[Openswan dev] Losing shared phase1
Paul Wouters
paul at xelerance.com
Mon Oct 25 19:28:22 EDT 2010
Hi,
I just noticed the following behaviour and wondered if this was a bug or intent:
Imagine the following:
conn net1
	also=base
	leftsubnet=1.2.3.0/24

conn net2
	also=base
	leftsubnet=1.2.88.0/24

conn base
	[...]
When you bring up these two tunnels, you will end up with 1 ISAKMP and 2 IPsec SA's.
Now when you do:
	ipsec auto --down net1
then the phase1 and one of the phase2's will go away. You are left with one phase2
that has no phase1. If you would do:
	ipsec auto --down net2
then no Delete/Notify ever makes it to the other end.
Question: Should we not keep the phase1 around on the first delete?
I guess this can be difficult to determine. Perhaps that's why it was not implemented?
Paul
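
Added example, not part of the original message and not Openswan code: a toy Python model of the sequence described above, comparing the reported behaviour with a policy that keeps the shared phase1 until its last phase2 is gone. The Peer class, the keep_shared_phase1 switch, the simulate() helper and the "phase1" label are assumptions made for illustration; the only protocol fact relied on is that an IKEv1 Delete is sent in an Informational exchange protected by an ISAKMP SA.

```python
from dataclasses import dataclass, field

@dataclass
class Peer:
    """Toy IKEv1 endpoint (illustrative model, not Openswan's pluto code)."""
    keep_shared_phase1: bool            # False = behaviour reported in the post
    phase1_up: bool = False             # the single shared ISAKMP SA
    phase2: set = field(default_factory=set)  # conn names holding an IPsec SA

    def up(self, conn):
        self.phase1_up = True           # first conn negotiates it, later ones reuse it
        self.phase2.add(conn)

    def down(self, conn):
        """Tear down conn and return the Delete payloads that could be sent."""
        sent = []
        if conn in self.phase2:
            self.phase2.discard(conn)
            # A Delete rides in an Informational exchange protected by the
            # ISAKMP SA, so without a phase1 nothing can be sent.
            if self.phase1_up:
                sent.append(("delete-ipsec", conn))
        if self.phase1_up and (not self.keep_shared_phase1 or not self.phase2):
            sent.append(("delete-isakmp", "phase1"))
            self.phase1_up = False
        return sent

def simulate(keep_shared_phase1):
    """Bring up net1 and net2, take them down in order, report the outcome."""
    local, remote_sas, log = Peer(keep_shared_phase1), set(), []
    for conn in ("net1", "net2"):
        local.up(conn)
        remote_sas.add(conn)            # the remote end installs the matching SA
    for conn in ("net1", "net2"):
        for kind, name in local.down(conn):
            log.append((kind, name))
            if kind == "delete-ipsec":
                remote_sas.discard(name)   # remote removes SAs it is told about
    return log, remote_sas              # remote_sas = SAs the remote still holds

if __name__ == "__main__":
    for keep in (False, True):
        print("keep_shared_phase1 =", keep, "->", simulate(keep))
```

With keep_shared_phase1=False the model ends with the remote end still holding the net2 SA, which is the stale state the message describes; with True every Delete is sent before the phase1 is removed.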