[Openswan dev] Regarding openswan interaction with setkey tool on RHEL5 32 bit system...

Paul Wouters paul at xelerance.com
Mon Nov 22 14:23:53 EST 2010


On Mon, 22 Nov 2010, Somashekar S V (svs) wrote:

> With Racoon, when we delete the SA using the setkey command, we have seen that the deleted SA’s gets recreated
> immedietly as per the logs below.
> 
> Nov 16 22:43:20 cucmsso217 daemon 6 racoon: 2010-11-16 22:43:20: ERROR: pfkey DELETE received: ESP 10.78.85.217->10.78.85.218 spi=262494940(0xfa55adc)
> Nov 16 22:43:21 cucmsso217 daemon 6 racoon: 2010-11-16 22:43:21: INFO: initiate new phase 2 negotiation: 10.78.85.217[0]<=>10.78.85.218[0]
> Nov 16 22:43:21 cucmsso217 daemon 6 racoon: 2010-11-16 22:43:21: INFO: IPsec-SA established: ESP/Transport 10.78.85.218->10.78.85.217 spi=87257782(0x53372b6)
> Nov 16 22:43:21 cucmsso217 daemon 6 racoon: 2010-11-16 22:43:21: INFO: IPsec-SA established: ESP/Transport 10.78.85.217->10.78.85.218 spi=53285836(0x32d13cc)
> 
> However with OpenSWAN, when I delete the SA using the setkey command, I don’t see the deleted SA’s getting recreated, basically I don’t see phase 2 re-negotiation
> happening. Any configuration that we need to do for this?

Do you have auto=start ?

It is likely that we are not monitoring/processing SA's removed outside of our IKE daemon.
Probably netkey did not have that feature in the past, or we did not know about it.

Perhaps behaviour with this should be coupled to our failureshunt= option?

I am not sure if immediately setting up a new SA is the right thing to do. You could end up creating
a loop if adding/removing the same SA over and over again.

Are you depending on this behaviour? If so, why are you maintaining SA's outside the IKE daemon?

Paul


More information about the Dev mailing list