[Openswan dev] Losing shared phase1
david_mccullough at mcafee.com
Mon Oct 25 19:37:40 EDT 2010
Jivin Paul Wouters lays it down ...
> I just noticed the following behaviour and wondered if this was bug or intent:
> Imagine the following:
> conn net1
> conn net2
> conn base
> When you bring up these two tunnels, you will end up with 1 ISAKMP and 2 IPsec SAs.
> Now when you do:
> ipsec auto --down net1
> then the phase1 and one of the phase2's will go away. You are left with one phase2
> that has no phase1. If you would do:
I've encountered/wondered about that. I don't know the history, but in my mind it seems wrong.
> ipsec auto --down net2
> then no Delete/Notify ever makes it to the other end.
> Question: Should we not keep the phase1 around on the first delete?
> I guess this can be difficult to determine. Perhaps that's why it was not implemented?
Perhaps we could restart a phase1 negotiation instead, if accounting for the phase1's that are shared is too hard?
I'd like to hear what others think, but to me, leaving a tunnel with no phase1 is not right.
David McCullough, david_mccullough at mcafee.com, Ph:+61 734352815
McAfee - SnapGear http://www.mcafee.com http://www.uCdot.org