 2 22:42:37 EDT 2010


On Mon, Apr 26, 2010 at 01:30:04PM -0400, Paul Wouters wrote:
> On Mon, 26 Apr 2010, D. Hugh Redelmeier wrote:
>
>> | Real problem with the initiate code is that netkey does generate acquires
>> | even when you have permanent, working ipsec tunnel up and running and
>> | packets are traveling tunnel.
>>
>> That sounds odd.  Why does it do that?
>>
>> (Note: I know very little about netkey so this may be a very naive
>> question.)
>
> We don't know. I assume this is a kernel bug. Perhaps Herbert can tell us
> more?

I suspect that was either a bug or a misconfiguration.

If you keep getting acquires then that means your tunnel simply
can't transmit.  Ignoring the acquires isn't going to make the 
tunnel magically work :)

On the other hand, it is known that while you still have an ongoing
negotiation, that you may get new acquires.  This is because each
acquire only establishes a larval (what you'd call hold) state for
the exact flow that triggered it.  So if we get a different flow
then we can trigger a new acquire for the same connection.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
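The per-flow larval-state behaviour Herbert describes above, as an added toy model that is not Openswan or kernel code (all class names, the sample policy and the flows are constructed here): each exact flow that hits a policy without a working SA gets its own larval ("hold") state and raises an acquire, so a second flow for the same connection raises a second acquire while IKE is still running. The daemon side shows the sensible response to that (keep waiting on the existing negotiation), and the second scenario shows why acquires that continue after the tunnel is "up" are a symptom to investigate rather than ignore: the installed SA simply does not cover the flow.

```python
"""Added example: toy model of XFRM acquire / larval-state behaviour.
Not Openswan or Linux kernel code; every name and value is invented."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One exact flow as seen when a packet hits an IPsec policy."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector of a policy or of an installed SA."""
    src_net: str
    dst_net: str

    def covers(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net))


@dataclass
class ToyXfrm:
    """policies: selector -> connection name; larval: per-exact-flow hold states;
    mature: installed SAs; acquires: events queued for the IKE daemon."""
    policies: dict
    larval: set = field(default_factory=set)
    mature: list = field(default_factory=list)
    acquires: list = field(default_factory=list)

    def send(self, f: Flow) -> str:
        conn = next((c for s, c in self.policies.items() if s.covers(f)), None)
        if conn is None:
            return "clear"        # no policy matches: packet leaves unprotected
        if any(sa.covers(f) for sa in self.mature):
            return "sent"         # a working SA covers the flow: no acquire
        if f in self.larval:
            return "held"         # larval state for this exact flow already exists
        self.larval.add(f)        # new exact flow: new larval state and a new acquire
        self.acquires.append((conn, f))
        return "acquire"

    def install_sa(self, sa: Selector) -> None:
        self.mature.append(sa)
        # only larval states the new SA actually covers are resolved
        self.larval = {f for f in self.larval if not sa.covers(f)}


class ToyDaemon:
    """Consumes acquires like an IKE daemon: at most one negotiation per connection."""
    def __init__(self, xfrm: ToyXfrm):
        self.xfrm = xfrm
        self.negotiating = set()
        self.log = []

    def poll(self) -> None:
        while self.xfrm.acquires:
            conn, f = self.xfrm.acquires.pop(0)
            if conn in self.negotiating:
                self.log.append(f"{conn}: acquire for {f.dst}:{f.dport} while negotiating, keep waiting")
            else:
                self.negotiating.add(conn)
                self.log.append(f"{conn}: acquire for {f.dst}:{f.dport}, starting IKE")

    def finish(self, conn: str, sa: Selector) -> None:
        self.negotiating.discard(conn)
        self.xfrm.install_sa(sa)


POLICY = Selector("10.1.0.0/24", "10.2.0.0/24")    # constructed sample policy
SSH = Flow("10.1.0.9", "10.2.0.5", 6, 40001, 22)   # constructed sample flows
HTTP = Flow("10.1.0.9", "10.2.0.7", 6, 40002, 80)


def negotiation_scenario() -> dict:
    """Two different flows hit the same connection while IKE is still running."""
    k = ToyXfrm({POLICY: "site-a"})
    d = ToyDaemon(k)
    r1 = k.send(SSH); d.poll()                      # first flow: acquire, IKE starts
    r2 = k.send(SSH); r3 = k.send(HTTP); d.poll()   # retransmit is held, new flow acquires again
    d.finish("site-a", POLICY)                      # SA covering the whole policy is installed
    r4 = k.send(SSH); r5 = k.send(HTTP)
    return {"results": [r1, r2, r3, r4, r5], "log": d.log, "larval_left": len(k.larval)}


def misconfigured_scenario() -> int:
    """SA installed with a selector narrower than the policy: flows outside it keep
    acquiring after the tunnel looks up. Returns how many sample flows still acquire."""
    k = ToyXfrm({POLICY: "site-a"})
    d = ToyDaemon(k)
    k.send(SSH); d.poll()
    d.finish("site-a", Selector("10.1.0.0/24", "10.2.0.5/32"))
    return sum(k.send(f) == "acquire" for f in (SSH, HTTP))


if __name__ == "__main__":
    print(negotiation_scenario())
    print("flows still acquiring after narrow SA:", misconfigured_scenario())
```

Running it shows the sequence `acquire, held, acquire, sent, sent` for the first scenario: the retransmitted packet of an already-held flow stays quiet, but the new flow raises a second acquire for the same connection, which the daemon logs and leaves alone because IKE is already in progress. In the second scenario the HTTP flow keeps acquiring after the SA is installed, the condition Herbert says points at a bug or misconfiguration rather than something to suppress.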

