[Openswan dev] Regarding openswan interaction with setkey tool on RHEL5 32 bit system...
paul at xelerance.com
Mon Nov 22 23:59:11 EST 2010
On Tue, 23 Nov 2010, Somashekar S V (svs) wrote:
> It is likely that we are not monitoring/processing SA's removed outside of our IKE daemon.
> Probably netkey did not have that feature in the past, or we did not know about it.
> ^^ Looks like, setkey SA deletion is not notifying the IKE daemon Pluto in openSWAN whereas it was notifying Racoon.
> Why this change in behavior?
setkey does not notify. I suspect the kernel XFRM does the notification.
> I am not sure if immediately setting up a new SA is the right thing to do. You could end up creating
> a loop if adding/removing the same SA over and over again.
> Are you depending on this behaviour? If so, why are you maintaining SA's outside the IKE daemon?
> ^^ We are not maintaining SA's outside the IKE daemon. These are the SA's created using IKE daemon Pluto. We just used
> setkey tool to delete an SA to find out if re-negotiation happens very much similar to Racoon just to find this missing
> functionality with openSWAN.
Okay. Then the real question still remains. Is automatically trying to bring the SA up when it
"magically disappears" a good thing to do or could it lead to problems?
But at a minimum, we should process the kernel event, and log a message, and perhaps set up a
new %trap to avoid packet leaks (or do whatever our failureshunt= mode is).
I've assigned this: http://bugs.openswan.org/issues/1171
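As an added illustration that is not part of this thread, of Openswan or of setkey: the kernel announces SA removal on the NETLINK_XFRM socket as an XFRM_MSG_DELSA multicast, which is the event a daemon would have to consume to notice an SA deleted behind its back and log it (or install a %trap). The constants and struct layouts below are taken from Linux's uapi/linux/netlink.h and uapi/linux/xfrm.h; the message builder only constructs sample input so the parser can be exercised offline, and the live watch() requires Linux and may need CAP_NET_ADMIN to join the multicast group.

```python
"""Decode XFRM_MSG_DELSA netlink events (added example, not Openswan code)."""
import socket
import struct

# Values from Linux uapi/linux/netlink.h and uapi/linux/xfrm.h
NETLINK_XFRM = 6          # netlink protocol family for IPsec SA/SP management
XFRM_MSG_DELSA = 0x11     # sent when an SA is deleted (setkey -D, ip xfrm state delete, ...)
XFRMNLGRP_SA = 3          # multicast group carrying NEWSA/DELSA/UPDSA events
NLMSG_HDRLEN = 16         # struct nlmsghdr: len u32, type u16, flags u16, seq u32, pid u32
USERSA_ID_LEN = 24        # struct xfrm_usersa_id: daddr[16], spi be32, family u16, proto u8, pad


def parse_nlmsgs(buf):
    """Walk one netlink receive buffer and return a list of (type, payload) pairs."""
    events = []
    off = 0
    while off + NLMSG_HDRLEN <= len(buf):
        length, mtype, _flags, _seq, _pid = struct.unpack_from("=IHHII", buf, off)
        if length < NLMSG_HDRLEN or off + length > len(buf):
            break  # truncated or corrupt message: stop rather than misparse the rest
        events.append((mtype, bytes(buf[off + NLMSG_HDRLEN:off + length])))
        off += (length + 3) & ~3  # NLMSG_ALIGN: messages are 4-byte aligned
    return events


def _fmt_addr(family, raw16):
    """Render the 16-byte xfrm_address_t union for the given address family."""
    if family == socket.AF_INET:
        return socket.inet_ntop(socket.AF_INET, raw16[:4])
    if family == socket.AF_INET6:
        return socket.inet_ntop(socket.AF_INET6, raw16)
    return raw16.hex()


def describe_event(mtype, payload):
    """Return a dict for a DELSA event, or None for message types this example ignores."""
    if mtype != XFRM_MSG_DELSA:
        return None
    if len(payload) < USERSA_ID_LEN - 1:
        raise ValueError("short xfrm_usersa_id payload")
    daddr = payload[:16]
    spi = struct.unpack_from("!I", payload, 16)[0]       # __be32: network byte order
    family, proto = struct.unpack_from("=HB", payload, 20)  # host byte order
    return {"event": "DELSA", "dst": _fmt_addr(family, daddr),
            "spi": spi, "proto": proto, "family": family}


def build_delsa_message(dst, spi, proto, seq=0):
    """Construct a sample XFRM_MSG_DELSA message (test input only; the kernel builds real ones)."""
    family = socket.AF_INET6 if ":" in dst else socket.AF_INET
    raw = socket.inet_pton(family, dst).ljust(16, b"\0")
    body = raw + struct.pack("!I", spi) + struct.pack("=HB", family, proto) + b"\0"
    hdr = struct.pack("=IHHII", NLMSG_HDRLEN + len(body), XFRM_MSG_DELSA, 0, seq, 0)
    return hdr + body


def watch(handler=print):
    """Subscribe to XFRMNLGRP_SA and hand each decoded DELSA event to handler (Linux only)."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_XFRM)
    sock.bind((0, 1 << (XFRMNLGRP_SA - 1)))  # legacy group mask: bit (group-1)
    while True:
        for mtype, payload in parse_nlmsgs(sock.recv(65536)):
            ev = describe_event(mtype, payload)
            if ev is not None:
                handler("SA vanished outside the IKE daemon: %s" % ev)


if __name__ == "__main__":
    # Offline demonstration on a constructed message; run watch() on Linux for live events.
    sample = build_delsa_message("192.0.2.1", 0x1234ABCD, 50)  # 50 = IPPROTO_ESP
    for mtype, payload in parse_nlmsgs(sample):
        print(describe_event(mtype, payload))
```

A real consumer would react to the decoded event the way the message above suggests (log it, and either re-trap the policy or apply the configured failureshunt= behaviour); this block only shows the decode step, since that is the part Pluto was missing.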