[Openswan dev] Regarding openswan interaction with setkey tool on RHEL5 32 bit system...

Paul Wouters paul at xelerance.com
Mon Nov 22 23:59:11 EST 2010

On Tue, 23 Nov 2010, Somashekar S V (svs) wrote:

> It is likely that we are not monitoring/processing SA's removed outside of our IKE daemon.
> Probably netkey did not have that feature in the past, or we did not know about it.
> ^^ Looks like, setkey SA deletion is not notifying the IKE deamon Pluto in openSWAN whereas it was notifying Racoon.
> Why this change in behavior?

setkey does not notify. I suspect the kernel XFRM does the notification.

> I am not sure if immediately setting up a new SA is the right thing to do. You could end up creating
> a loop if adding/removing the same SA over and over again.
> Are you depending on this behaviour? If so, why are you maintaining SA's outside the IKE daemon?
> ^^ We are not maintaining SA's outside the IKE daemon. These are the SA;s created using IKE daemon Pluto. We just used
> setkey tool to delete an SA to find out if re-negotiation happens very much similar to Racoon just to find this missing
> functionality with openSWAN.

Okay. Then the real question still remains. Is automatically trying to bring the SA up when it
"magically disappears" a good thing to do or could it lead to problems?

But at a minimum, we should process the kernel event, and log a message, and perhaps setup a
new %trap to avoid packet leaks (or do whatever our failureshunt= mode is).

I've assigned this: http://bugs.openswan.org/issues/1171

More information about the Dev mailing list